How to use different Policies in VPN setup

Answered Question
Jul 19th, 2010

Hello,

I'm trying to set up two different policies in a Cisco 1760 VPN router, say Policy 10 and 20 as below:

------------------------

crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2

-----------------

What I want to know is, how can I use different policies for different peers, since some customers want 3DES/MD5 and some 3DES/SHA with group 2, etc.?

For example, for customer A, I need to use Policy 10, and for customer B, I need to use Policy 20.

Let me know how I can bind the policy according to my needs, as currently everything defaults to one single policy. I have this option in Nortel and other firewall boxes, and I'm not sure how I can do this.

Jitendriya Athavale Mon, 07/19/2010 - 05:45

You can just configure all the policies and it will present all proposals to the other end, and depending on whichever policy matches, the policy is selected.

TRACKME_2 Mon, 07/19/2010 - 22:09

Thanks for the reply. Do you mean to say that the router will check what response it gets from the remote peer and bind accordingly?

If that is the case, how will this scenario work for me?

In router A, I have policy 10 and policy 20, and similarly in the remote-end router called B, I have the same policy settings, 10 and 20.

What should I do so that routers A and B peer with policy 20 instead of 10?

As per your reply, the router will send both policy 10 and 20 for peering and both policies will match, but I don't want policy 10 to be used, so how can we force it so that the VPN comes up with policy 20 only and not with 10?

We have this option in Nortel and Juniper, where we can specify the encryption settings for each specific VPN as we need.

Please advise.

Correct Answer
Jitendriya Athavale Tue, 07/20/2010 - 04:35

We do not have any such binding as far as ISAKMP policies are concerned.

Probably you can just play with the order of the ISAKMP policies and who initiates first; these are the only two ways of achieving this as I see it:

First, play with the order of ISAKMP policies.

Second, it also depends on who is initiating it.
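
The two answers above (proposals are all sent, the first match wins, and both the policy order and who initiates matter) can be checked with a small model of the IOS selection rule. The Python below is an added illustration, not code from this thread or from Cisco. It encodes the documented IOS behaviour: unset fields take the defaults `des` / `sha` / `rsa-sig` / group 1 / 86400 s, the initiator offers all its policies, and the responder walks its own policies highest priority first (lowest number) and accepts the first offer whose encryption, hash, authentication and DH group are identical and whose lifetime is at least its own. Router A's policies are the ones posted in the question; the renumbered and the single-policy configs for router B are constructed for the example. Built-in default policies and the phase 2 crypto map / transform-set selection are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy N' block; unset fields take the IOS defaults."""
    priority: int
    encr: str = "des"        # IOS default encryption
    hash: str = "sha"        # IOS default hash
    auth: str = "rsa-sig"    # IOS default authentication
    group: int = 1           # IOS default Diffie-Hellman group
    lifetime: int = 86400    # IOS default SA lifetime (seconds)


def parse_isakmp_config(text):
    """Parse the 'crypto isakmp policy' blocks of IOS config text.
    Returns policies sorted by priority (lowest number = tried first)."""
    policies, current = [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            if current is not None:
                policies.append(IsakmpPolicy(**current))
            current = {"priority": int(parts[3])}
        elif current is not None and len(parts) >= 2:
            key, value = parts[0], parts[1]
            if key in ("encr", "encryption"):
                current["encr"] = value
            elif key == "hash":
                current["hash"] = value
            elif key == "authentication":
                current["auth"] = value
            elif key == "group":
                current["group"] = int(value)
            elif key == "lifetime":
                current["lifetime"] = int(value)
    if current is not None:
        policies.append(IsakmpPolicy(**current))
    return sorted(policies, key=lambda p: p.priority)


def matches(responder, proposal):
    """IOS match rule: encr, hash, auth and DH group identical, and the
    responder's lifetime not longer than the proposed one (shorter is used)."""
    return (responder.encr == proposal.encr
            and responder.hash == proposal.hash
            and responder.auth == proposal.auth
            and responder.group == proposal.group
            and responder.lifetime <= proposal.lifetime)


def negotiate(initiator, responder):
    """Initiator offers every policy; responder walks its own list highest
    priority first and takes the first matching offer.
    Returns (initiator_priority, responder_priority) or None."""
    for own in responder:
        for offer in initiator:
            if matches(own, offer):
                return offer.priority, own.priority
    return None


# Router A: the two policies exactly as posted in the question.
ROUTER_A = """
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
"""

# Constructed: router B with the 3DES/SHA/group 2 policy renumbered to 5.
ROUTER_B_RENUMBERED = """
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
"""

# Constructed: router B that only carries the 3DES/SHA/group 2 policy.
ROUTER_B_ONLY_3DES = """
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
"""


def demo():
    """Run the three scenarios from the thread and return the agreed policies."""
    a = parse_isakmp_config(ROUTER_A)
    b_same = parse_isakmp_config(ROUTER_A)
    b_renum = parse_isakmp_config(ROUTER_B_RENUMBERED)
    b_only = parse_isakmp_config(ROUTER_B_ONLY_3DES)
    results = {
        "same config, A initiates": negotiate(a, b_same),      # (10, 10)
        "B renumbered, A initiates": negotiate(a, b_renum),    # (20, 5)
        "B renumbered, B initiates": negotiate(b_renum, a),    # (10, 10)
        "B only 3DES, A initiates": negotiate(a, b_only),      # (20, 20)
        "B only 3DES, B initiates": negotiate(b_only, a),      # (20, 20)
    }
    for name, agreed in results.items():
        print(f"{name}: {agreed}")
    return results


if __name__ == "__main__":
    demo()
```

Two things the model makes visible. First, with the defaults applied, the posted policy 10 is DES/MD5/group 1, not 3DES/MD5; it needs `encr 3des` to offer 3DES at all. Second, renumbering on one side only fixes the direction in which that side responds, so the reliable way to pin a peer to the stronger policy is to leave it with nothing else that can match.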

TRACKME_2 Wed, 07/21/2010 - 02:12

Thanks, and I think this is the only way we can use to force the encryption settings. Thanks again for your kind help.
