Can you have multiple crypto isakmp policies on a router?

Answered Question
Jan 14th, 2008

I have an 1841 router acting as a hub for multiple IPSec tunnels. I have one ISAKMP policy that looks like this:


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ******** address x.x.x.x
crypto isakmp key ******** address y.y.y.y
crypto isakmp key ******** address z.z.z.z



I want to start using AES as the ISAKMP encryption protocol, but I can't be there to change the other ends of all of the other tunnels. Can I create another crypto isakmp policy 2 and just put the pre-shared key for the new connections under that one while I am migrating?


Thanks,


Chris

Correct Answer by Jon Marshall, Mon, 01/14/2008 - 16:36

Chris


You can have multiple isakmp policies on your router. The router will run through them in order until it finds a match. So you just need to add a new isakmp policy with a different sequence number eg.


crypto isakmp policy 2
 encr aes
 auth pre-share
 group 2


This will not affect your original isakmp policy.


Not sure what you mean by putting the pre-shared key "under" the isakmp policy. The key is not tied to any one isakmp policy - you can see this from the configuration you supply above.


All you need to do to switch over is to configure the isakmp policy on your 1841 router and then change the remote sites over as and when you can. The ones you have changed will use AES, the one you haven't yet changed will continue to use 3DES.


HTH


Jon
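One way to see why adding policy 2 leaves the existing peers untouched, as an added example that is not part of Jon's reply: a small Python model of the ordered match a Cisco IOS responder performs, run over a constructed hub config carrying both policies. The classic IOS defaults it fills in for unset attributes, the TEST-NET addresses and the spoke proposals are assumptions.

```python
"""Ordered ISAKMP (IKEv1 phase 1) policy match on a Cisco IOS responder. Added
example, not code from the thread; DEFAULTS (classic IOS) and peers are assumed."""
import re
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ALIASES = {"auth": "authentication", "encryption": "encr"}  # IOS short forms

def parse_isakmp_policies(config):
    """Return {priority: attrs}, lowest number (highest priority) first."""
    policies, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", raw.strip())
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
        elif current is not None and raw.startswith(" "):
            key, _, value = raw.strip().partition(" ")
            key = ALIASES.get(key, key)
            if key in DEFAULTS:
                policies[current][key] = value
        else:
            current = None  # an unindented line ends the policy block
    return dict(sorted(policies.items()))

def select_policy(local, proposal):
    """First local policy matching the peer's encr/hash/auth/DH group, else None.
    Lifetime is not matched: IOS just negotiates it down to the shorter value."""
    for prio, pol in local.items():
        if all(pol[k] == proposal[k] for k in DEFAULTS):
            return prio
    return None

# Constructed hub config; a TEST-NET address stands in for the thread's x.x.x.x.
HUB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr aes
 auth pre-share
 group 2
crypto isakmp key ******** address 192.0.2.10
"""
# Constructed spoke proposals: not yet migrated, migrated, and a DH group the
# hub never offers (fails phase 1 no matter which policy is added).
PEERS = {
    "192.0.2.10": {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"},
    "192.0.2.20": {"encr": "aes", "hash": "sha", "authentication": "pre-share", "group": "2"},
    "192.0.2.30": {"encr": "aes", "hash": "sha", "authentication": "pre-share", "group": "5"},
}
```

Running `select_policy` over each entry of `PEERS` shows the 3DES spoke still landing on policy 1 and the migrated spoke on policy 2, which is the behaviour Jon describes.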


olighec Mon, 01/14/2008 - 16:42

Jon,


Thanks! That helps a lot.


You are also right that the crypto isakmp key ****** address x.x.x.x are not part of the crypto isakmp policy. I had assumed they were as they were always directly underneath the isakmp policy with no blank lines between. Now that I have added the second policy, the keys moved down.


Thanks!
