Cisco Support Community

New Member

Can an ISAKMP profile be associated with an ISAKMP policy

Hi All

When using ISAKMP profiles with VRF-aware IPsec, is it possible to associate an ISAKMP profile to an ISAKMP policy?

If, for example, two connections use the same ISAKMP encryption, hash and DF parameters, but ideally should use different lifetimes, is there a way of linking the different ISAKMP profiles with different ISAKMP policies such that during negotiation with the remote peers the lifetime does not negotiate 'down' to the value of the policy which has the highest priority?

Another example may be a connection between two devices which both serve a number of different connections:

device A : ISAKMP connection 1 hash sha (priority 1)
           ISAKMP connection 2 hash md5 (priority 2)

device B : ISAKMP connection 1 hash sha (priority 1)
           ISAKMP connection 2 hash md5 (priority 2)

Would there be any way to configure a particular connection between devices A and B to use hash md5, or would they always agree on hash sha, because they have this parameter in common (bearing in mind that device A may be using the sha parameter for device C and device B may be using the SHA parameter for device D)?

Thanks in Advance :)

1 REPLY
Silver

Re: Can an ISAKMP profile be associated with an ISAKMP policy

crypto isakmp policy

Use this command to specify the parameters to be used during an IKE negotiation. (These parameters are used to create the IKE security association [SA].)

This command invokes the Internet Security Association Key Management Protocol policy configuration (config-isakmp) command mode. While in the ISAKMP policy configuration command mode, the following commands are available to specify the parameters in the policy:

encryption (IKE policy); default = 56-bit DES-CBC

hash (IKE policy); default = SHA-1

crypto ipsec security-association lifetime; default = RSA signatures

group (IKE policy); default = 768-bit Diffie-Hellman

lifetime (IKE policy); default = 86,400 seconds (one day)
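
An added example (not part of the original thread or of Cisco's documentation): a small Python model of how a responder picks an IKE policy, applied to the device A / device B scenario in the question. It assumes the responder tries its own policies in priority order and accepts an offer only when encryption, hash, authentication and DH group are equal and the offered lifetime is no longer than its own; the policy values, class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    priority: int    # policy number; lower value is tried first
    encryption: str
    hash_alg: str
    auth: str
    group: int       # Diffie-Hellman group
    lifetime: int    # seconds

    def params(self):
        return (self.encryption, self.hash_alg, self.auth, self.group)

def negotiate(offered: List[Policy], local: List[Policy]) -> Optional[dict]:
    """Responder side. Assumed rule: walk local policies in priority order and
    accept the first whose encryption/hash/auth/group equal an offered policy
    with offered lifetime <= local lifetime; the offered lifetime is then used."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in sorted(offered, key=lambda p: p.priority):
            if theirs.params() == mine.params() and theirs.lifetime <= mine.lifetime:
                return {"local_policy": mine.priority, "hash": mine.hash_alg,
                        "lifetime": theirs.lifetime}
    return None

def weak_parameters(p: Policy) -> List[str]:
    """Flag the legacy values that appear on this page (DES, MD5, 768-bit DH group 1)."""
    flags = []
    if p.encryption == "des":
        flags.append("encryption des")
    if p.hash_alg == "md5":
        flags.append("hash md5")
    if p.group == 1:
        flags.append("group 1")
    return flags

# Constructed sample policies for devices A and B from the question.
DEVICE_A = [Policy(1, "aes", "sha", "pre-share", 2, 86400),
            Policy(2, "aes", "md5", "pre-share", 2, 3600)]
DEVICE_B = list(DEVICE_A)

if __name__ == "__main__":
    print(negotiate(DEVICE_A, DEVICE_B))        # both sides share policy 1
    print(negotiate(DEVICE_A[1:], DEVICE_B))    # initiator offers only the md5 policy
    for pol in DEVICE_B:
        print(pol.priority, weak_parameters(pol))
```

In this model, two peers that share the same ordered policy list always settle on the highest-priority common policy, so the md5 policy and its shorter lifetime are selected only when the sha policy is not offered.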
