Default isakmp crypto policy - IOS 15.2(3)T3

Hello All,

Wondering if the policies shown in:

"show crypto isakmp default policy" command

are in force and can potentially be negotiated, even when I have an isakmp policy defined in the configuration explicitly, allowing only the needed security protocols.

IOS is 15.2(3)T3

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Default isakmp crypto policy - IOS 15.2(3)T3

I think this will be key to understanding:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_imgmt/configuration/15-mt/sec-ipsec-usability-enhance.html#GUID-ECDF5542-90E7-42D4-A690-BA7520AF4E90

If you have neither manually configured IKE policies with the crypto isakmp policy command nor disabled the default IKE policies with the no crypto isakmp default policy command, the default IKE policies will be used during peer IKE negotiations.
3 REPLIES
Community Member

Default isakmp crypto policy - IOS 15.2(3)T3

Following your link, I found another key to understanding:

User Configured IKE Policies

You may configure IKE policies with the crypto isakmp policy command. User configured IKE policies are uniquely identified and configured with a priority number ranging from 1-10000, where 1 is the highest priority and 10000 the lowest priority.

Once you have configured one or more IKE policies with a priority of 1-10000:

  • The user configured policies will be used during peer IKE negotiations.
  • The default IKE policies will no longer be used during peer IKE negotiations.
  • The user configured policies may be displayed by issuing the show crypto isakmp policy command.
Cisco Employee

Default isakmp crypto policy - IOS 15.2(3)T3

If you re-read the sentence I quoted, it will claim the same.

Anyway, you should just go with IKEv2 and smart defaults ;-)
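Putting the two quoted documentation passages together, here is an added IOS configuration example (not from this thread or from Cisco's documentation) that both supplies an explicit IKEv1 policy and disables the built-in defaults, followed by the commands used to verify the result. The algorithm keywords (aes 256, sha256, group 14) are assumed to be available on 15.2(3)T3; adjust them to what the release and the peers support.

```cisco
! Explicit policy at priority 10. Per the linked document, the presence of
! any user-configured policy means the default policies are no longer
! offered during peer negotiation, so only this proposal is on the table.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Disable the default policies outright as well. Without this line, deleting
! the last user-configured policy would silently put the defaults back into
! use; with it, the defaults stay off regardless of later edits.
no crypto isakmp default policy
!
! Verification (exec mode):
!   show crypto isakmp policy          -> should list only policy 10 (plus any
!                                         other policies you configured)
!   show crypto isakmp default policy  -> should report the default set as
!                                         disabled rather than list proposals
```

The combination is what a configuration audit should look for: at least one explicit policy and the explicit "no crypto isakmp default policy" line, so the negotiated proposals can be read from the configuration alone.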
