Default isakmp crypto policy - IOS 15.2(3)T3

Ruterford
Level 1

Hello All,

Wondering if the policies shown in:

"show crypto isakmp default policy" command

are in force and can potentially be negotiated, even when I have an isakmp policy defined explicitly in the configuration, allowing only the needed security protocols.

IOS is 15.2(3)T3

Thanks!

Accepted Solution

Marcin Latosiewicz
Cisco Employee

I think this will be key to understanding:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_imgmt/configuration/15-mt/sec-ipsec-usability-enhance.html#GUID-ECDF5542-90E7-42D4-A690-BA7520AF4E90

If you have neither manually configured IKE policies with the crypto isakmp policy command nor disabled the default IKE policies with the no crypto isakmp default policy command, the default IKE policies will be used during peer IKE negotiations.

3 Replies

Following your link, I found another key to understanding:

User Configured IKE Policies

You may configure IKE policies with the crypto isakmp policy command. User configured IKE policies are uniquely identified and configured with a priority number ranging from 1-10000, where 1 is the highest priority and 10000 the lowest priority.

Once you have configured one or more IKE policies with a priority of 1-10000:

  • The user configured policies will be used during peer IKE negotiations.
  • The default IKE policies will no longer be used during peer IKE negotiations.
  • The user configured policies may be displayed by issuing the show crypto isakmp policy command.
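The quoted documentation describes two independent controls: configuring any user policy in the 1-10000 range stops the default set from being offered, and "no crypto isakmp default policy" disables the default set outright. The configuration below is an added example written for this thread, not something posted by either participant or taken from Cisco documentation; the policy number, algorithms, peer address and key are illustrative assumptions, and the algorithm choices assume a 15.2 image that accepts them. It shows both controls together, so the router only ever offers the explicitly configured proposal, even if the user policy is later removed by mistake.

```cisco
! Added example (not from the thread). Policy number, algorithms,
! peer address and key are illustrative assumptions.
!
! 1) Explicit IKEv1 (ISAKMP) policy in the user range 1-10000.
!    As soon as one of these exists, IOS stops offering the
!    built-in default policies during IKE negotiation.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! 2) Belt-and-braces: disable the default policy set explicitly,
!    so it cannot be offered even if policy 10 is removed later.
no crypto isakmp default policy
!
! Pre-shared key for the peer (placeholder values, replace both).
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER address 198.51.100.2
!
! Verification from exec mode (expected behaviour, per the quoted doc):
!   show crypto isakmp policy          -> lists only policy 10
!   show crypto isakmp default policy  -> should no longer present the default set
!   show crypto isakmp sa              -> confirms which proposal was actually agreed
```

Checking "show crypto isakmp sa" after a tunnel comes up is the practical confirmation: the negotiated encryption, hash, DH group and authentication method should match policy 10, not one of the default entries.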

If you re-read the sentence I quoted, it claims the same.

Anyway, you should just go with IKEv2 and smart defaults ;-)
