ISAKMP policy number order?

Jan 20th, 2010

Hey there!


When I am making my ISAKMP, does the policy number matter what it is? If so, what is so significant about it? See example below.


crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400


I see some at times that have 20, 30 after the policy... what does it mean?

Laurent Aubert Wed, 01/20/2010 - 18:20
User Badges:
  • Cisco Employee,

Hi,


This number allows you to create several ISAKMP policies in case you have several peers which don't have the same policy.


HTH


Laurent.

cisco_himg Wed, 01/20/2010 - 19:16

I thought that meant priority number? I am just confused because I don't want to mess up my current tunnels....


How do the cryptos reference ISAKMP? Also, can I use the same ISAKMP on different cryptos?

Laurent Aubert Thu, 01/21/2010 - 10:10
User Badges:
  • Cisco Employee,

Hi,


There is no link between your crypto used for IPSec and ISAKMP policies. When a router initiates an IPSec tunnel, it will start with the ISAKMP phase.


During this first phase,

1- Both peers will exchange all their ISAKMP policies until they agree on a common one.

2- Once it's done, this policy will be applied to encrypt further exchanges and to do the authentication.


So the number means in which order the different policies will be submitted to the peer until a common one is found.


Adding a new ISAKMP policy will not break anything.


HTH


Laurent.

busterswt Fri, 01/22/2010 - 22:41
User Badges:
  • Bronze, 100 points or more

Just to add to this... the number *does* matter if you'd like to prefer one policy over another. Since it processes the policies sequentially and the first match is chosen, you might consider putting the strong methods first (like aes-256, aes) and something like MD5 last. The reason you see gaps in the numbers is likely so that someone can insert a new policy in the middle without having to re-number everything.


James
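Laurent's phase 1 walk-through and James's point about ordering, as an added Python model (example code, not from the thread or from Cisco): the initiator offers its policies lowest number first, the responder checks each offer against its own policies lowest number first, and the first match wins. All router names, policy numbers and parameters below are constructed.

```python
# Added example: a small model of ISAKMP (IKE phase 1) policy selection.
# It is not Cisco code; it only illustrates why the policy number is a
# priority and why inserting a new number (e.g. 15 between 10 and 20)
# leaves existing matches untouched.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    encryption: str       # e.g. "aes-256", "aes", "3des"
    hash: str             # "sha" or "md5"
    authentication: str   # "pre-share" or "rsa-sig"
    group: int            # Diffie-Hellman group
    lifetime: int         # seconds; assumed not to be a match criterion


def negotiate(initiator: Dict[int, IsakmpPolicy],
              responder: Dict[int, IsakmpPolicy]) -> Optional[Tuple[int, int]]:
    """Return (initiator_policy_no, responder_policy_no) of the first match.

    Policies are walked in ascending number order on both sides, so the
    initiator's lowest-numbered policy that the responder accepts wins.
    Lifetime is assumed to be settled separately (shorter value used).
    """
    for i_no in sorted(initiator):
        offer = initiator[i_no]
        for r_no in sorted(responder):
            cand = responder[r_no]
            if (offer.encryption, offer.hash, offer.authentication, offer.group) == \
               (cand.encryption, cand.hash, cand.authentication, cand.group):
                return i_no, r_no
    return None  # no common policy: phase 1 fails


# Constructed hub configuration: strongest policy gets the lowest number.
HQ = {
    10: IsakmpPolicy("aes-256", "sha", "pre-share", 2, 86400),
    20: IsakmpPolicy("aes", "sha", "pre-share", 2, 86400),
    30: IsakmpPolicy("3des", "md5", "pre-share", 1, 86400),
}
# Branch A only speaks the weak policy; Branch B lists aes before aes-256.
BRANCH_A = {10: IsakmpPolicy("3des", "md5", "pre-share", 1, 86400)}
BRANCH_B = {10: IsakmpPolicy("aes", "sha", "pre-share", 2, 86400),
            20: IsakmpPolicy("aes-256", "sha", "pre-share", 2, 86400)}
# Inserting a new policy 15 on the hub does not change either outcome.
HQ_WITH_15 = {**HQ, 15: IsakmpPolicy("aes", "sha", "rsa-sig", 5, 86400)}
```

With HQ as initiator, Branch A ends up on HQ policy 30 and Branch B on HQ policy 10 (matched against its own policy 20), because the initiator's order decides which acceptable offer is seen first.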
