ASA 8.2 vs 8.4 crypto isakmp/ikev vpnsetup question.

So crypto isakmp (8.2 & <) has been replaced with crypto ikev (8.4 & >). But if you go to an ASA with 8.4 or greater and run the vpnsetup command 

 

Step 2 says

2. Configure ISAKMP policy

crypto isakmp policy 65535
 authentication pre-share
 encryption aes
 hash sha

and

Step 10 says

10. Enable isakmp on interface

crypto isakmp enable outside

 

Cisco doc is updated

 

Configuration Example for L2TP over IPsec Using ASA 8.4.1 and later

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Configuration Example for L2TP over IPsec Using ASA 8.2.5

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

 

I guess it's safe to say that the vpnsetup command has not been updated yet. My question is if you try and run the command the old way (crypto isakmp policy), on an 8.4 version or higher, the syntax is taken even though it shows Unrecognized command but it automatically converts it for you. While I expect to use the new method if I find myself on an 8.4 or greater version, I am just curious if there is any difference should one use the old method (crypto isakmp policy) to configure it as against the new method (crypto ikev1 policy).

 

Comments

  • I haven’t noticed any differences, but it’s better to use the new version of the commands so in case you get stuck or need to see options you can do a “?”.  Otherwise the context help won’t work.
    -Dan

    On Feb 10, 2014, at 6:09 AM, Cisco_Baba <[email protected]> wrote:


  • Hi,

    So they had to keep both command syntaxes available, so that when you upgrade from the old code to the new one, the commands are automatically changed for you, you don't have to do it manually offline.

    At the same time, because commands are no longer available in context-sensitive help, it means that these will be no longer available at some point in time with the newer release codes. So getting used to the new command syntax is a must.

    Regards,

    Cristian.
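
Added example, not part of the thread and not Cisco tooling: a small Python check that rewrites the two legacy forms quoted above (`crypto isakmp policy N` and `crypto isakmp enable IF`) to their `crypto ikev1` equivalents in a saved config, so the change can be reviewed before an upgrade rather than left to the automatic conversion. The function name `migrate`, the sample text and the `example-unmapped-option` line are assumptions made for illustration.

```python
import re

# Only the two command forms shown in the thread are mapped. Any other
# "crypto isakmp ..." line is left untouched and reported for manual review.
LEGACY = re.compile(r"^(\s*)crypto isakmp (policy \d+|enable \S+)\s*$")
OTHER = re.compile(r"^\s*crypto isakmp\b")


def migrate(config: str):
    """Return (rewritten_config, changes, unmapped) for a saved config text."""
    out, changes, unmapped = [], [], []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = LEGACY.match(line)
        if m:
            new = f"{m.group(1)}crypto ikev1 {m.group(2)}"
            changes.append((lineno, line.strip(), new.strip()))
            line = new
        elif OTHER.match(line):
            unmapped.append((lineno, line.strip()))
        out.append(line)  # policy sub-commands pass through unchanged
    return "\n".join(out), changes, unmapped


# Constructed sample: the 8.2.5 lines quoted in the thread, plus one
# hypothetical line (not a real ASA option) that the thread does not cover.
SAMPLE = """\
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp example-unmapped-option
"""

if __name__ == "__main__":
    new_cfg, changes, unmapped = migrate(SAMPLE)
    for n, old, new in changes:
        print(f"line {n}: {old!r} -> {new!r}")
    for n, old in unmapped:
        print(f"line {n}: not mapped, check by hand: {old!r}")
```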
