05-12-2008 08:12 AM - edited 03-11-2019 05:43 AM
Hello,
I was wondering, is it possible to explicitly set the IKE SA policy through the tunnel group settings? My understanding is the first isakmp policy that matches on both ends is the selected one.
I want to make sure the SA settings I gave to the other company are the ones we told them, without impacting any other existing VPN tunnels.
To be more explicit, I want to make sure encryption aes, hash sha, DH group 2 are the settings that will be used and nothing else. All this without removing existing isakmp policies (if possible).
Regards.
05-13-2008 06:13 AM
Hi,
If I understand your request correctly, I think you just need to configure an IKE policy and give it a higher priority (lower number) than the existing policies; that way you will be sure that this policy will be used first. And by the way, the IKE policy will match only an identical IKE policy at your side, so regardless of the priority of this policy, it will be matched.
Example of an IKE policy for this:
isakmp policy 1 encryption aes
isakmp policy 1 authentication pre-share
isakmp policy 1 hash sha
isakmp policy 1 group 2
Hope it's helpful.
With regards
05-13-2008 08:56 AM
Hi,
Actually that is almost what I want to do.
I was wondering if there is a way to assign an isakmp policy to a tunnel group or a crypto map, but more likely to a tunnel group. Because if I modify the priority of the isakmp policy then I will influence all the VPNs going through phase 1 that will potentially match first the policy with a higher priority. So in the end I could end up with phase 1 settings changed for existing VPNs.
Regards.
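Added example, not part of any post in this thread: a simplified Python model of IKEv1 phase 1 policy selection as Cisco documents it, where the responder checks the initiator's offered proposals against its own policies in priority order. The policy numbers 10 and 20, the 3des/md5 policy and the peer offers are constructed for illustration, and lifetime comparison is left out.

```python
from typing import NamedTuple, Optional


class Policy(NamedTuple):
    encryption: str
    hash: str
    auth: str
    group: int


def negotiate(responder: dict, offered: list) -> Optional[tuple]:
    """Return (priority, policy) for the first responder policy, walking
    priorities from lowest number to highest, that the initiator offered.
    Return None when no policy is identical on both sides."""
    for priority in sorted(responder):
        if responder[priority] in offered:
            return priority, responder[priority]
    return None


# Constructed sample data (assumptions, not taken from the thread).
AGREED = Policy("aes", "sha", "pre-share", 2)    # the set from the question
LEGACY = Policy("3des", "md5", "pre-share", 2)   # hypothetical older policy

existing = {10: LEGACY, 20: AGREED}              # before the change
with_new = {1: AGREED, **existing}               # after adding policy 1

strict_peer = [AGREED]            # peer configured with the agreed set only
flexible_peer = [LEGACY, AGREED]  # existing peer that offers several sets

if __name__ == "__main__":
    for name, offer in (("strict", strict_peer), ("flexible", flexible_peer)):
        print(name, "before:", negotiate(existing, offer))
        print(name, "after: ", negotiate(with_new, offer))
```

In this model a peer that offers only the agreed set ends up with aes/sha/group 2 whatever the priority is, while an existing peer that offers several sets moves from policy 10 to policy 1 once the new policy is added.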