Adding/editing a global IKEv2 IKE policy - IPsec site-to-site VPN already in place

philb19
Can I edit an IKEv2 policy by adding encryption standards, without breaking the current IPsec VPN that uses those policies?

I'd like to try adding sha256 to encryption and adding it to the PRF and integrity hashes. I can't seem to get the Azure IPsec VPN working with a VTI route-based ASA 9.9 (2).
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
I don't know about your router model, but usually adding something to a set of proposals does not break anything existing.
However, you never can tell for sure. It depends on the other sites whether they can cope with more proposals than before. At least that has been an issue with IKEv1 ...
Pete Long, Technical Consultant

Commented:
Agreed. Remember the proposals are usually processed in order (priority), so if you already have weaker proposals in the policy with a higher priority, they will continue to match first.

IKE will proceed on the first matching policy (usually.)


Author

Commented:
Just an update: we got this working :)

We set a priority of 5 (high) with aes-256 and sha-256, prf hash sha256, DH group 24 2 14

Also important was this, I believe:

From - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Cisco      ASA      8.3 / 8.4+ (IKEv2*)      Supported      Configuration guide*

Note the asterisks (*).

So we also did the following:

The * says Azure requires policy-based traffic selections for Cisco 8.4+ and IKEv2; we are running 9.9 (2).

* Cisco ASA versions 8.4+ add IKEv2 support, can connect to Azure VPN gateway using custom IPsec/IKE policy with "UsePolicyBasedTrafficSelectors" option. Refer to this how-to article.

To create the policy-based settings against Azure:

https://docs.microsoft.com/bs-latn-ba/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

These are all PowerShell settings against Azure.

Thank you all
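The priority-ordered matching discussed in the replies above, as an added example that is not part of the thread and not ASA code: a simplified Python model in which the first local policy (lowest priority number) that shares every transform type with a peer offer wins. The priority 5 policy uses the values from the update above; the pre-existing policy and all peer offers are constructed assumptions.

```python
# Added example: simplified model of IKEv2 policy matching, not ASA code.
from dataclasses import dataclass

FIELDS = ("encryption", "integrity", "prf", "dh_group")

@dataclass(frozen=True)
class Policy:
    priority: int          # lower number is evaluated first
    encryption: frozenset
    integrity: frozenset
    prf: frozenset
    dh_group: frozenset

def policy(priority, enc, integ, prf, groups):
    return Policy(priority, frozenset(enc), frozenset(integ),
                  frozenset(prf), frozenset(groups))

def negotiate(local_policies, peer_offers):
    """First local policy (by priority) sharing at least one value of every
    transform type with a peer offer wins; returns (priority, common) or None."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        for offer in peer_offers:
            common = {f: getattr(local, f) & getattr(offer, f) for f in FIELDS}
            if all(common.values()):
                return local.priority, common
    return None

# Policy from the thread: priority 5, aes-256, sha256, prf sha256, DH 24 2 14.
NEW = policy(5, ["aes-256"], ["sha256"], ["sha256"], [24, 2, 14])
# Constructed stand-in for a policy that was already in place (assumption).
EXISTING = policy(10, ["aes"], ["sha"], ["sha"], [2])
# Constructed peer offers (assumptions): an older site and a SHA-256-only peer.
LEGACY_PEER = [policy(0, ["aes"], ["sha"], ["sha"], [2])]
SHA256_PEER = [policy(0, ["aes-256"], ["sha256"], ["sha256"], [24])]
FLEXIBLE_PEER = LEGACY_PEER + SHA256_PEER   # accepts either suite

def report():
    weak_first = [policy(1, ["aes"], ["sha"], ["sha"], [2]), NEW]
    return {
        "legacy_before": negotiate([EXISTING], LEGACY_PEER),
        "legacy_after": negotiate([EXISTING, NEW], LEGACY_PEER),
        "sha256_before": negotiate([EXISTING], SHA256_PEER),
        "sha256_after": negotiate([EXISTING, NEW], SHA256_PEER),
        "flexible_new_first": negotiate([EXISTING, NEW], FLEXIBLE_PEER),
        "flexible_weak_first": negotiate(weak_first, FLEXIBLE_PEER),
    }

if __name__ == "__main__":
    for name, result in report().items():
        print(name, "->", result and result[0])
```

In this model the legacy peer keeps matching its old policy after the new one is added, and a peer that accepts both suites lands on the weaker one only when that policy carries the lower priority number.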
