
crypto ikev1 policy <priority>

Configures an IKEv1 policy with a specified priority for IPsec VPN negotiations on Cisco ASA Firewall.

Overview

The 'crypto ikev1 policy' command defines an Internet Key Exchange version 1 (IKEv1) policy on a Cisco ASA. IKEv1 is the original key-exchange protocol: it authenticates the two peers and establishes the IKE security association (SA) under which the IPsec SAs are later negotiated. The command enters a sub-configuration mode in which you set five parameters: authentication method, encryption algorithm, hash algorithm, Diffie-Hellman group and SA lifetime. These are proposed to the remote peer during Phase 1. The ASA supports multiple policies distinguished by priority; the lower the number, the higher the preference. The initiator sends its policies in priority order and the responder accepts the first one whose encryption, hash, DH group and authentication method also appear in one of its own policies. The lifetime does not have to match; if the two sides disagree, the shorter lifetime is used. The command applies to both site-to-site and remote access VPNs that use IKEv1. IKEv1 policies are global and are not attached to a crypto map: IKEv1 is switched on per interface with 'crypto ikev1 enable <interface>', while the crypto map carries the Phase 2 (IPsec) transform set and peer address. Most troubleshooting comes down to confirming that the configured policies overlap with the peer's. The command is entered in global configuration mode; VPN features are subject to licensing on some ASA models.

Syntax (global configuration mode)
crypto ikev1 policy <priority>

When to Use This Command

  • Setting up a site-to-site VPN between a Cisco ASA and a remote peer with specific encryption and authentication parameters.
  • Configuring remote access VPN for mobile workers using IKEv1 with pre-shared keys.
  • Defining multiple IKE policies with different priorities to allow fallback during negotiation.
  • Keeping IKEv1 policies in place during a migration to IKEv2 so that peers that have not yet been upgraded can still connect.

Parameters

Parameter   Syntax    Description
priority    1-65535   Unique integer identifying the policy. Lower numbers have higher priority; the ASA tries policies in ascending order of priority.

Command Examples

Configure IKEv1 Policy with Priority 10

crypto ikev1 policy 10
ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400
ciscoasa(config-ikev1-policy)# exit

Enters IKEv1 policy configuration mode for priority 10 and sets pre-shared-key authentication, AES-256 encryption, SHA hashing (on the ASA 'hash sha' means SHA-1), Diffie-Hellman group 2 and a lifetime of 86400 seconds (24 hours). Group 2 is a 1024-bit modular exponentiation group and is weak by current standards; prefer group 14 or higher where your release offers it for IKEv1.

View Configured IKEv1 Policies

show crypto ikev1 policy
IKEv1 Policy List
Policy: 10, Lifetime: 86400 secs
  Encryption: AES256, Authentication: Pre-share, Hash: SHA
  DH Group: 2
Policy: 20, Lifetime: 86400 secs
  Encryption: 3DES, Authentication: Pre-share, Hash: SHA
  DH Group: 2

Displays all configured IKEv1 policies. Policy 10 uses AES256, policy 20 uses 3DES. The ASA will try higher priority (lower number) first during negotiation.

Understanding the Output

The 'show crypto ikev1 policy' output lists the configured policies in priority order (lower number = higher preference). Each entry shows the lifetime in seconds, the encryption algorithm (AES256, AES192, AES, 3DES or DES), the authentication method (pre-share or rsa-sig), the hash (SHA, meaning SHA-1, or MD5) and the Diffie-Hellman group. Healthy values are AES (preferably AES-256), SHA and the strongest DH group your release offers (14 or higher where available). DES, 3DES, MD5 and DH groups 1, 2 and 5 are all weak by current standards and should not appear in production policies; in the output above, policy 20 is exactly such a fallback. If nothing is listed, no policy has been configured explicitly; create one rather than relying on platform defaults. The ASA compares the peer's proposal with these policies and uses the first match by priority; the lifetime is the one parameter that need not match, and the shorter value wins.

Configuration Scenarios

Site-to-Site VPN with Strong Encryption

Two offices connected over the internet; the tunnel must use AES-256 with SHA-1 (IKEv1 on the ASA offers only 'sha' and 'md5' as hashes; SHA-256 integrity requires IKEv2).

Topology

[HQ ASA] --- Internet --- [Branch ASA]

Steps

  1. Configure an IKEv1 policy on the HQ ASA with priority 10: pre-share, AES-256, SHA, DH group 5, lifetime 86400 (use group 14 or higher if your release offers it for IKEv1).
  2. Configure the identical policy on the Branch ASA.
  3. Enable IKEv1 on the outside interface of both ASAs ('crypto ikev1 enable outside'). The IKEv1 policy is global and is not referenced by the crypto map; the crypto map (transform set, peer, access list) and the tunnel-group holding the pre-shared key complete the tunnel.
Configuration
! HQ ASA
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! Branch ASA (same configuration)

Verify: Use 'show crypto ikev1 policy' to confirm policies. Use 'debug crypto ikev1' to see negotiation.

Watch out: the peers need at least one policy that agrees on encryption, hash, DH group and authentication method; only the lifetime may differ (the shorter value is used). Any other mismatch fails Phase 1 with NO_PROPOSAL_CHOSEN.
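To make the selection rule concrete, here is an added Python model (not Cisco code and not part of the original page) that parses the running-config form of the policies, fills unstated parameters with the ASA defaults, runs the Phase 1 match between two constructed peer configs and flags weak values. The HQ_CONFIG and BRANCH_CONFIG fragments, the WEAK sets and the MIN_LIFETIME floor are this example's own assumptions. It illustrates the rule from the Overview and the warning above: both peers offer AES-256, but because their DH groups differ the tunnel quietly settles on the 3DES fallback.

```python
"""ASA IKEv1 Phase 1 policy selection, modelled in Python (added example,
not Cisco code). Parses 'crypto ikev1 policy' blocks as they appear in the
running config, fills unstated parameters with the ASA defaults, picks the
policy two peers would agree on, and flags weak values. WEAK and
MIN_LIFETIME are this example's own thresholds."""
import re
from dataclasses import dataclass

# ASA defaults for any parameter a policy block does not state.
DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
            "hash": "sha", "group": "2", "lifetime": "86400"}
MATCH_FIELDS = ("encryption", "hash", "authentication", "group")  # lifetime excluded
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
MIN_LIFETIME = 3600  # assumed floor; shorter SAs rekey constantly

@dataclass(frozen=True)
class Ikev1Policy:
    priority: int
    authentication: str
    encryption: str
    hash: str
    group: str
    lifetime: int

def _build(fields):
    m = {**DEFAULTS, **fields}
    return Ikev1Policy(int(m["priority"]), m["authentication"], m["encryption"],
                       m["hash"], m["group"], int(m["lifetime"]))

def parse_policies(config):
    """Policies found in config text, sorted by priority (lowest first)."""
    policies, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
        if m:
            if current is not None:
                policies.append(_build(current))
            current = {"priority": m.group(1)}
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in DEFAULTS:
                current[key] = value.strip()
    if current is not None:
        policies.append(_build(current))
    return sorted(policies, key=lambda p: p.priority)

def negotiate(initiator, responder):
    """First initiator proposal (ascending priority) that matches any responder
    policy on MATCH_FIELDS; the shorter lifetime is used. None if no match."""
    for ip in initiator:
        for rp in responder:
            if all(getattr(ip, f) == getattr(rp, f) for f in MATCH_FIELDS):
                return ip, rp, min(ip.lifetime, rp.lifetime)
    return None

def audit(policy):
    """Findings for one policy: weak algorithm or group, or a very short lifetime."""
    findings = [f"policy {policy.priority}: weak {name} {getattr(policy, name)}"
                for name, bad in WEAK.items() if getattr(policy, name) in bad]
    if policy.lifetime < MIN_LIFETIME:
        findings.append(f"policy {policy.priority}: short lifetime {policy.lifetime}s")
    return findings

# Constructed running-config fragments for the two peers (not from a real device).
HQ_CONFIG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
BRANCH_CONFIG = """
crypto ikev1 policy 5
 encryption aes-256
 hash sha
 group 14
crypto ikev1 policy 30
 encryption 3des
 hash sha
 group 2
 lifetime 28800
"""

if __name__ == "__main__":
    hq, branch = parse_policies(HQ_CONFIG), parse_policies(BRANCH_CONFIG)
    for finding in (f for p in hq + branch for f in audit(p)):
        print(finding)
    chosen = negotiate(hq, branch)
    if chosen is None:
        print("no common policy: Phase 1 fails with NO_PROPOSAL_CHOSEN")
    else:
        print(f"HQ policy {chosen[0].priority} <-> branch policy {chosen[1].priority}, "
              f"lifetime {chosen[2]}s; AES-256 lost because DH groups differ (5 vs 14)")
```

Run it and the audit reports the weak group 5 on HQ policy 10 and the weak 3DES/group 2 pair on policy 20, then shows HQ policy 20 pairing with branch policy 30 at the branch's shorter 28800-second lifetime. The fix is the same one the scenario steps describe: make the strong policy identical on both sides, and do not leave a weak fallback in place.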

Remote Access VPN with Multiple Policies

ASA supports remote clients with varying capabilities; need fallback policies.

Topology

[Client] --- Internet --- [ASA]

Steps

  1. Configure policy 10 with AES-256, SHA, group 2.
  2. Configure policy 20 with 3DES, SHA, group 2 as a fallback.
  3. Enable IKEv1 on the outside interface.
Configuration
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Verify: Check 'show crypto ikev1 sa' to see active SAs.

Watch out: every client must support at least one policy or it cannot connect. A 3DES fallback also means any client that selects it gets weaker protection than policy 10, so remove it once all clients support AES, and move to group 14 or higher where the platform offers it.

Troubleshooting with This Command

When an IKEv1 tunnel will not come up on a Cisco ASA, check the Phase 1 policy before anything else:

  • List the configured policies with 'show crypto ikev1 policy' (or 'show running-config crypto ikev1') and compare them with the peer's. Encryption, hash, DH group and authentication method must agree on at least one policy pair; only the lifetime may differ.
  • Run 'debug crypto ikev1 127' during a connection attempt. A NO_PROPOSAL_CHOSEN notify means no policy pair matched; an exchange that stalls after the proposal is accepted usually points at the pre-shared key in the tunnel-group or at an unreachable peer.
  • 'show crypto ikev1 sa' lists the Phase 1 SAs. For main mode the healthy state is MM_ACTIVE; any other state means the negotiation is incomplete.
  • Confirm IKEv1 is enabled on the interface facing the peer ('crypto ikev1 enable outside'; 'isakmp enable outside' is the pre-8.4 form) and that the ASA has a route to the peer.
  • Confirm the crypto map is applied to that interface and its access list matches the interesting traffic. For remote access, confirm the tunnel-group and group-policy exist.
  • 'show crypto ikev1 stats' gives counters for failed negotiations. If certificates are used, confirm the CA is trusted. Finally, read the ASA logs for IKE error messages.
  • A very short lifetime does not break negotiation, but it causes constant rekeying; keep the lifetime at a sane value such as 86400 seconds.
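The first two checks above can be scripted. The following added Python example (not Cisco code and not part of the original page) reads 'show crypto ikev1 sa' output to find peers whose SA is not MM_ACTIVE, scans 'debug crypto ikev1 127' lines for NO_PROPOSAL_CHOSEN, and attributes each stuck peer either to a policy mismatch or to a later-stage problem. SAMPLE_SA_OUTPUT and SAMPLE_DEBUG are constructed in the style of those outputs, not captured from a device; check the field layout against your own release before relying on the regexes.

```python
"""Triage helpers for ASA IKEv1 Phase 1 failures (added example, not Cisco
code). Pairs 'show crypto ikev1 sa' state with NO_PROPOSAL_CHOSEN notifies
seen in 'debug crypto ikev1 127' to separate policy mismatches from
problems later in the exchange."""
import re

# Constructed in the style of 'show crypto ikev1 sa'; not captured from a device.
SAMPLE_SA_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Constructed in the style of 'debug crypto ikev1 127' output; not captured.
SAMPLE_DEBUG = """\
[IKEv1]: IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 84
[IKEv1]: IP = 198.51.100.7, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
"""

def parse_ike_sas(text):
    """One dict per peer entry: {'peer', 'role', 'state'}."""
    sas, current = [], None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            current = {"peer": m.group(1), "role": None, "state": None}
            sas.append(current)
            continue
        if current is None:
            continue  # header lines before the first peer entry
        for key in ("Role", "State"):
            m = re.search(rf"{key}\s*:\s*(\S+)", line)
            if m:
                current[key.lower()] = m.group(1)
    return sas

def incomplete_peers(sas):
    """Peers whose main-mode SA has not reached MM_ACTIVE."""
    return [sa for sa in sas if sa["state"] != "MM_ACTIVE"]

def proposal_mismatch_peers(debug_text):
    """Peer addresses for which a NO_PROPOSAL_CHOSEN notify was logged."""
    peers = set()
    for line in debug_text.splitlines():
        if "NO_PROPOSAL_CHOSEN" in line:
            m = re.search(r"IP = (\S+),", line)
            if m:
                peers.add(m.group(1))
    return peers

def diagnose(sa_text, debug_text):
    """Map each stuck peer to the most likely cause."""
    mismatched = proposal_mismatch_peers(debug_text)
    report = {}
    for sa in incomplete_peers(parse_ike_sas(sa_text)):
        if sa["peer"] in mismatched:
            report[sa["peer"]] = ("policy mismatch (NO_PROPOSAL_CHOSEN): compare "
                                  "'show crypto ikev1 policy' on both peers")
        else:
            report[sa["peer"]] = (f"stuck in {sa['state']}: check the pre-shared key, "
                                  "reachability and 'crypto ikev1 enable' on the interface")
    return report

if __name__ == "__main__":
    for peer, cause in diagnose(SAMPLE_SA_OUTPUT, SAMPLE_DEBUG).items():
        print(f"{peer}: {cause}")
```

With the sample data the peer 203.0.113.2 is healthy and is not reported, while 198.51.100.7 is stuck in MM_WAIT_MSG2 and has a matching NO_PROPOSAL_CHOSEN notify, so it is attributed to a policy mismatch. Feed the same functions real command output to triage many tunnels at once.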

CCNA Exam Tips

1. Lower priority numbers are tried first; the ASA settles on the first policy whose encryption, hash, DH group and authentication method both sides support. The lifetime may differ, in which case the shorter value is used.

2. Know the ASA defaults for an IKEv1 policy: authentication pre-share, encryption 3DES, hash SHA-1, DH group 2, lifetime 86400 seconds. Any parameter you omit takes its default.

3. Be able to identify weak configurations (DES, 3DES, MD5, DH group 1, 2 or 5) that should be avoided in production; use AES and group 14 or higher where the platform offers them.

Common Mistakes

Setting a very short lifetime (e.g., 300 seconds) causing frequent rekeying and potential VPN drops.

Using incompatible DH groups or encryption algorithms between peers, leading to negotiation failure.

Omitting parameters and relying on defaults: on the ASA an unstated parameter takes the platform default (for example 3DES encryption and DH group 2), which may be weaker than intended and different from what the peer expects. State all five parameters explicitly in every policy.

Platform Notes

On Cisco ASA the IKEv1 policy is configured with 'crypto ikev1 policy' (ASA 8.4 and later; earlier releases used 'crypto isakmp policy', which is also the IOS command). The ASA supports both IKEv1 and IKEv2; IKEv1 is the older protocol, and although it remains supported in 9.x, IKEv2 is recommended for new deployments. The keywords are close to IOS but not identical: IOS writes 'encryption aes 256' where the ASA writes 'encryption aes-256', and the ASA's IKEv1 'hash' offers only 'sha' (SHA-1) and 'md5', with SHA-2 integrity available only in IKEv2 policies. IKEv1 on the ASA also offers a smaller set of Diffie-Hellman groups than IKEv2; run 'group ?' inside policy mode to see what your release supports and prefer group 14 or higher where it is available. The ASA default IKEv1 policy is authentication pre-share, encryption 3des, hash sha, group 2 and lifetime 86400 seconds; IOS defaults differ (DES, SHA, rsa-sig, group 1, 86400). Set every parameter explicitly rather than relying on either set of defaults. IKEv1 is enabled per interface with 'crypto ikev1 enable <interface>'. VPN features are subject to licensing on some ASA models. Keep these differences in mind when migrating configurations from IOS to ASA.
