Adding/editing a global IKEv2 IKE policy - IPsec site-to-site VPN already in place

philb19 asked:

Can I edit an IKEv2 policy by adding encryption standards without breaking the current IPsec VPN that uses those policies?

I'd like to try adding SHA256 to encryption and adding it to the PRF and integrity hashes - I can't seem to get the Azure IPsec VPN working with VTI route-based ASA 9.9(2).

Qlemo ("Batchelor"), Developer and EE Topic Advisor, Top Expert 2015:

I don't know for your router model, but usually adding something to a set of proposals does not break anything existing.
However, you never can tell for sure. It depends on the other sites whether they can cope with more proposals than before. At least that has been an issue with IKEv1 ...

Pete Long, Technical Consultant:

Agreed, remember the proposals are usually processed in order (priority) so if you already have weaker proposals in the policy with a higher priority they will continue to match first.

IKE will proceed on the first matching policy (usually).



Just an update we got this working :)

We set a priority of 5 (high) with aes-256 and sha-256, PRF hash sha256, DH group 24 2 14.

Also important was this, I believe:

From the Azure VPN device table:

Vendor: Cisco | Device family: ASA | Minimum OS version: 8.3, 8.4+ (IKEv2*) | Policy-based: Supported | Route-based: Configuration guide*

Note the asterisks (*).

So we also did the following:

The * says Azure requires policy-based traffic selectors for Cisco 8.4+ and IKEv2; we are running 9.9(2).

* Cisco ASA versions 8.4+ add IKEv2 support, can connect to Azure VPN gateway using custom IPsec/IKE policy with "UsePolicyBasedTrafficSelectors" option. Refer to this how-to article.

To create the policy-based settings against Azure:

These are all PowerShell settings against Azure.

Thank you all
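As an added illustration (not the poster's own settings, which are not reproduced in the thread), this is what the Azure side of the fix described above looks like with the Az PowerShell module: a custom IKEv2/IPsec policy that mirrors the ASA proposal (AES-256, SHA-256 integrity and PRF, DH group 24) and a connection created with UsePolicyBasedTrafficSelectors. Resource names, the PFS group and the SA lifetimes are assumptions, not values from the thread.

```powershell
# Added example, not from the original post. Assumes the Az module and that the
# virtual network gateway and local network gateway (the ASA) already exist.
$rg       = "rg-vpn-example"     # placeholder resource group
$gwName   = "vnetgw-example"     # placeholder Azure VPN gateway (route-based)
$lngName  = "lng-asa-example"    # placeholder local network gateway for the ASA
$connName = "conn-asa-example"   # placeholder connection name

# Custom policy matching the ASA IKEv2 policy from the update: AES-256, SHA-256,
# DH group 24. Azure only offers what is listed here, so the ASA must have the
# same combination in one of its proposals. PFS group and lifetimes are assumed.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption       AES256 `
    -IkeIntegrity        SHA256 `
    -DhGroup             DHGroup24 `
    -IpsecEncryption     AES256 `
    -IpsecIntegrity      SHA256 `
    -PfsGroup            PFS24 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

$gw  = Get-AzVirtualNetworkGateway -Name $gwName  -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name $lngName -ResourceGroupName $rg

# Prompt for the pre-shared key instead of hard-coding it in the script.
$psk = Read-Host -Prompt "Pre-shared key for the ASA connection"

# The asterisk in the Azure device table: a Cisco ASA 8.4+ IKEv2 connection
# needs policy-based traffic selectors even though the gateway is route-based.
$conn = New-AzVirtualNetworkGatewayConnection `
    -Name $connName -ResourceGroupName $rg -Location $gw.Location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 `
    -SharedKey $psk `
    -IpsecPolicies $ipsecPolicy `
    -UsePolicyBasedTrafficSelectors $true

# Check that the custom policy and the selector flag actually landed on the
# connection, and watch ConnectionStatus move to Connected once the ASA matches.
Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, UsePolicyBasedTrafficSelectors, IpsecPolicies
```

On the ASA side the matching `crypto ikev2 policy` must carry the same encryption, integrity, PRF and DH group, and its traffic selectors (crypto map or VTI ACL) must line up with the Azure address space.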
