Default ISAKMP Policy

Nov 2nd, 2007

I have a PIX firewall with various VPNs.

One of these VPNs is configured without an ISAKMP policy, so I assume it is using the Global Default Policy:


Secure Hash Standard
Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
86400 seconds

But the VPN also has a transform set of esp-aes-256 esp-sha-hmac, and I'm not sure how this affects the overall configuration?

In trying to configure a site to site VPN what settings would I need to give to the other end?

Also how does the transform set relate to the ISAKMP policy, what is the distinction between the two?

Basically this VPN drops regularly and I am trying to rule out config error and confirm what settings I have and/or should have.




The ISAKMP policy you have listed is Phase 1. The transform set is used for Phase 2 negotiations, so they are completely unrelated. Phase 1 builds a tunnel to encrypt the Phase 2 negotiation. To configure a site-to-site VPN, you will need to give them all of your Phase 1 values (encryption, hash, DH group, timeout, key, etc.) and all of the Phase 2 values. If any of the values do not match, then you will not build a connection, so you must be sure that both ends are negotiating the same.
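As an added illustration of the two phases described in this answer (example code, not from the original thread or from Cisco): a small Python model of an IKEv1 peer's Phase 1 policies and Phase 2 transform sets that shows which phase fails when the two ends disagree. The PIX values are those listed in the question plus an assumed encryption algorithm (the page does not show it); the remote peer's values are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Phase1Policy:
    """One ISAKMP (IKE Phase 1) policy."""
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int  # seconds

@dataclass(frozen=True)
class Phase2Proposal:
    """One IPsec transform set (IKE Phase 2), e.g. esp-aes-256 esp-sha-hmac."""
    esp_encryption: str
    esp_integrity: str

def match_phase1(local, remote):
    """Return the Phase 1 policy both peers accept, or None.
    Encryption, hash, authentication and DH group must be identical;
    lifetime is the one attribute allowed to differ, and the shorter
    value is used (the IKEv1 behaviour Cisco documents)."""
    for mine in local:  # local policies are tried in priority order
        for theirs in remote:
            same = all(getattr(mine, a) == getattr(theirs, a)
                       for a in ("encryption", "hash", "authentication", "dh_group"))
            if same:
                return replace(mine, lifetime=min(mine.lifetime, theirs.lifetime))
    return None

def match_phase2(local, remote):
    """Return the first transform set the remote end also offers, or None."""
    return next((ts for ts in local if ts in remote), None)

def negotiate(local, remote):
    """Simulate both phases; the first element names the phase that failed."""
    p1 = match_phase1(local["phase1"], remote["phase1"])
    if p1 is None:
        return ("phase1_failed", None, None)
    p2 = match_phase2(local["phase2"], remote["phase2"])
    if p2 is None:
        return ("phase2_failed", p1, None)
    return ("ok", p1, p2)

# Constructed sample: the poster's PIX. "des" is an assumption (encryption is not
# shown on the page); hash, authentication, DH group and lifetime are as listed.
PIX = {"phase1": [Phase1Policy("des", "sha", "rsa-sig", 1, 86400)],
       "phase2": [Phase2Proposal("esp-aes-256", "esp-sha-hmac")]}
# Constructed remote peer: Phase 1 agrees, but it offers only a different transform set.
PEER_WRONG_TS = {"phase1": [Phase1Policy("des", "sha", "rsa-sig", 1, 28800)],
                 "phase2": [Phase2Proposal("esp-3des", "esp-md5-hmac")]}

if __name__ == "__main__":
    print(negotiate(PIX, PEER_WRONG_TS))
```

Running it shows Phase 1 completing with the shorter 28800-second lifetime while Phase 2 fails, the situation where a tunnel appears to be up but carries no traffic; changing the peer's authentication to pre-share instead makes Phase 1 itself fail.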

mikedelafield Mon, 11/05/2007 - 07:36

Thanks for the reply.

The setup is a lot clearer now.

The connection actually works 90% of the time, but drops out quite often.

show isakmp sa will list the VPN as MM_NO_STATE?

Could you offer an insight as to what the cause may be of this? A configuration error is unlikely I presume?


