VPN IKE Settings on Cisco ASA 5520

Posted on 2011-10-19
Last Modified: 2012-05-12
I have a SonicWall VPN endpoint and we are in the process of upgrading IKE (Phase 1) & IPSEC (Phase 2) settings on our client VPN tunnels that are set at lower settings.

Twice now (on separate VPNs) we have attempted to upgrade the connections on a tunnel with a Cisco ASA 5520. Phase 1 & 2 were both set to 3DES/MD5. We upgraded both to AES-256/SHA1 and the tunnel did not come up. When I set Phase 1 on my end back to 3DES/MD5 and left Phase 2 at AES-256/SHA1 the tunnel came back up. The network engineer on the Cisco end swears that he set them both to AES-256/SHA1, but when he looks in the logs he sees the traffic is 3DES/MD5 on IKE.

Can anyone give me some hints on where to let my counterparts look to correct this and bring IKE (Phase 1) up to AES-256/SHA1?

Question by:VIBT

    Accepted Solution

    Let's see, first you define the transform set like:

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    And you apply it to a crypto map:

    crypto map my_map 10 set transform-set ESP-AES-256-SHA

    Ehr, that was phase 2 so you should have that already (I'll just leave it here).

    For phase 1 you should have something like:

    crypto isakmp policy 10
     authentication pre-share
     ! "encryption aes" alone means AES-128 on the ASA; aes-256 is required to match the SonicWall side
     encryption aes-256
     ! "sha" is SHA-1 (the only alternative to md5 in an IKEv1 policy)
     hash sha
     group 2
     lifetime 86400
    ! On ASA 8.4 and later the same block is entered as "crypto ikev1 policy 10"

    Depends a bit on the version of the software.
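
As an added illustration (not part of the original thread), the following Python script audits an ASA running-config for the Phase 1 and Phase 2 settings discussed above. It reads every `crypto isakmp policy` (or 8.4+ `crypto ikev1 policy`) block and every transform-set, flags DES/3DES, MD5 and DH groups 1 and 2, and reports crypto map entries that reference a transform-set that does not exist. Because ISAKMP policies are global on the ASA rather than per-peer, a lower-numbered policy that was never upgraded is flagged as well. The sample configurations are constructed; the peer address 203.0.113.10, the object names and the "weak" thresholds are assumptions, not taken from the thread.

```python
"""Audit a Cisco ASA running-config for weak IKEv1 Phase 1 / IPsec Phase 2 settings."""
import re
from typing import Dict, List

# Thresholds are a policy choice (assumed here): single/triple DES, MD5 and sub-2048-bit DH.
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}          # 768- and 1024-bit MODP
WEAK_ESP_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Pre-8.4 "crypto isakmp policy N" and 8.4+ "crypto ikev1 policy N" are both accepted.
_POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)\s*$")
_TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+)\s+(.+?)\s*$")
_MAP_TS_RE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (.+?)\s*$")

# Constructed sample: the 3DES/MD5 tunnel from the question, before the upgrade.
# Peer address and object names are placeholders.
WEAK_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Constructed sample: the same tunnel with both phases moved to AES-256/SHA-1 (and DH group 5).
FIXED_CONFIG = (WEAK_CONFIG
                .replace("ESP-3DES-MD5 esp-3des esp-md5-hmac", "ESP-AES-256-SHA esp-aes-256 esp-sha-hmac")
                .replace("set transform-set ESP-3DES-MD5", "set transform-set ESP-AES-256-SHA")
                .replace(" encryption 3des", " encryption aes-256")
                .replace(" hash md5", " hash sha")
                .replace(" group 2", " group 5"))

# Constructed sample: policy 10 upgraded, but a lower-numbered policy still carries 3DES/MD5.
# ISAKMP policies are global on the ASA, so this one is still considered for every peer.
MIXED_CONFIG = FIXED_CONFIG + """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {attribute: value}} for every Phase 1 policy block."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = _POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):   # indented attribute line
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None                                    # any other line ends the block
    return policies


def parse_transform_sets(config: str) -> Dict[str, List[str]]:
    """Return {name: [esp transforms]}; a 'mode transport' line is not a transform list."""
    sets: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = _TS_RE.match(line)
        if m and not m.group(2).startswith("mode "):
            sets[m.group(1)] = m.group(2).split()
    return sets


def audit(config: str) -> List[str]:
    """List every weak Phase 1 / Phase 2 setting and every dangling transform-set reference."""
    findings: List[str] = []
    policies = parse_isakmp_policies(config)
    if not policies:
        findings.append("phase1: no isakmp/ikev1 policy configured")
    for prio, attrs in sorted(policies.items()):
        # ASA defaults apply when a line is absent from the policy: 3des, sha, group 2.
        enc = attrs.get("encryption", "3des")
        hsh = attrs.get("hash", "sha")
        grp = attrs.get("group", "2")
        if enc in WEAK_IKE_ENCRYPTION:
            findings.append(f"phase1 policy {prio}: encryption {enc}")
        if hsh in WEAK_IKE_HASH:
            findings.append(f"phase1 policy {prio}: hash {hsh}")
        if grp in WEAK_DH_GROUPS:
            findings.append(f"phase1 policy {prio}: DH group {grp} (<2048-bit)")
    sets = parse_transform_sets(config)
    for name, transforms in sets.items():
        findings.extend(f"phase2 transform-set {name}: {t}" for t in transforms if t in WEAK_ESP_TRANSFORMS)
    for line in config.splitlines():                          # a map pointing at a missing set kills the tunnel
        m = _MAP_TS_RE.match(line)
        if m:
            for name in m.group(3).split():
                if name not in sets:
                    findings.append(f"crypto map {m.group(1)} {m.group(2)}: undefined transform-set {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG), ("mixed", MIXED_CONFIG)]:
        print(label, audit(cfg) or ["ok"])
```

To check a real box, paste the output of `show running-config crypto` in place of one of the embedded samples; the audit reports each remaining 3DES/MD5 policy by its priority number, which is where the counterpart would look on the ASA side.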

    Author Closing Comment

    I passed on the information and they were able to solve it.


    (They never would tell me if this was their problem or if they found it in another spot.  I suspect this was it...)
