crypto ikev1 policy [priority]
Configures an IKEv1 policy with a specified priority for IPsec VPN negotiations on Cisco ASA Firewall.
Overview
The 'crypto ikev1 policy' command is used on Cisco ASA Firewalls to define Internet Key Exchange (IKE) version 1 policies for IPsec VPN tunnels. IKEv1 is the original key exchange protocol that establishes security associations (SAs) for IPsec. This command enters a sub-configuration mode where you specify parameters such as encryption algorithm, authentication method, hash algorithm, Diffie-Hellman group, and lifetime. These parameters are proposed to the remote peer during Phase 1 of IKE negotiation. The ASA supports multiple policies with different priorities; the lower the priority number, the higher the preference. During negotiation, the ASA sends its list of policies to the peer, and the first policy that matches both sides is selected. This command is essential for site-to-site VPNs and remote access VPNs using IKEv1. On the ASA platform, IKEv1 policies are configured globally and can be applied to crypto maps. Troubleshooting often involves verifying that the configured policies match the peer's capabilities. The command is used in global configuration mode and requires the 'ipsec' license on some models.
When to Use This Command
- Setting up a site-to-site VPN between a Cisco ASA and a remote peer with specific encryption and authentication parameters.
- Configuring remote access VPN for mobile workers using IKEv1 with pre-shared keys.
- Defining multiple IKE policies with different priorities to allow fallback during negotiation.
- Migrating from IKEv1 to IKEv2 by first configuring IKEv1 policies for backward compatibility.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| priority | 1-65535 | Unique integer identifying the policy. Lower numbers have higher priority. The ASA will attempt to match policies in ascending order of priority. |
Command Examples
Configure IKEv1 Policy with Priority 10
ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400
ciscoasa(config-ikev1-policy)# exit
Enters IKEv1 policy configuration mode for priority 10. Sets authentication to pre-shared key, encryption to AES-256, hash to SHA, Diffie-Hellman group 2, and lifetime to 86400 seconds (24 hours).
View Configured IKEv1 Policies
ciscoasa# show crypto ikev1 policy

IKEv1 Policy List
Policy: 10, Lifetime: 86400 secs
  Encryption: AES256, Authentication: Pre-share, Hash: SHA
  DH Group: 2
Policy: 20, Lifetime: 86400 secs
  Encryption: 3DES, Authentication: Pre-share, Hash: SHA
  DH Group: 2
Displays all configured IKEv1 policies. Policy 10 uses AES256, policy 20 uses 3DES. The ASA will try higher priority (lower number) first during negotiation.
Understanding the Output
The 'show crypto ikev1 policy' command lists all configured IKEv1 policies in order of priority (lower number = higher priority). Each policy shows the lifetime in seconds, encryption algorithm (e.g., AES256, 3DES, DES), authentication method (pre-share or rsa-sig), hash algorithm (SHA, MD5), and Diffie-Hellman group (1, 2, 5, etc.). Healthy values include strong encryption (AES256), SHA hash, and group 2 or higher. Problem values might include weak encryption like DES, MD5 hash, or group 1, which are less secure. If no policies are configured, the output will be empty, and VPN negotiations will fail. The ASA uses these policies to match with the peer's proposal; the first matching policy (by priority) is used.
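The matching rule described in the Overview (responder walks its policies by priority, first match wins) and the weak-value checks above, as an added Python example that is not part of the original page. The two 'show crypto ikev1 policy' outputs are constructed in the page's format; the negotiation model is deliberately simplified (exact match on encryption, authentication, hash and DH group, shorter lifetime wins), and 3DES is flagged as deprecated in addition to the page's DES/MD5/group 1 list.

```python
import re

# Constructed 'show crypto ikev1 policy' output for two peers, in the page's output format.
# HQ's preferred policy uses DH group 5, Branch's uses group 2, so only the 3DES fallback matches.
HQ_OUTPUT = """IKEv1 Policy List
Policy: 10, Lifetime: 86400 secs
  Encryption: AES256, Authentication: Pre-share, Hash: SHA
  DH Group: 5
Policy: 20, Lifetime: 86400 secs
  Encryption: 3DES, Authentication: Pre-share, Hash: SHA
  DH Group: 2
"""
BRANCH_OUTPUT = """IKEv1 Policy List
Policy: 10, Lifetime: 3600 secs
  Encryption: AES256, Authentication: Pre-share, Hash: SHA
  DH Group: 2
Policy: 30, Lifetime: 28800 secs
  Encryption: 3DES, Authentication: Pre-share, Hash: SHA
  DH Group: 2
"""
POLICY_RE = re.compile(r"Policy: (\d+), Lifetime: (\d+) secs\s+Encryption: (\S+), "
                       r"Authentication: (\S+), Hash: (\S+)\s+DH Group: (\d+)")

def parse_policies(text):
    """Return (priority, attrs) tuples sorted by priority; lower number = tried first."""
    return sorted(((int(prio), {"enc": enc.upper(), "auth": auth.lower(), "hash": hsh.upper(),
                                "group": int(grp), "lifetime": int(life)})
                   for prio, life, enc, auth, hsh, grp in POLICY_RE.findall(text)),
                  key=lambda t: t[0])

def audit(policies):
    """Flag the weak values the page calls out (DES, MD5, DH group 1); 3DES added as deprecated."""
    checks = [(lambda p: p["enc"] in ("DES", "3DES"), "weak encryption"),
              (lambda p: p["hash"] == "MD5", "weak hash MD5"),
              (lambda p: p["group"] == 1, "weak DH group 1")]
    return [(prio, msg) for prio, p in policies for test, msg in checks if test(p)]

def negotiate(responder, initiator):
    """Simplified Phase 1 selection: the responder walks its policies in priority order and takes
    the first one the initiator also proposed; shorter lifetime wins. None = NO_PROPOSAL_CHOSEN."""
    keys = ("enc", "auth", "hash", "group")
    for r_prio, r in responder:
        for i_prio, i in initiator:
            if all(r[k] == i[k] for k in keys):
                return {"responder": r_prio, "initiator": i_prio,
                        "lifetime": min(r["lifetime"], i["lifetime"])}
    return None
```

Running negotiate(parse_policies(HQ_OUTPUT), parse_policies(BRANCH_OUTPUT)) shows how a single DH-group mismatch in the preferred policy silently drops the tunnel onto the weaker 3DES fallback, which audit() reports.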
Configuration Scenarios
Site-to-Site VPN with Strong Encryption
Two offices connected via internet; need secure VPN with AES-256 and SHA-256.
Topology
[HQ ASA] --- Internet --- [Branch ASA]

Steps
1. Configure IKEv1 policy on HQ ASA with priority 10, AES-256, SHA, DH group 5, pre-share, lifetime 86400.
2. Configure identical policy on Branch ASA.
3. Apply policy to crypto map and enable on interface.

! HQ ASA
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! Branch ASA (same configuration)
Verify: Use 'show crypto ikev1 policy' to confirm policies. Use 'debug crypto ikev1' to see negotiation.
Watch out: Both peers must have identical IKE parameters; otherwise negotiation fails.
Remote Access VPN with Multiple Policies
ASA supports remote clients with varying capabilities; need fallback policies.
Topology
[Client] --- Internet --- [ASA]

Steps
1. Configure policy 10 with AES-256, SHA, group 2.
2. Configure policy 20 with 3DES, SHA, group 2 as fallback.
3. Enable IKEv1 on outside interface.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Verify: Check 'show crypto ikev1 sa' to see active SAs.
Watch out: Ensure the client supports at least one policy; otherwise connection fails.
Troubleshooting with This Command
When troubleshooting IKEv1 VPN issues on Cisco ASA, start by verifying that IKEv1 policies are configured correctly using 'show crypto ikev1 policy'. Ensure the peer's proposed parameters match one of your policies. Common issues include mismatched encryption, hash, DH group, or authentication method. Use 'debug crypto ikev1 127' to see detailed negotiation messages, and look for 'NO_PROPOSAL_CHOSEN' errors, which indicate a policy mismatch. Also check that the pre-shared key is identical on both sides. If the VPN fails to establish, verify that the crypto map is applied to the correct interface and that the access-list permits the traffic. The 'show crypto ikev1 sa' command shows active Phase 1 SAs; if the state is not MM_ACTIVE, the negotiation is incomplete. Check timestamps and lifetimes; if the lifetime is too short, rekeying may fail. On ASA, ensure that IKEv1 is enabled on the outside interface with 'crypto ikev1 enable outside' ('isakmp enable outside' on older releases). Also verify that the ASA has a route to the peer. For remote access, check that the group policy and tunnel-group are configured. Use 'show crypto isakmp stats' for counters. If using certificates, ensure the CA is trusted. Finally, check the ASA logs for IKE error messages.
CCNA Exam Tips
Remember that lower priority numbers are tried first; the ASA matches the first policy that both sides support.
Know the default IKEv1 policy parameters: encryption DES, hash MD5, DH group 1, lifetime 86400 seconds.
Be able to identify weak configurations (e.g., DES, MD5, group 1) that should be avoided in production.
Common Mistakes
Setting a very short lifetime (e.g., 300 seconds) causing frequent rekeying and potential VPN drops.
Using incompatible DH groups or encryption algorithms between peers, leading to negotiation failure.
Forgetting to specify authentication method (default is rsa-sig) when using pre-shared keys, causing mismatch.
Platform Notes
On Cisco ASA, IKEv1 is configured using 'crypto ikev1 policy' (as opposed to 'crypto isakmp policy' on IOS). The ASA supports IKEv1 and IKEv2; IKEv1 is the older protocol. The command syntax is similar to IOS with slight differences (e.g., 'crypto ikev1 policy' on ASA vs 'crypto isakmp policy' on IOS). On ASA version 9.x and later, IKEv1 is still supported but IKEv2 is recommended for new deployments. The ASA does not support all DH groups; common groups are 1, 2, 5, 14, 19, 20, 21. The default IKEv1 policy on ASA is encryption DES, hash MD5, DH group 1, lifetime 86400 seconds. For security, always override defaults. On IOS routers, the equivalent command is 'crypto isakmp policy'. On ASA, the 'crypto ikev1 enable' command is used to enable IKEv1 on an interface. Note that on some ASA models, the 'ipsec' license may be required for VPN features. When migrating from IOS to ASA, be aware of these differences.