ISAKMP Policy

mikedelafield
Level 1

Does an ISAKMP policy have to be defined for an IPSEC connection or can it be left out of the config and defaults used?

And if an ISAKMP policy is not defined in relation to a Crypto Map, what parameters does Phase 1 use?

3 Replies

ajagadee
Cisco Employee

Hi,

You can use the default isakmp policy. The only thing you need to make sure of is that the remote side of the VPN tunnel matches the values in the default isakmp policy.

For example, on Cisco devices the default isakmp policy is DES, SHA, RSA-SIG, DH Group 1 and lifetime 86400 seconds.

2821#show crypto isakmp policy

Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

And for example, if you want to do Pre-shared key authentication and use the default isakmp policy, Phase 1 of the IPSEC Tunnel will not work since the default isakmp policy is configured for RSA-Signatures while the router is configured with Pre-Shared Key. So, you may want to create an isakmp policy with authentication pre-share.

crypto isakmp policy 10
 authentication pre-share

I hope it helps.

Regards,

Arul

** Please rate helpful posts **

Thanks for the reply, very useful.

So am I correct in assuming that if there is no ISAKMP policy present and listed in the config then the Crypto map will be using the global default instead?

Thanks.

Yes, that is my understanding.

Regards,

Arul
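The two checks that Arul's replies describe, namely what Phase 1 falls back to when no isakmp policy is configured and the pre-share versus RSA-signature mismatch, as an added Python example that is not part of this thread or of any Cisco tooling. It parses `show crypto isakmp policy` output in the field layout shown above; both sample outputs are constructed, the "priority 10" suite is hypothetical, and the weakness thresholds (no DES/3DES, no SHA-1/MD5, Diffie-Hellman group 14 or higher) are assumed baselines rather than anything stated in the thread.

```python
"""Parse 'show crypto isakmp policy' output and report which suite Phase 1
will fall back to, whether it is weak, and whether its authentication
method matches how the local router is configured."""
import re

# Constructed sample: one configured policy (priority 10, hypothetical) plus
# the default suite. Field names follow the output quoted in the thread.
SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Constructed sample: no isakmp policy configured, only the default suite
# (the values Arul quotes from the 2821).
DEFAULT_ONLY_OUTPUT = """\
Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

SUITE_HEADER = re.compile(r"^(?:Protection suite of priority (\d+)|Default protection suite)$")
FIELD = re.compile(
    r"^\s*(encryption algorithm|hash algorithm|authentication method|"
    r"Diffie-Hellman group|lifetime):\s*(.+?)\s*$"
)


def parse_isakmp_policies(text):
    """Return one dict per suite; the default suite has priority None."""
    suites, current = [], None
    for line in text.splitlines():
        header = SUITE_HEADER.match(line.strip())
        if header:
            current = {"priority": int(header.group(1)) if header.group(1) else None}
            suites.append(current)
            continue
        field = FIELD.match(line)
        if not field or current is None:
            continue
        key, value = field.group(1), field.group(2)
        if key == "Diffie-Hellman group":
            current["dh_group"] = int(re.search(r"#(\d+)", value).group(1))
        elif key == "lifetime":
            current["lifetime"] = int(re.search(r"(\d+) seconds", value).group(1))
        elif key == "encryption algorithm":
            current["encryption"] = value.split(" - ")[0]   # "DES - ..." -> "DES"
        elif key == "hash algorithm":
            current["hash"] = value
        else:
            current["auth"] = value
    return suites


def effective_policy(suites):
    """Configured suites are offered in priority order (lowest number first);
    with none configured only the default suite remains, which is the
    situation the thread asks about. Simplification: the peer may still
    reject the first suite and match a later one."""
    configured = sorted((s for s in suites if s["priority"] is not None),
                        key=lambda s: s["priority"])
    if configured:
        return configured[0]
    return next(s for s in suites if s["priority"] is None)


def weaknesses(suite):
    """Assumed baseline checks; thresholds are this example's, not Cisco's."""
    findings = []
    if "DES" in suite.get("encryption", ""):          # DES or triple DES
        findings.append("encryption: DES/3DES")
    if suite.get("hash") in ("Secure Hash Standard", "Message Digest 5"):
        findings.append("hash: SHA-1 or MD5")
    if suite.get("dh_group", 0) < 14:
        findings.append(f"dh_group: {suite.get('dh_group')} below group 14")
    return findings


def auth_mismatch(suite, local_auth):
    """True when the suite's authentication method cannot work with the
    local configuration: local_auth is 'pre-share' or 'rsa-sig'."""
    expected = {"pre-share": "Pre-Shared Key",
                "rsa-sig": "Rivest-Shamir-Adleman Signature"}[local_auth]
    return suite.get("auth") != expected


if __name__ == "__main__":
    for name, text in (("configured", SAMPLE_OUTPUT), ("default-only", DEFAULT_ONLY_OUTPUT)):
        suite = effective_policy(parse_isakmp_policies(text))
        print(name, suite, weaknesses(suite),
              "pre-share mismatch:", auth_mismatch(suite, "pre-share"))
```

Run against the default-only output it reports exactly the failure Arul describes: the effective suite is the default (DES, SHA-1, RSA-Sig, group 1), and with pre-shared keys configured locally `auth_mismatch` is true, so Phase 1 cannot complete until a `crypto isakmp policy` with `authentication pre-share` is added.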
