ASA - IKE proposal parameters

When configuring the IKEv2 proposal on a Cisco ASA, you must configure the following for it to be considered complete:

  • at least one encryption algorithm
  • at least one integrity algorithm
  • at least one DH group

For each of these, you can configure multiple types. For example, you can configure encryption like so:

ASA1(config-ikev2-policy)# encryption aes 3des

The ASA will attempt to negotiate the encryption method in the priority order that you place the commands. The two ASAs must agree on the encryption method in order for an SA to form.

The same is true about the group. You can configure it like so:

ASA1(config-ikev2-policy)# group 2 5

Here group 2 is attempted first; if the peer does not accept it, group 5 is tried.

The prf sha command configures the pseudorandom function used for key derivation; it is essentially the same choice as the integrity algorithm.

A pair of ASAs must find a common encryption algorithm, integrity algorithm, and DH group to successfully create an SA; if any one of the three cannot be matched, the negotiation fails.

The lifetime values, however, may differ between the two ASAs: unlike IKEv1, IKEv2 does not negotiate lifetimes.
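The matching rules above (a complete policy needs all three parameters, each parameter is tried in the order the commands were entered, and lifetimes are local and never compared) can be modelled in a few lines. This is an added example, not ASA code or anything from the linked pages; the policy values are constructed from the commands shown above, and the lifetime numbers are assumed.

```python
# Model of the IKEv2 proposal matching described on this page (constructed
# example, not the ASA's implementation). Each parameter is an ordered list in
# the order the commands were entered: "encryption aes 3des" -> ["aes", "3des"].
from dataclasses import dataclass, field


@dataclass
class Ikev2Policy:
    encryption: list = field(default_factory=list)  # e.g. ["aes", "3des"]
    integrity: list = field(default_factory=list)   # e.g. ["sha"]
    group: list = field(default_factory=list)       # e.g. [2, 5]
    lifetime: int = 86400                           # seconds; local only (assumed value)


def is_complete(policy):
    """A policy needs at least one encryption, one integrity and one DH group."""
    return bool(policy.encryption) and bool(policy.integrity) and bool(policy.group)


def pick_first_common(offered, acceptable):
    """Walk the initiator's list in priority order and return the first value
    the responder also accepts, or None when there is no overlap."""
    for value in offered:
        if value in acceptable:
            return value
    return None


def negotiate(initiator, responder):
    """Return the agreed (encryption, integrity, group) as a dict, or None when
    any of the three cannot be matched. Lifetime is deliberately not compared,
    because IKEv2 does not negotiate it."""
    if not (is_complete(initiator) and is_complete(responder)):
        return None
    agreed = {
        "encryption": pick_first_common(initiator.encryption, responder.encryption),
        "integrity": pick_first_common(initiator.integrity, responder.integrity),
        "group": pick_first_common(initiator.group, responder.group),
    }
    return None if any(v is None for v in agreed.values()) else agreed


# Constructed sample policies (ASA1 uses the commands shown on the page).
ASA1 = Ikev2Policy(encryption=["aes", "3des"], integrity=["sha"], group=[2, 5], lifetime=86400)
ASA2 = Ikev2Policy(encryption=["3des"], integrity=["sha"], group=[5], lifetime=28800)
ASA3 = Ikev2Policy(encryption=["aes"], integrity=["sha"], group=[14])
INCOMPLETE = Ikev2Policy(encryption=["aes"], integrity=["sha"])  # no DH group

if __name__ == "__main__":
    print(negotiate(ASA1, ASA2))  # aes refused -> 3des; group 2 refused -> 5; lifetimes differ, still OK
    print(negotiate(ASA1, ASA3))  # no common DH group -> None
```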

Links:

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html#GUID-AE1571FE-44BA-458F-A4E6-0104ED97881F

https://forum.networklessons.com/t/cisco-asa-site-to-site-ikev2-ipsec-vpn/829/63?u=lagapides

https://networklessons.com/cisco/asa-firewall/cisco-asa-site-site-ikev2-ipsec-vpn