Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Disable ISAKMP Default Policy?

Is there any way to disable or change the ISAKMP default policy?  I have created policy number 20 which is used in a site-to-site VPN but during a PCI quarterly scan the results come back failed to due to successful phase 1 authentication with DES/DH768 encryption.  I have reproduced those results using ike-scan with explicit DES/DH768 settings.

This is a 2600 Router, and I just upgraded the IOS to 12.4(23) because I came across Cisco documentation (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html) that says 12.4(20) introduced the 'no crypto isakmp default policy' - but I don't see that command available to me still.  Below are results of sh crypto isakmp policy:

Protection suite of priority 20

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite

        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).

        hash algorithm:         Secure Hash Standard

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #1 (768 bit)

        lifetime:               86400 seconds, no volume limit

Any help would be greatly appreciated!

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: Disable ISAKMP Default Policy?

Hello Anthony,

I reviewed the link you provided.  It appears that this command was introduced in12.4(20)T...note the T.  This indicates it is only in the T-train or technology train and will only be seen in other 12.4T code or the newert 15.x train.

You say that your router is runnign 12.4(23) implicitly Mainline (M) code.

THe latest T code for 2600 appears to be a 12.4(15)T, so it does not appear that you can enable this feature so as to disable the default policies.  It also looks like the 2600 series has been retired as of March 27th 2010 no new code is being released.

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_eol_notices_list.html

Looks like you may be out of luck and may need to look into purchasing a newer model router to get the latest software support and the ability to disable the default isakmp suite.

Of course, it should be noted that while they may establish an ISKMP session, however, are they really going to be authenticated by the router in MM mesage 5 as most people use internal CAs for Certificates on VPNs.

I hope this helps.

Regards,

Craig

2 REPLIES
New Member

Re: Disable ISAKMP Default Policy?

Hello Anthony,

I reviewed the link you provided.  It appears that this command was introduced in12.4(20)T...note the T.  This indicates it is only in the T-train or technology train and will only be seen in other 12.4T code or the newert 15.x train.

You say that your router is runnign 12.4(23) implicitly Mainline (M) code.

THe latest T code for 2600 appears to be a 12.4(15)T, so it does not appear that you can enable this feature so as to disable the default policies.  It also looks like the 2600 series has been retired as of March 27th 2010 no new code is being released.

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_eol_notices_list.html

Looks like you may be out of luck and may need to look into purchasing a newer model router to get the latest software support and the ability to disable the default isakmp suite.

Of course, it should be noted that while they may establish an ISKMP session, however, are they really going to be authenticated by the router in MM mesage 5 as most people use internal CAs for Certificates on VPNs.

I hope this helps.

Regards,

Craig

New Member

Re: Disable ISAKMP Default Policy?

I figured as much, with this router being so old but was hoping that wasn't the case.  Thanks for your reply and answering my question!

3308
Views
0
Helpful
2
Replies