Can you have multiple crypto isakmp policies on a router?

Answered Question
Jan 14th, 2008

I have an 1841 router acting as a hub for multiple IPSec tunnels. I have one ISAKMP policy that looks like this:

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key ******** address x.x.x.x

crypto isakmp key ******** address y.y.y.y

crypto isakmp key ******** address z.z.z.z

I want to start using AES as the ISAKMP encryption protocol, but I can't be there to change the other ends of all of the other tunnels. Can I create another crypto isakmp policy 2 and just put the pre-shared key for the new connections under that one while I am migrating?

Thanks,

Chris

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 8 years 10 months ago

Chris

You can have multiple isakmp policies on your router. The router will run through them in order until it finds a match. So you just need to add a new isakmp policy with a different sequence number eg.

crypto isakmp policy 2

encr aes

auth pre-share

group 2

This will not affect your original isakmp policy.

Not sure what you mean by putting the pre-shared key "under" the isakmp policy. The key is not tied to anyone isakmp policy - you can see this from the configuration you supply above.

All you need to do to switch over is to configure the isakmp policy on your 1841 router and then change the remote sites over as and when you can. The ones you have changed will use AES, the one you haven't yet changed will continue to use 3DES.

HTH

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Mon, 01/14/2008 - 16:36

Chris

You can have multiple isakmp policies on your router. The router will run through them in order until it finds a match. So you just need to add a new isakmp policy with a different sequence number eg.

crypto isakmp policy 2

encr aes

auth pre-share

group 2

This will not affect your original isakmp policy.

Not sure what you mean by putting the pre-shared key "under" the isakmp policy. The key is not tied to anyone isakmp policy - you can see this from the configuration you supply above.

All you need to do to switch over is to configure the isakmp policy on your 1841 router and then change the remote sites over as and when you can. The ones you have changed will use AES, the one you haven't yet changed will continue to use 3DES.

HTH

Jon

olighec Mon, 01/14/2008 - 16:42

Jon,

Thanks! That helps a lot.

You are also right that the crypto isakmp key ****** address x.x.x.x are not part of the crypto isakmp policy. I had assumed they were as they were always directly underneath the isakmp policy with no blank lines between. Now that I have added the second policy, the keys moved down.

Thanks!

Actions

This Discussion