
VPN ISAKMP policy phase1

pdara0001
Level 1

Hi guys, I don't clearly understand the ISAKMP policy in ASA, so I am raising this topic to ask those who have more years of experience with VPN. Assume that I have already configured a site-to-site VPN to my branch office on my ASA 5510, and my next goal is to configure remote access VPN on this ASA as well. My question is: in my site-to-site VPN I already created an ISAKMP policy, so for my remote access VPN, do I need to create it again or not?


Dinesh Moudgil
Cisco Employee

Hi ,

 

IPsec is the primary protocol used in L2L and Remote Access VPN deployments.
If you are using IPsec Remote Access VPN, you don't need to create new ISAKMP policies.
For SSL-based Remote Access VPN, ISAKMP policies are not needed as they are part of IPsec VPN.

 

Here is a document that you can refer to:
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/vpipsec.html


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi, actually, I configured remote access on the IPsec protocol. So with the IPsec protocol, we have no need to create the ISAKMP phase 1 policy again, right?

Remember that IKEv1 policy defines:

- authentication method (PSK/RSA)

- encryption 

- hashing 

- DH group 

If all of those agree for remote access and L2L, then you do not need to add new policies.

IKEv2 policies instead have sets of acceptable algorithms in a single policy (devices pick the "best" from proposed). 

Hi,

 

If you are using IPsec as the Remote Access VPN protocol, then you don't have to create new ISAKMP profiles unless the ones present are not negotiating with the client.
Hope that helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Yeah, thanks, I will try with your explanation.
