01-20-2010 05:32 PM
Hey there!
When I am making my ISAKMP, does it matter what the policy number is? If so, what is so significant about it? See example below
crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
I see some at times that have 20, 30 after the policy... what does it mean?
01-20-2010 06:20 PM
Hi,
This number allows you to create several ISAKMP policies in case you have several peers which don't have the same policy.
HTH
Laurent.
01-20-2010 07:16 PM
I thought that meant the priority number? I am just confused because I don't want to mess up my current tunnels...
How do the cryptos reference ISAKMP? Also, can I use the same ISAKMP on different cryptos?
01-21-2010 10:10 AM
Hi,
There is no link between your crypto used for IPSec and ISAKMP policies. When a router initiates an IPSec tunnel, it will start with the ISAKMP phase.
During this first phase,
1- Both peers will exchange all their ISAKMP policies until they agree on a common one.
2- Once it's done, this policy will be applied to encrypt further exchanges and to do the authentication.
So the number means in which order the different policies will be submitted to the peer until a common one is found.
Adding a new ISAKMP policy will not break anything.
HTH
Laurent.
01-22-2010 10:41 PM
Just to add to this... the number *does* matter if you'd like to prefer one policy over another. Since it processes the policies sequentially and the first match is chosen, you might consider putting the strong methods first (like aes-256, aes) and something like MD5 last. The reason you see gaps in number is likely so that someone can insert a new policy in the middle without having to re-number everything.
James
12-17-2020 01:19 PM
I know this is old but word to the wise, in your isakmp policy do not use 1, 2, 3, 4, 5... Use 10, 20, 30, 40, 50... That allows you the flexibility to insert additional combinations of encryption, hash, etc. anywhere in the list order.
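To make the ordering point concrete, here is a small model of the phase-1 policy negotiation described in the replies above (added example, not from the thread or from Cisco): it parses `crypto isakmp policy N ...` lines, has the initiator offer its policies in priority order, lets the responder take the first one it also has, and shows a policy 15 slotting between 10 and 20. The `policy` helper, both peers' configurations and the simplified matching (lifetime left out) are constructed assumptions for illustration.

```python
# Added example (not from the thread or from Cisco): a small model of the
# IKEv1 phase-1 negotiation Laurent and James describe. Policy lines and
# peers are constructed for illustration.
import re

LINE = re.compile(r"\s*crypto isakmp policy (\d+) (\w+) (.+?)\s*$")
MATCH_KEYS = ("encryption", "hash", "authentication", "group")

def parse_policies(config):
    """Turn 'crypto isakmp policy N <attr> <value>' lines into policy dicts
    ordered by priority number (lowest first, the order a device offers them)."""
    policies = {}
    for line in config.splitlines():
        m = LINE.match(line)
        if m:
            prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
            policies.setdefault(prio, {"priority": prio})[attr] = value
    return [policies[p] for p in sorted(policies)]

def negotiate(initiator, responder):
    """Initiator proposes its policies in priority order; the responder takes
    the first proposal equal to one of its own on encryption, hash,
    authentication and DH group (lifetime is left out of the match here).
    Returns (initiator prio, responder prio, encryption) or None."""
    for offer in initiator:
        for local in responder:
            if all(offer.get(k) == local.get(k) for k in MATCH_KEYS):
                return offer["priority"], local["priority"], offer["encryption"]
    return None

def policy(prio, enc, hsh, auth, group):
    """Constructed helper: the four config lines for one policy."""
    return (f"crypto isakmp policy {prio} encryption {enc}\n"
            f"crypto isakmp policy {prio} hash {hsh}\n"
            f"crypto isakmp policy {prio} authentication {auth}\n"
            f"crypto isakmp policy {prio} group {group}\n")

# Peer A prefers AES (10) over 3DES/MD5 (20); peer B lists them the other way round.
PEER_A = policy(10, "aes", "sha", "pre-share", 2) + policy(20, "3des", "md5", "pre-share", 2)
PEER_B = policy(10, "3des", "md5", "pre-share", 2) + policy(20, "aes", "sha", "pre-share", 2)

def demo():
    a, b = parse_policies(PEER_A), parse_policies(PEER_B)
    a_initiates = negotiate(a, b)   # (10, 20, 'aes'): A's first offer wins
    b_initiates = negotiate(b, a)   # (10, 20, '3des'): B's first offer wins
    # Numbering in tens leaves room: policy 15 lands between 10 and 20 unchanged.
    a2 = parse_policies(PEER_A + policy(15, "aes 256", "sha", "pre-share", 5))
    return a_initiates, b_initiates, [p["priority"] for p in a2]
```

Whichever side initiates, its lowest-numbered policy that the other side also holds is the one chosen, which is why the strong policies belong at the low numbers on both ends.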