
IKE policies negotiation algorithm

Hi!

Suppose we have two IKE policies on RouterA and RouterB:

crypto isakmp policy 1

...

crypto isakmp policy 2

...

Policy 1 on RouterA is the same as Policy 2 on RouterB and vice versa.

What will be negotiated?

Also, does the policy "priority" matter? Suppose RouterB's Policy100 is identical to RouterA's Policy2 and RouterB's Policy200 is identical to RouterA's Policy1. What will be negotiated?

Oleg Tipisov,

REDCENTER,

Moscow


Re: IKE policies negotiation algorithm

Oleg,

The prio number will determine in which order the policies will be checked.

If one matching policy is found, then SA will be established.

Suppose RouterA contacts B to set up a VPN; it then sends all its policies to B. B will look through its policies (from lowest to highest number) and check whether it finds a match.

Because policy 2 of B matches policy 1 of router A, this combination will be taken further.

So, the router triggering the setup of VPN tunnel will determine which combination will be taken.

Kind Regards,

Kurt


Re: IKE policies negotiation algorithm

Kurt,

after your "answer" I had to check it myself and found out that you're wrong with your conclusions. Debug shows:

1. Initiator of the tunnel sends ISAKMP policies to the peer

2. Responder checks received policy 1 against local priority 1 policy (doesn't match)

3. Responder checks received policy 2 against local priority 1 policy (matches)

4. Initiator of the tunnel receives ISAKMP policies from the peer

5. Initiator checks received policy 1 against local priority 1 policy (doesn't match)

6. Initiator checks received policy 1 against local priority 2 policy (matches)

So, the policy 1 of B (responder) is negotiated.

Next time, please, do not answer if you don't know the exact answer.

Thank you,

Oleg Tipisov,

REDCENTER,

Moscow
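The matching order Oleg's debug shows (responder walks its own policies from lowest priority number upward, and for each one checks every received proposal in turn) can be modelled to see which policy wins. This is an added illustration, not code from the thread or from Cisco: the policy attributes, the lifetime rule (remote lifetime must not exceed the local one) and the router names are assumptions, and the policy contents are constructed so that a weaker policy sits at priority 1 on the responder.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # "crypto isakmp policy <priority>"; lower number is checked first
    encryption: str
    hash_alg: str
    auth: str
    group: int
    lifetime: int = 86400  # seconds


def attributes_match(local: IkePolicy, remote: IkePolicy) -> bool:
    # Assumption: a match needs identical encryption, hash, authentication and
    # DH group, and the remote lifetime must not be longer than the local one.
    same = (local.encryption, local.hash_alg, local.auth, local.group) == \
           (remote.encryption, remote.hash_alg, remote.auth, remote.group)
    return same and remote.lifetime <= local.lifetime


def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy]
              ) -> Optional[Tuple[IkePolicy, IkePolicy]]:
    """Return (responder_policy, initiator_policy) that is agreed, or None.

    Outer loop: responder's own policies in priority order (the order the debug
    in the thread shows). Inner loop: proposals as the initiator sent them.
    """
    proposals = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in proposals:
            if attributes_match(local, remote):
                return local, remote
    return None


# Constructed sample policies: the same two policy bodies, swapped priorities.
STRONG = dict(encryption="aes", hash_alg="sha", auth="pre-share", group=14)
WEAK = dict(encryption="3des", hash_alg="md5", auth="pre-share", group=2)
ROUTER_A = [IkePolicy(1, **STRONG), IkePolicy(2, **WEAK)]
ROUTER_B = [IkePolicy(1, **WEAK), IkePolicy(2, **STRONG)]
# Second scenario from the question: RouterB's 100 == A's 2, RouterB's 200 == A's 1.
ROUTER_B_RENUMBERED = [IkePolicy(100, **WEAK), IkePolicy(200, **STRONG)]

if __name__ == "__main__":
    chosen = negotiate(ROUTER_A, ROUTER_B)
    print("A -> B picks responder policy", chosen[0].priority, chosen[0].encryption)
    chosen = negotiate(ROUTER_B, ROUTER_A)
    print("B -> A picks responder policy", chosen[0].priority, chosen[0].encryption)
```

Under this model the responder's lowest-numbered policy that any proposal matches is selected, so whichever router responds, its priority-1 policy decides; a weak policy at a low priority number on the responder will be chosen even when the initiator lists a stronger one first.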
