New Member

VPN L2L - Explicit Phase 1 SA settings


I was wondering, is it possible to explicitly set the IKE SA policy through the tunnel group settings? My understanding is the first isakmp policy that matches on both ends is the selected one.

I want to make sure the SA settings I gave to the other company are the ones we told them, without impacting any other existing VPN tunnels.

To be more explicit, I want to make sure encryption aes, hash sha, DH group 2 are the settings that will be used and nothing else. All this without removing existing isakmp policies (if possible).


New Member

Re: VPN L2L - Explicit Phase 1 SA settings


If I understand your request correctly, I think you just need to configure an IKE policy and give it a higher priority (lower number) than the existing policies; that way you will be sure that this policy will be used first. By the way, the IKE policy will match only an identical IKE policy at your side, so regardless of the priority of this policy, it will be matched.

Example of an IKE policy for this:

isakmp policy 1 encryption aes

isakmp policy 1 auth pre-share

isakmp policy 1 hash sha

isakmp policy 1 group 2

Hope it's helpful.

With regards

New Member

Re: VPN L2L - Explicit Phase 1 SA settings


Actually that is almost what I want to do.

I was wondering if there is a way to assign an isakmp policy to a tunnel group or a crypto map, but more likely to a tunnel group. Because if I modify the priority of the isakmp policy, then I will influence all the VPNs going through phase 1 that will potentially match first the policy with a higher priority. So then I could end up with phase 1 settings changed for existing VPNs.
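The priority question raised in the posts above can be checked offline with a small model. This is an added example, not part of any post in the thread and not Cisco code. It assumes the device walks its own policies in priority order and accepts the first one whose encryption, hash, authentication and DH group are identical to a proposal the peer offers (lifetime is ignored); the policies numbered 10 and 20 and the three peers are constructed.

```python
from typing import Dict, List, NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str
    hash: str
    auth: str
    dh_group: int

# Settings agreed with the other company (from the thread).
AGREED = Proposal("aes", "sha", "pre-share", 2)

# Constructed stand-ins for the policies already on the device.
EXISTING: Dict[int, Proposal] = {
    10: Proposal("3des", "sha", "pre-share", 2),
    20: Proposal("aes-256", "sha", "pre-share", 5),
}

# Constructed peers: the proposals each one offers in phase 1.
NEW_PARTNER = [AGREED]                 # offers only the agreed set
STRICT_PEER = [EXISTING[10]]           # existing tunnel, single proposal
BROAD_PEER = [EXISTING[10], AGREED]    # existing tunnel, also offers aes/sha/2

def select_policy(local: Dict[int, Proposal], offered: List[Proposal]) -> Optional[int]:
    """Priority number of the first local policy identical to an offered proposal."""
    for priority in sorted(local):     # lower number is compared first
        if local[priority] in offered:
            return priority
    return None                        # no identical policy: phase 1 fails

def compare(new_priority: int) -> Dict[str, tuple]:
    """(policy before, policy after) per peer when AGREED is added at new_priority."""
    updated = {**EXISTING, new_priority: AGREED}
    peers = {"new partner": NEW_PARTNER, "strict peer": STRICT_PEER,
             "broad peer": BROAD_PEER}
    return {name: (select_policy(EXISTING, offer), select_policy(updated, offer))
            for name, offer in peers.items()}

if __name__ == "__main__":
    for prio in (1, 30):
        print(f"agreed policy added at priority {prio}:")
        for name, (before, after) in compare(prio).items():
            print(f"  {name:12} before={before} after={after}")
```

In this model the partner that offers only aes/sha/group 2 lands on the agreed policy at either priority. An existing peer changes policy only if it also offers that set and the new policy is numbered ahead of its current match.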