Cisco Support Community
New Member

Using 2 ISAKMP policies, if policy 10 fails, try policy 20

I use pre-shared keys for authentication, and I have written an automated script for periodically updating (rotating) keys. However, sometimes the rotation fails and I get paged in the middle of the night. So I had an idea:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr aes 256
 group 5
 ! no authentication command here, so this policy defaults to rsa-sig (certificates)
!
! the key command is global, keyed by peer address; it is not part of policy 10
crypto isakmp key badkeysecret address 0.0.0.0 0.0.0.0

I was thinking that if the pre-share policy fails, the next policy would be tried. This doesn't seem to be the case. When I test in the lab by putting different pre-shared keys on the peers, I simply get the message "Nov  2 08:50:05.525: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.1.0.1 failed its sanity check or is malformed"

So, policies don't work the way I thought?

Thanks,

Steve

5 REPLIES
Hall of Fame Super Gold

Re: Using 2 ISAKMP policies, if policy 10 fails, try policy 20

I think you are missing the fact that isakmp keys are global configuration commands, not specific to numbered policy entries.

New Member

Re: Using 2 ISAKMP policies, if policy 10 fails, try policy 20

Thanks for the response . . . but I don't follow. You're saying the "key" command is global, understood . . .  but policy 10 fails because the keys don't match, and policy 20 uses certificates for authentication. You're saying policy 20 wouldn't be tried?

Thanks,

Steve

Hall of Fame Super Gold

Re: Using 2 ISAKMP policies, if policy 10 fails, try policy 20

Either have pre-shared, matching keys, or certificates.

Seems reasonable to me.

New Member

Re: Using 2 ISAKMP policies, if policy 10 fails, try policy 20

Hahahaha . . . me too. So I wonder why it doesn't work?

Thanks,

Steve

Hall of Fame Super Gold

Re: Using 2 ISAKMP policies, if policy 10 fails, try policy 20

Because as you noted, your key mismatches, and no certificate is tried.

Probably WAD.
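The replies describe three separate mechanisms that together explain the behaviour: the policy list is only walked once, during the first exchange, and the authentication method is one of the attributes matched there; the pre-shared key is a global entry looked up by peer address, not something attached to a policy number; and the key is first exercised only when the identity payload is encrypted and decrypted, by which point the SA's parameters are already fixed. The Python model below is an added example written for this page, not code from the thread or from Cisco, and it simplifies freely: the key schedule, the stream cipher, the message framing and the "most specific address wins" lookup rule are stand-ins chosen for the model, not the real IKEv1 algorithms, and all policies, keys and addresses are constructed.

```python
"""Model of IKEv1 main mode: policy selection, global PSK lookup, MM5 check.
Added example, not Cisco or IKEv1 code; key derivation, cipher, framing and
key-table matching are simplified stand-ins. All inputs are constructed."""
from dataclasses import dataclass
import hashlib
import hmac
import ipaddress


@dataclass(frozen=True)
class Policy:
    priority: int
    encr: str
    hash_alg: str
    auth: str      # "pre-share" or "rsa-sig" (the IOS default when omitted)
    group: int


def select_policy(initiator, responder):
    """Responder walks its own policies by priority (lowest number first) and
    returns the first one exactly matching any proposal the initiator offered.
    This is the only point at which 'the next policy' is ever considered."""
    offered = {(p.encr, p.hash_alg, p.auth, p.group) for p in initiator}
    for p in sorted(responder, key=lambda x: x.priority):
        if (p.encr, p.hash_alg, p.auth, p.group) in offered:
            return p
    return None


def lookup_psk(key_table, peer_ip):
    """Global table of (key, address, mask) entries, like
    'crypto isakmp key K address A.B.C.D M.M.M.M'; 0.0.0.0 0.0.0.0 matches
    every peer. Most specific mask wins (an assumption of this model)."""
    peer = ipaddress.ip_address(peer_ip)
    best = None
    for key, addr, mask in key_table:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if peer in net and (best is None or net.prefixlen > best[1]):
            best = (key, net.prefixlen)
    return best[0] if best else None


def skeyid_e(psk, ni, nr):
    """SKEYID = prf(pre-shared key, Ni | Nr), then an encryption key from it.
    Modelled with HMAC-SHA256 rather than the real IKEv1 prf chain."""
    skeyid = hmac.new(psk.encode(), ni + nr, hashlib.sha256).digest()
    return hmac.new(skeyid, b"e", hashlib.sha256).digest()


def xor_stream(key, data):
    """Toy XOR stream cipher with a SHA-256 counter keystream; symmetric."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


MAGIC = b"IDii"   # fixed header that acts as the 'sanity check' on decryption


def build_mm5(psk, ni, nr, initiator_id):
    """Initiator encrypts its identity payload under its own derived key."""
    plain = MAGIC + len(initiator_id).to_bytes(1, "big") + initiator_id
    return xor_stream(skeyid_e(psk, ni, nr), plain)


def parse_mm5(psk, ni, nr, ciphertext):
    """Responder decrypts with the key it holds for this peer. A different
    key yields noise, and the header/length check rejects it."""
    plain = xor_stream(skeyid_e(psk, ni, nr), ciphertext)
    if plain[:4] != MAGIC or len(plain) != 5 + plain[4]:
        raise ValueError("%CRYPTO-4-IKMP_BAD_MESSAGE")
    return plain[5:]


def negotiate(init_policies, resp_policies, init_keys, resp_keys,
              init_ip, resp_ip, ni=b"nonce-i", nr=b"nonce-r"):
    """Runs the phases in order; returns (outcome, matched policy priority)."""
    chosen = select_policy(init_policies, resp_policies)
    if chosen is None:
        return ("NO-PROPOSAL-CHOSEN", None)
    if chosen.auth == "rsa-sig":
        return ("rsa-sig selected", chosen.priority)  # certificate path, not modelled
    # pre-share won: the key comes from the global table by peer address,
    # regardless of which policy number matched
    ki = lookup_psk(init_keys, resp_ip)
    kr = lookup_psk(resp_keys, init_ip)
    if ki is None or kr is None:
        return ("no pre-shared key for peer", chosen.priority)
    try:
        parse_mm5(kr, ni, nr, build_mm5(ki, ni, nr, init_ip.encode()))
    except ValueError as e:
        # SA attributes were fixed at selection time; the policy list is
        # not walked again from here.
        return (str(e), chosen.priority)
    return ("authenticated", chosen.priority)


# Constructed policies mirroring the thread: 1 = pre-share, 10 = rsa-sig.
SITE_A = [Policy(1, "aes-256", "sha", "pre-share", 5),
          Policy(10, "aes-256", "sha", "rsa-sig", 5)]
SITE_B = list(SITE_A)
GOOD = [("s3cret", "0.0.0.0", "0.0.0.0")]
BAD = [("badkeysecret", "0.0.0.0", "0.0.0.0")]

if __name__ == "__main__":
    print(negotiate(SITE_A, SITE_B, GOOD, GOOD, "10.1.0.1", "10.1.0.2"))
    print(negotiate(SITE_A, SITE_B, GOOD, BAD, "10.1.0.1", "10.1.0.2"))
```

Running it gives the thread's two outcomes: matching keys authenticate under policy 1, and a mismatched key fails with the bad-message result under policy 1, never reaching policy 10. Swapping the priorities so the rsa-sig policy sits at priority 1 makes `select_policy` pick certificates before any key is consulted, which is the only way policy ordering influences which authentication method is used.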
