Cisco Support Community

New Member

Phase 1 - not negotiating properly?

I have a couple of VPN endpoints negotiating 28800 lifetime, and some 86400 (default). One site, however, is configured with only one policy (86400) but negotiating at 28800. Shouldn't it pick up policy 2 instead? I know that between Cisco devices, the lower lifetime is used, but why are some picking up 86400 and some not?

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2

7 REPLIES

Re: Phase 1 - not negotiating properly?

Hi,

If you have both sites with the default phase 1 lifetime, that's what they will negotiate.

If both sites have 28800, that's what they will negotiate.

You're correct in that the lowest lifetime will be negotiated.

This applies to the sequence of the isakmp policies.

For instance,

Any router negotiating with this particular router will negotiate a phase 1 lifetime of 28800 unless it has the 86400 value configured, in which case it will match policy 2.

Federico.

New Member

Re: Phase 1 - not negotiating properly?

That's the thing though, one site has only 1 policy with 86400 and is picking up the 28800.

Re: Phase 1 - not negotiating properly?

But on that site with a single policy, do you see the policy like this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 86400

Or like this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

The difference is if the lifetime is hardcoded.

If this site has the first policy it should negotiate policy 2, but if it has the second policy it will go for policy 1.

Federico.

New Member

Re: Phase 1 - not negotiating properly?

I tried to hardcode it on my end just to see, but it still shows up the same because it's default.

The remote site looks like this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Re: Phase 1 - not negotiating properly?

I think I was confused.

I believe that if a policy matches the encryption, hash, authentication and D-H group, it will then negotiate the lowest lifetime.

I think now that what you're seeing is normal behavior.

Federico.

New Member

Re: Phase 1 - not negotiating properly?

That's the way I understood it, but I'm just confused why some pick up 86400 ?

Re: Phase 1 - not negotiating properly?

Do the other devices that pick up the default 86400 match all the values of the first policy (encryption, hash, authentication and D-H)?

Federico.
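The matching rule Federico describes (first policy whose encryption, hash, authentication and D-H group equal the peer's proposal, then the shorter of the two lifetimes) and the question in the last reply can be checked with a small simulation. The script below is an added example, not code from the thread or from Cisco; the configurations are constructed to mirror the posts, the IOS defaults for omitted lines (des, sha, rsa-sig, group 1, 86400 seconds) are stated as assumptions in the code, and the model deliberately ignores any other effect the lifetime may have on matching, since the thread only describes the "lowest lifetime wins" behaviour.

```python
from dataclasses import dataclass

DEFAULT_LIFETIME = 86400  # IOS default phase 1 lifetime, in seconds (assumption)


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry. Omitted lines fall back
    to the IOS defaults assumed here: des / sha / rsa-sig / group 1 / 86400."""
    priority: int
    encr: str = "des"
    hash_alg: str = "sha"
    auth: str = "rsa-sig"
    group: int = 1
    lifetime: int = DEFAULT_LIFETIME

    def attrs(self):
        # The four attributes that must be equal for two policies to match.
        return (self.encr, self.hash_alg, self.auth, self.group)


def negotiate(responder, initiator):
    """Return (responder policy priority, negotiated lifetime), or None.

    The responder walks its own policies from the lowest priority number
    (highest priority) and accepts the first whose four attributes equal one
    of the initiator's proposals; the shorter lifetime of the pair is used.
    Simplifying assumption taken from the thread: the lifetime itself never
    prevents a match, it is only compared once the four attributes agree."""
    for rp in sorted(responder, key=lambda p: p.priority):
        for ip in sorted(initiator, key=lambda p: p.priority):
            if rp.attrs() == ip.attrs():
                return rp.priority, min(rp.lifetime, ip.lifetime)
    return None


def shadowed_policies(policies):
    """Priorities of policies that can never be the first match because an
    earlier policy already carries the same four attributes. Their lifetime
    can therefore never be the one that gets negotiated."""
    seen = set()
    shadowed = []
    for p in sorted(policies, key=lambda p: p.priority):
        if p.attrs() in seen:
            shadowed.append(p.priority)
        seen.add(p.attrs())
    return shadowed


# Constructed configurations mirroring the thread.
# Local site: policy 1 hardcoded to 28800, policy 2 left at the default.
HUB = [
    IsakmpPolicy(1, encr="3des", auth="pre-share", group=2, lifetime=28800),
    IsakmpPolicy(2, encr="3des", auth="pre-share", group=2),
]
# Remote site with a single policy and no 'lifetime' line (default 86400).
SPOKE_DEFAULT = [IsakmpPolicy(1, encr="3des", auth="pre-share", group=2)]
# Remote site that hardcodes 28800.
SPOKE_28800 = [IsakmpPolicy(1, encr="3des", auth="pre-share", group=2, lifetime=28800)]

# Hypothetical variant (not from the thread): policy 2 differs in hash, so a
# peer that does not match policy 1 can still land on policy 2 and get 86400.
HUB_VARIANT = [
    IsakmpPolicy(1, encr="3des", auth="pre-share", group=2, lifetime=28800),
    IsakmpPolicy(2, encr="3des", hash_alg="md5", auth="pre-share", group=2),
]
SPOKE_MD5 = [IsakmpPolicy(1, encr="3des", hash_alg="md5", auth="pre-share", group=2)]

if __name__ == "__main__":
    print("hub responding to default spoke :", negotiate(HUB, SPOKE_DEFAULT))
    print("default spoke responding to hub :", negotiate(SPOKE_DEFAULT, HUB))
    print("hub responding to 28800 spoke   :", negotiate(HUB, SPOKE_28800))
    print("policies shadowed in HUB        :", shadowed_policies(HUB))
    print("variant hub, md5 spoke          :", negotiate(HUB_VARIANT, SPOKE_MD5))
```

Under this model the single-policy remote site lands on policy 1 and 28800 whichever side initiates, which is what the original post observed. Because policy 1 and policy 2 in the posted config differ only in lifetime, policy 2 is shadowed: no peer can reach it, so the only way a peer ends up with 86400 in this model is by differing from policy 1 in one of the four matched attributes and matching a later policy that does carry the default, as the variant shows. That is the same check Federico's last reply asks for.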
