ISAKMP policy number order?

cisco_himg
Level 1

Hey there!

When I am making my ISAKMP, does the policy number matter what it is? If so, what is so significant about it? See example below

crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

I see some at times that have 20, 30 after the policy... what does it mean?

5 Replies

Laurent Aubert
Cisco Employee

Hi,

This number allows you to create several ISAKMP policies in case you have several peers which don't have the same policy.

HTH

Laurent.

I thought that meant priority number? I am just confused because I don't want to mess up my current tunnels....

How do the cryptos reference ISAKMP? Also, can I use the same ISAKMP on different cryptos?

Hi,

There is no link between your crypto used for IPSec and ISAKMP policies. When a router initiates an IPSec tunnel, it will start with the ISAKMP phase.

During this first phase,

1- Both peers will exchange all their ISAKMP policies until they agree on a common one.

2- Once it's done, this policy will be applied to encrypt further exchanges and to do the authentication.

So the number means in which order the different policies will be submitted to the peer until a common one is found.

Adding a new ISAKMP policy will not break anything.

HTH

Laurent.

Just to add to this... the number *does* matter if you'd like to prefer one policy over another. Since it processes the policies sequentially and the first match is chosen, you might consider putting the strong methods first (like aes-256, aes) and something like MD5 last. The reason you see gaps in numbering is likely so that someone can insert a new policy in the middle without having to re-number everything.

James
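As an added illustration of the ordering James describes (example code written for this page, not from the thread or from Cisco): a simplified Python model of phase 1 policy selection. It assumes the responder walks its own policies in priority order and accepts the first one the initiator also offered, with the lifetime negotiated down to the shorter value; both peer configurations are constructed, with the thread's own policy 10 (aes/sha/pre-share/group 2) used as the weaker entry.

```python
"""Simplified model of IKEv1/ISAKMP phase 1 policy selection (constructed example).

Assumptions: the initiator offers its policies lowest-number-first; the responder
walks its own list lowest-number-first and takes the first entry the initiator
also offered. Encryption, hash, authentication and DH group must match exactly;
the lifetime becomes the shorter of the two sides' values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash_alg: str
    authentication: str
    group: int
    lifetime: int = 86400

    def matches(self, other: "IsakmpPolicy") -> bool:
        mine = (self.encryption, self.hash_alg, self.authentication, self.group)
        theirs = (other.encryption, other.hash_alg, other.authentication, other.group)
        return mine == theirs


def negotiate(initiator, responder):
    """Return (responder_policy, initiator_policy, lifetime), or None if no match."""
    proposals = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in proposals:
            if local.matches(remote):
                return local, remote, min(local.lifetime, remote.lifetime)
    return None


def chosen_encryption(initiator, responder):
    result = negotiate(initiator, responder)
    return result[0].encryption if result else None


# Constructed peers. STRONG is a hypothetical stronger policy; WEAK is the thread's policy 10.
STRONG = dict(encryption="aes-256", hash_alg="sha256", authentication="pre-share", group=14)
WEAK = dict(encryption="aes", hash_alg="sha", authentication="pre-share", group=2)

ROUTER_A = [IsakmpPolicy(10, **STRONG), IsakmpPolicy(20, **WEAK)]
ROUTER_B_GOOD = [IsakmpPolicy(10, **STRONG, lifetime=28800), IsakmpPolicy(20, **WEAK)]
ROUTER_B_BAD = [IsakmpPolicy(10, **WEAK), IsakmpPolicy(20, **STRONG)]  # weak listed first

if __name__ == "__main__":
    print(negotiate(ROUTER_A, ROUTER_B_GOOD))  # aes-256 chosen, lifetime 28800
    print(negotiate(ROUTER_A, ROUTER_B_BAD))   # aes/sha/group 2 wins only because B lists it first
```

Both peers support the stronger policy in every case; the weaker one is selected only when the responder numbers it ahead of the strong one, which is the ordering effect the reply warns about.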

Perry Gisclair
Level 1

I know this is old, but word to the wise: in your isakmp policy do not use 1, 2, 3, 4, 5 . . . . Use 10, 20, 30, 40, 50 . . . That allows you the flexibility to insert additional combinations of encryption, hash, etc., etc. anywhere in the list order.
