VPN L2L - Explicit Phase 1 SA settings

May 12th, 2008

I was wondering, is it possible to explicitly set the IKE SA policy through the tunnel group settings? My understanding is the first isakmp policy that matches on both ends is the selected one.

I want to make sure the SA settings I gave to the other company are the ones we told them, without impacting any other existing VPN tunnels.

To be more explicit, I want to make sure that encryption aes, hash sha, DH group 2 are the settings that will be used and nothing else. All this without removing existing isakmp policies (if possible).


alanajjar Tue, 05/13/2008 - 06:13

If I understand your request correctly, I think you just need to configure an IKE policy and give it a higher priority (lower number) than the existing policies; by that you will be sure that this policy will be used first. And by the way, since the IKE policy will only match an identical IKE policy on your side, it will be matched regardless of the priority of this policy.

Example of an IKE policy for this:

isakmp policy 1 encr aes
isakmp policy 1 auth pre-share
isakmp policy 1 hash sha
isakmp policy 1 group 2

Hope it's helpful.

With regards
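The priority-ordered matching that this answer relies on, modelled in Python. This is an added example, not code from the thread or from Cisco; the policy values are constructed, and the match rule it encodes (identical encryption, hash, authentication and DH group, with the peer's lifetime no longer than the local one) is the IKEv1 rule as Cisco documents it. It shows what happens to an established peer and to the new partner when the agreed policy is added at the top of the list versus at the bottom.

```python
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class IkePolicy:
    """One 'isakmp policy <priority>' entry. Lower number = tried first (Cisco convention)."""
    priority: int
    encr: str
    hash_alg: str
    auth: str
    group: int
    lifetime: int = 86400  # seconds; ASA default


def policies_match(local: IkePolicy, remote: IkePolicy) -> bool:
    """IKEv1 match rule as Cisco documents it: encryption, hash, authentication and
    DH group must be identical; the peer's lifetime may not exceed the local one."""
    return (local.encr == remote.encr
            and local.hash_alg == remote.hash_alg
            and local.auth == remote.auth
            and local.group == remote.group
            and remote.lifetime <= local.lifetime)


def select_policy(responder: Sequence[IkePolicy],
                  initiator_offer: Sequence[IkePolicy]) -> Optional[IkePolicy]:
    """The responder walks its own policies from highest priority (lowest number)
    downward and returns the first that matches any policy the initiator offered.
    There is no per-peer or per-tunnel-group scoping: every peer sees the same list."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in initiator_offer:
            if policies_match(local, remote):
                return local
    return None


# Constructed scenario (hypothetical values, not from the thread).
EXISTING = [
    IkePolicy(10, "3des", "sha", "pre-share", 2),
    IkePolicy(20, "aes", "md5", "pre-share", 2),
]
# An established peer that proposes both 3DES/SHA and AES/SHA.
OLD_PEER = [
    IkePolicy(10, "3des", "sha", "pre-share", 2),
    IkePolicy(20, "aes", "sha", "pre-share", 2),
]
# The new partner company, offering only what was agreed: aes / sha / DH group 2.
NEW_PARTNER = [IkePolicy(10, "aes", "sha", "pre-share", 2)]
AGREED = IkePolicy(0, "aes", "sha", "pre-share", 2)


def compare_placements() -> dict:
    """Priority of the selected policy for each peer: before the change, with the
    agreed policy added at the top (priority 1), and with it added at the bottom (65535)."""
    at_top = EXISTING + [replace(AGREED, priority=1)]
    at_bottom = EXISTING + [replace(AGREED, priority=65535)]

    def pri(selected: Optional[IkePolicy]) -> Optional[int]:
        return selected.priority if selected else None

    return {
        "old_peer_before": pri(select_policy(EXISTING, OLD_PEER)),
        "old_peer_top": pri(select_policy(at_top, OLD_PEER)),
        "old_peer_bottom": pri(select_policy(at_bottom, OLD_PEER)),
        "partner_before": pri(select_policy(EXISTING, NEW_PARTNER)),
        "partner_top": pri(select_policy(at_top, NEW_PARTNER)),
        "partner_bottom": pri(select_policy(at_bottom, NEW_PARTNER)),
    }


if __name__ == "__main__":
    for name, priority in compare_placements().items():
        print(f"{name:16} -> policy {priority}")
```

Running it shows that placement decides the effect: the policy inserted as number 1 becomes the match for the established peer too (its phase 1 silently moves from 3DES to AES), while the same policy at priority 65535 is reached only by the partner, whom nothing above it matches. The lifetime rule can be exercised by giving OLD_PEER a longer lifetime than EXISTING.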

deephazz02 Tue, 05/13/2008 - 08:56

Actually that is almost what I want to do.

I was wondering if there is a way to assign an isakmp policy to a tunnel group or a crypto map, but more likely to a tunnel group. Because if I modify the priority of the isakmp policy, then I will influence all the VPNs going through phase 1 that will potentially match first the policy with a higher priority. So then I could end up with phase 1 settings changed for existing VPNs.
