Solved

VPN IKE Settings on Cisco ASA 5520

Posted on 2011-10-19
Last Modified: 2012-05-12
I have a SonicWall VPN endpoint and we are in the process of upgrading IKE (Phase 1) & IPSEC (Phase 2) settings on our client VPN tunnels that are set at lower settings.

Twice now (on separate VPNs) we have attempted to upgrade the connections on a tunnel with a Cisco ASA 5520.  Phase 1 & 2 were both set to 3DES/MD5.  We upgraded both to AES-256/SHA1 and the tunnel did not come up.  When I set Phase 1 on my end back to 3DES/MD5 and left Phase 2 at AES-256/SHA1 the tunnel came back up.  The network engineer on the Cisco end swears that he set them both to AES-256/SHA1 but when he looks in the logs he sees the traffic is 3DES/MD5 on IKE.

Can anyone give me some hints on where to let my counterparts look to correct this and bring IKE (Phase 1) up to AES-256/SHA1?

Thanks!
Question by:VIBT

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 37037937
Let's see, first you define the transform set like:

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

And you apply it to a crypto map:

crypto map my_map 10 set transform-set ESP-AES-256-SHA

Ehr, that was phase 2 so you should have that already (I'll just leave it here).

For phase 1 you should have something like:

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

Depends a bit on the version of the software.
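
Added example, not part of the original answer and not the ASA's or SonicWall's own tooling: a Python check that parses the `crypto isakmp policy` (or `crypto ikev1 policy`) blocks from a saved ASA configuration and reports whether any policy matches the Phase 1 proposal the peer is set to. The function names and the sample configuration are constructed for illustration; the keyword table reflects the ASA convention that `encryption aes` alone means AES-128.

```python
import re

# ASA keyword -> (cipher, key bits). Plain "aes" selects AES-128, not AES-256.
ENC = {"des": ("DES", 56), "3des": ("3DES", 168), "aes": ("AES", 128),
       "aes-192": ("AES", 192), "aes-256": ("AES", 256)}

def parse_policies(config):
    """Map policy priority -> {'encryption', 'hash', 'group'} as configured."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)\s*$", line)
        attr = re.match(r"\s+(encryption|hash|group)\s+(\S+)", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
        elif not line.startswith(" "):
            current = None  # left the policy sub-mode
    return policies

def matching_priority(policies, cipher, bits, hash_alg, group):
    """Lowest-numbered policy identical to the peer's proposal, else None."""
    for prio in sorted(policies):
        p = policies[prio]
        if (ENC.get(p.get("encryption")) == (cipher, bits)
                and p.get("hash") == hash_alg and p.get("group") == str(group)):
            return prio
    return None

def weak_policies(policies):  # priorities still offering DES/3DES or MD5
    return [prio for prio, p in sorted(policies.items())
            if p.get("encryption") in ("des", "3des") or p.get("hash") == "md5"]

# Constructed sample, not taken from the ASA in the question.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
"""

if __name__ == "__main__":
    print(matching_priority(parse_policies(SAMPLE), "AES", 256, "sha", 2))
```

Against the constructed sample the check returns `None` for AES-256/SHA/group 2, because policy 20's `encryption aes` is AES-128; with that line changed to `encryption aes-256` it returns 20, and `weak_policies` still flags policy 10 as a leftover 3DES/MD5 offer.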

Author Closing Comment

by:VIBT
ID: 37331293
I passed on the information and they were able to solve it.

Thanks!

(They never would tell me if this was their problem or if they found it in another spot.  I suspect this was it...)