Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Default ISAKMP Policy

I have a PIX firewall with various VPNs.

One of these VPNs is configured without an ISAKMP policy, as such I assume it is using the Global Default Policy.

DES

Secure Hash Standard

Rivest-Shamir-Adleman Signature

Diffie-Hellman group:#1 (768 bit)

86400 seconds

But the VPN also has a transform set of esp-aes-256 esp-sha-hmac and i'm not sure how this affects the overall configuration?

In trying to configure a site to site VPN what settings would I need to give to the other end?

Also how does the transform set relate to the ISAKMP policy, what is the distinction between the two?

Basically this VPN drops regularly and I am trying to rule out config error and confirm what settings I have and/or should have.

Help.

Mike

2 REPLIES
Silver

Re: Default ISAKMP Policy

The ISAKMP policy you have listed is Phase 1. The transform set is used for Phase 2 negotiations, so they are completely unrelated. Phase 1 builds a tunnel to encrypt the Phase 2 negotiation. To configure, a site-to-site VPN. You will need to give them all of your Phase 1 (encryption, hash, dh group, timeout, key, etc) vaules and all of the Phase 2 values. If any of the values does not match, then you will not build a connection, so you must be sure that both ends are negotiating the same.

Community Member

Re: Default ISAKMP Policy

Thanks for the reply.

The setup is a lot clearer now.

The connection actually works 90% of the time, but drops out quite often.

Show isamkp sa will list the VPN as MM_NO_STATE?

Could you offer an insight as to what the cause may be of this? A configuration error is unlikely I presume?

Thanks.

288
Views
0
Helpful
2
Replies
CreatePlease to create content