10-01-2007 07:26 AM
Does an ISAKMP policy have to be defined for an IPSEC connection or can it be left out of the config and defaults used?
And if an ISAKMP policy is not defined in relation to a Crypto Map, what parameters does Phase 1 use?
10-01-2007 08:30 PM
Hi,
You can use the default isakmp policy. The only thing you need to make sure of is that the remote side of the VPN Tunnel matches the values in the default isakmp policy.
For example, on Cisco devices the default isakmp policy is DES, SHA, RSA-SIG, DH Group 1 and lifetime 86400 seconds.
2821#show crypto isakmp policy
Global IKE policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
And for example, if you want to do Pre-shared key authentication and use the default isakmp policy, Phase 1 of the IPSEC Tunnel will not work since the default isakmp policy is configured for RSA-Signatures while the router is configured with Pre-Shared Key. So, you may want to create an isakmp policy with authentication pre-share.
crypto isakmp policy 10
authentication pre-share
I hope it helps.
Regards,
Arul
** Please rate helpful posts **
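As an added illustration (not part of Arul's post and not Cisco code), here is a small Python model of how IOS walks its ISAKMP policies in priority order with the global default evaluated last, showing why a pre-shared-key peer fails against the default policy and why adding policy 10 with authentication pre-share fixes it. The dataclass fields, function names and the lifetime rule (equal suite, peer lifetime not longer than ours, shorter one used) are my assumptions based on Cisco's documented behaviour.

```python
# Added example (not from the thread): a model of ISAKMP (IKE Phase 1)
# policy selection. Field and function names are assumptions.
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int            # lower number is evaluated first; default is 65535
    encryption: str = "des"
    hash_alg: str = "sha"
    authentication: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400    # seconds


# The global default policy as shown by "show crypto isakmp policy" above.
DEFAULT_POLICY = IsakmpPolicy(priority=65535)


def select_policy(local: List[IsakmpPolicy], peer: IsakmpPolicy) -> Optional[IsakmpPolicy]:
    """Return the first local policy (by priority, default last) that matches the peer.

    A match needs equal encryption, hash, authentication and DH group, and the
    peer's lifetime must not exceed ours; the shorter lifetime is then used.
    """
    for pol in sorted(local + [DEFAULT_POLICY], key=lambda p: p.priority):
        if (pol.encryption, pol.hash_alg, pol.authentication, pol.group) != (
            peer.encryption, peer.hash_alg, peer.authentication, peer.group
        ):
            continue
        if peer.lifetime > pol.lifetime:
            continue
        return replace(pol, lifetime=min(pol.lifetime, peer.lifetime))
    return None  # no acceptable policy: Phase 1 fails


# A peer built like the router in the post: default suite, but pre-shared key.
PSK_PEER = IsakmpPolicy(priority=10, authentication="pre-share")


def phase1_without_policy() -> Optional[IsakmpPolicy]:
    # Only the implicit default (rsa-sig) exists, so nothing matches.
    return select_policy([], PSK_PEER)


def phase1_with_policy_10() -> Optional[IsakmpPolicy]:
    # "crypto isakmp policy 10" + "authentication pre-share"; rest stays default.
    return select_policy([IsakmpPolicy(priority=10, authentication="pre-share")], PSK_PEER)


if __name__ == "__main__":
    print("no explicit policy:", phase1_without_policy())
    print("with policy 10:", phase1_with_policy_10())
```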
10-01-2007 11:58 PM
Thanks for the reply, very useful.
So am I correct in assuming that if there is no ISAKMP policy present and listed in the config then the Crypto map will be using the global default instead?
Thanks.
10-02-2007 01:17 PM
Yes, that is my understanding.
Regards,
Arul