1 Reply Latest reply on Nov 27, 2018 10:10 PM by Sreec

    NSX IPSEC VPN to Cisco ASA

    wreedMH Enthusiast

      Anyone accomplished this? Any tips/tricks?

        • 1. Re: NSX IPSEC VPN to Cisco ASA
          Sreec Master

          A few points to be noted are as follows:

          Below are the algorithms that are supported:

           

          • AES (AES128-CBC)
          • AES256 (AES256-CBC)
          • Triple DES (3DES192-CBC)
          • AES-GCM (AES128-GCM)
          • DH-2 (Diffie–Hellman group 2)
          • DH-5 (Diffie–Hellman group 5)
          • DH-14 (Diffie–Hellman group 14)
          • DH-15 (Diffie–Hellman group 15)
          • DH-16 (Diffie–Hellman group 16)

           

          Phase 1 Parameters

          Phase 1 sets up mutual authentication of the peers, negotiates cryptographic parameters, and creates session keys. The Phase 1 parameters used by NSX Edge are:

          • Main mode
          • TripleDES / AES [Configurable]
          • SHA-1
          • MODP group 2 (1024 bits)
          • pre-shared secret [Configurable]
          • SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
          • ISAKMP aggressive mode disabled

          Phase 2 Parameters

          IKE Phase 2 negotiates an IPSec tunnel by creating keying material for the IPSec tunnel to use (either by using the IKE phase one keys as a base or by performing a new key exchange). The IKE Phase 2 parameters supported by NSX Edge are:

          • TripleDES / AES [Will match the Phase 1 setting]
          • SHA-1
          • ESP tunnel mode
          • MODP group 2 (1024 bits)
          • Perfect forward secrecy for rekeying
          • SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
          • Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets

           

          Ensure that the algorithm and the Phase 1 and Phase 2 settings are correct on both sides.

          There are a few examples mentioned in the links below, including Cisco ASA.

           

          IPSec VPN Configuration Examples
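
One way to run the "settings match on both sides" check from the reply above, as an added example that is not part of the original thread or of VMware's or Cisco's documentation: it parses an ASA IKEv1 snippet and reports every setting that differs from the NSX Edge values listed in the reply. The sample config, the names `NSX-MAP` and `NSX-TS`, the peer address 203.0.113.10 and the helper names are constructed for illustration, and the parser assumes a single `crypto ikev1 policy` block.

```python
import re

# NSX Edge values taken from the Phase 1 / Phase 2 lists in the reply above.
NSX_PHASE1 = {"hash": "sha", "group": "2", "lifetime": "28800"}
NSX_PHASE2 = {"pfs": "group2", "lifetime": "3600"}

# Constructed ASA IKEv1 snippet (placeholder names and peer address).
# It deliberately differs from the Edge: DH group 5, 86400 s lifetime, no PFS line.
SAMPLE_ASA = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set NSX-TS esp-aes esp-sha-hmac
crypto map NSX-MAP 10 set peer 203.0.113.10
crypto map NSX-MAP 10 set ikev1 transform-set NSX-TS
crypto map NSX-MAP 10 set security-association lifetime seconds 3600
"""

def parse_asa(config):
    """Return (phase1, phase2) dicts of the settings found in an ASA config."""
    p1, p2, in_policy = {}, {}, False
    for line in config.splitlines():
        if line.startswith("crypto ikev1 policy"):
            in_policy = True
            continue
        if in_policy and line.startswith(" "):
            # Indented sub-command of the policy block, e.g. " group 5".
            key, _, value = line.strip().partition(" ")
            p1[key] = value
            continue
        in_policy = False
        m = re.match(r"crypto map \S+ \d+ set pfs (\S+)", line)
        if m:
            p2["pfs"] = m.group(1)
        m = re.match(r"crypto map \S+ \d+ set security-association "
                     r"lifetime seconds (\d+)", line)
        if m:
            p2["lifetime"] = m.group(1)
    return p1, p2

def mismatches(config, edge_encryption="aes"):
    """List (phase, setting, asa_value) where the ASA differs from the Edge."""
    p1, p2 = parse_asa(config)
    # Encryption is configurable on the Edge, so the caller states what it uses.
    want1 = dict(NSX_PHASE1, encryption=edge_encryption)
    found = []
    for phase, want, got in (("phase1", want1, p1), ("phase2", NSX_PHASE2, p2)):
        found += [(phase, k, got.get(k)) for k, v in want.items() if got.get(k) != v]
    return found
```

A value of `None` in the result means the setting is absent from the ASA config, as with the missing `set pfs` line in the sample.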