New Member

ISAKMP policy number order?

Hey there!

When I am making my ISAKMP policy, does it matter what the policy number is? If so, what is so significant about it? See the example below:

crypto isakmp enable outside
crypto isakmp identity address
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400

I see some at times that have 20, 30 after the policy... what does it mean?

4 REPLIES
Cisco Employee

Re: ISAKMP policy number order?

Hi,

This number allows you to create several ISAKMP policies in case you have several peers which don't have the same policy.

HTH

Laurent.

New Member

Re: ISAKMP policy number order?

I thought that meant the priority number? I am just confused because I don't want to mess up my current tunnels....

How do the cryptos reference ISAKMP? Also, can I use the same ISAKMP on different cryptos?

Cisco Employee

Re: ISAKMP policy number order?

Hi,

There is no link between the crypto used for IPSec and the ISAKMP policies. When a router initiates an IPSec tunnel, it will start with the ISAKMP phase.

During this first phase,

1- Both peers will exchange all their ISAKMP policies until they agree on a common one.

2- Once that is done, this policy will be applied to encrypt further exchanges and to do the authentication.

So the number means in which order the different policies will be submitted to the peer until a common one is found.

Adding a new ISAKMP policy will not break anything.

HTH

Laurent.

Bronze

Re: ISAKMP policy number order?

Just to add to this... the number *does* matter if you'd like to prefer one policy over another. Since it processes the policies sequentially and the first match is chosen, you might consider putting the strong methods first (like aes-256, aes) and something like MD5 last. The reason you see gaps in the numbers is likely so that someone can insert a new policy in the middle without having to re-number everything.

James
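As an added illustration of the ordering Laurent and James describe (this is not code from the thread or from Cisco), a small Python model that reads "crypto isakmp policy" lines and offers them lowest number first, stopping at the first policy the peer also has. The peer configurations are constructed, and the lifetime handling (shorter lifetime wins, 86400 assumed when none is set) is an assumption of the model.

```python
ATTRS = ("encryption", "hash", "authentication", "group")
DEFAULT_LIFETIME = 86400  # assumed when a policy sets none (the thread's own value)

def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Collect 'crypto isakmp policy N <attr> <value>' lines into {N: {attr: value}}."""
    policies: dict[int, dict[str, str]] = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["crypto", "isakmp", "policy"] or len(parts) < 5:
            continue  # 'enable'/'identity' lines are not part of a policy
        policies.setdefault(int(parts[3]), {})[parts[4]] = " ".join(parts[5:])
    return policies

def negotiate(initiator: dict, responder: dict):
    """Return (initiator_no, responder_no, agreed) for the first common policy, else None.
    Initiator policies are tried lowest number first, so the initiator's numbering
    decides which common suite is preferred. Shorter lifetime wins (model assumption)."""
    for i_num in sorted(initiator):
        for r_num in sorted(responder):
            ip, rp = initiator[i_num], responder[r_num]
            if all(ip.get(a) == rp.get(a) for a in ATTRS):
                agreed = {a: ip[a] for a in ATTRS}
                agreed["lifetime"] = min(int(ip.get("lifetime", DEFAULT_LIFETIME)),
                                         int(rp.get("lifetime", DEFAULT_LIFETIME)))
                return i_num, r_num, agreed
    return None  # nothing in common: phase 1 fails

# Constructed configs. Our side lists the strong suite at 10 and the legacy one at 30,
# leaving room at 20 for a future policy without renumbering.
OUR_CFG = """crypto isakmp enable outside
crypto isakmp policy 10 encryption aes 256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 group 2
crypto isakmp policy 30 encryption 3des
crypto isakmp policy 30 hash md5
crypto isakmp policy 30 authentication pre-share
crypto isakmp policy 30 group 2
crypto isakmp policy 30 lifetime 3600"""
LEGACY_PEER_CFG = """crypto isakmp policy 5 encryption 3des
crypto isakmp policy 5 hash md5
crypto isakmp policy 5 authentication pre-share
crypto isakmp policy 5 group 2"""
# A peer that supports both suites: our ordering makes it land on AES-256 (10 <-> 15).
MODERN_PEER_CFG = LEGACY_PEER_CFG + """
crypto isakmp policy 15 encryption aes 256
crypto isakmp policy 15 hash sha
crypto isakmp policy 15 authentication pre-share
crypto isakmp policy 15 group 2"""
```

Running `negotiate(parse_isakmp_policies(OUR_CFG), parse_isakmp_policies(cfg))` against the two peers shows the legacy peer only ever gets policy 30 (3DES/MD5), while the modern peer agrees on policy 10 even though its own 3DES policy carries the lower number.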
