VPN Crypto ISAKMP Policy Force-Selection

Dominic W
Level 1

Hello all,

 

I've been struggling with the following...

I have got a Cisco 2800 router which has multiple S2S VPN tunnels to various sites.

However, one VPN tunnel does not negotiate synchronous Phase 1 SA times.
On the other end (Check Point) a lifetime of 8 hours is set, while at my site an SA time of 24 hours is set.

I feel like there is some compatibility issue going on...

 

However, the only thing I want to know is whether it is possible to force an ISAKMP policy number to a specified VPN peer.

It seems to be impossible; however, I find it hard to believe that it actually is.

Does someone know how to do it?

 

PS: I don't want to change the desired ISAKMP policy to a higher priority, since it will have negative impact on the rest of VPN tunnels.

 

Thanks in advance.

2 Replies

Philip D'Ath
VIP Alumni

The two ends should negotiate the smaller of those two settings.

 

I don't think you can force IKEv1 to do this. You can do this using IKEv2 - but if the remote party supported IKEv2 you probably wouldn't have a problem.

 

Well we are using IKEv1 for all the tunnels.

Regarding the time negotiation, I also think the smaller one should be chosen.

That is why I think there is some compatibility issue going on.

In some cases it does spontaneously negotiate 8 hours, but most of the time it doesn't.
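The reply above says the two ends should settle on the shorter lifetime, and the follow-up agrees. Both points, and the reason an ISAKMP policy cannot be pinned to a peer, follow from how IOS selects an IKEv1 policy. The script below is an added example, not code from this thread or from Cisco: it simulates the selection rule as Cisco's IOS IKE configuration guide describes it (the responder walks its own policies in priority order and takes the first whose encryption, hash, authentication and DH group equal a received proposal and whose lifetime is at least the proposed one; the shorter lifetime is used). The policy numbers, algorithms and the 24 h / 8 h lifetimes are constructed sample data matching the thread; the Check Point side is not modelled, and the scenario that applies the IOS rule to the remote side is labelled as an assumption.

```python
"""Simulation of IOS IKEv1 (ISAKMP) policy selection, as Cisco documents it.

Added example for this thread, not code from the thread or from Cisco.
Rule implemented (from the IOS IKE configuration guide): the responder
checks its own policies in priority order (lowest number first) and
matches the first one whose encryption, hash, authentication and DH group
equal a received proposal and whose lifetime is >= the proposed lifetime;
the shorter of the two lifetimes is then used. Real devices may be more
lenient about the lifetime check than the documented rule; the strict
form is what is simulated here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # "crypto isakmp policy <priority>"; lower wins
    encryption: str      # e.g. "aes", "3des"
    hash: str            # e.g. "sha", "md5"
    authentication: str  # e.g. "pre-share"
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds; IOS default is 86400 (24 h)


def attributes_match(local: IsakmpPolicy, proposed: IsakmpPolicy) -> bool:
    """Everything except the lifetime must be equal on both sides."""
    return (local.encryption == proposed.encryption
            and local.hash == proposed.hash
            and local.authentication == proposed.authentication
            and local.group == proposed.group)


def select_policy(local_policies: List[IsakmpPolicy],
                  proposals: List[IsakmpPolicy]
                  ) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Return (matched local policy, negotiated lifetime), or None.

    The initiator sends all of its policies; the responder compares each of
    its own policies, in priority order, against every proposal received.
    Note that nothing here looks at the peer's address: selection is purely
    by attribute match and priority, which is why a policy cannot be tied
    to one particular peer in IKEv1.
    """
    for local in sorted(local_policies, key=lambda p: p.priority):
        for proposed in proposals:
            if attributes_match(local, proposed) and proposed.lifetime <= local.lifetime:
                return local, min(local.lifetime, proposed.lifetime)
    return None


# Constructed sample data: the Cisco side from the thread (24 h lifetime)
# plus a second policy used by other tunnels.
LOCAL_POLICIES = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 2, 86400),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2, 86400),
]
# Assumed proposal from the Check Point peer: same attributes, 8 h lifetime.
CHECKPOINT_PROPOSAL = [IsakmpPolicy(0, "aes", "sha", "pre-share", 2, 28800)]


def checkpoint_initiates() -> Optional[Tuple[IsakmpPolicy, int]]:
    """Peer proposes 8 h to the 24 h router: policy 10 matches, 8 h is used."""
    return select_policy(LOCAL_POLICIES, CHECKPOINT_PROPOSAL)


def cisco_initiates_against_strict_responder() -> Optional[Tuple[IsakmpPolicy, int]]:
    """Reverse direction. Assumption: the remote side applies the same
    documented rule to its 8 h policy. The router's 24 h proposals exceed
    that lifetime, so under the strict rule nothing matches."""
    peer_policies = [IsakmpPolicy(10, "aes", "sha", "pre-share", 2, 28800)]
    return select_policy(peer_policies, LOCAL_POLICIES)


def dedicated_policy_is_shadowed() -> Optional[Tuple[IsakmpPolicy, int]]:
    """A lower-priority policy 30 with an 8 h lifetime "for the Check Point
    peer" is never chosen: policy 10 has the same attributes and is checked
    first. The negotiated lifetime is 8 h either way, because the shorter
    lifetime wins regardless of which policy matched."""
    policies = LOCAL_POLICIES + [IsakmpPolicy(30, "aes", "sha", "pre-share", 2, 28800)]
    return select_policy(policies, CHECKPOINT_PROPOSAL)


if __name__ == "__main__":
    for name, fn in [("Check Point initiates", checkpoint_initiates),
                     ("Cisco initiates, strict responder", cisco_initiates_against_strict_responder),
                     ("dedicated policy 30 added", dedicated_policy_is_shadowed)]:
        result = fn()
        if result is None:
            print(f"{name}: no matching policy")
        else:
            policy, lifetime = result
            print(f"{name}: policy {policy.priority} matched, lifetime {lifetime}s")
```

The third scenario is the one that answers the question as asked: a policy is selected by attribute match in priority order, so a policy intended for one peer can only take effect by being ordered ahead of the others, which is exactly the change the original post wants to avoid. The second scenario is the direction to check on the real router (`show crypto isakmp sa detail` shows the negotiated lifetime, `debug crypto isakmp` shows which proposal was accepted), since the outcome there depends on how the Check Point side treats a longer proposed lifetime.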
