Hello everyone, I am working on Task 4.4 in Lab 4A and was having problems with my isakmp policy taking the default parameters. I looked at the DSG and noticed that I had everything configured except for the default keyring in my ISAKMP profile. As soon as I configured 'keyring default', the VPN chose my configured policy.

From the docs, it says:

Defaults: "If this command is not used, the ISAKMP profile uses the keys defined in the global configuration."

Usage Guidelines: "The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used."

Can anyone enlighten me on why the keyring would affect which ISAKMP Proposal is chosen? I can see it affecting authentication, but not the actual proposal, since that happens first. I must be missing something.

### Without 'keyring default' ###

Config:

crypto isakmp profile R5-PROFILE
   ! This profile is incomplete (no match identity statement)
   self-identity fqdn
   initiate mode aggressive

Output from R2 Debug:

Mar 1 15:53:36.739: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
Mar 1 15:53:36.935: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 8.9.50.5 is bad: CA request failed!
Mar 1 15:53:36.939: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

==============================================

### With 'keyring default' ###

Config:

crypto isakmp profile R5-PROFILE
   ! This profile is incomplete (no match identity statement)
   keyring default
   self-identity fqdn
   initiate mode aggressive
!

Output from R2 Debug:

Mar 1 15:59:37.167: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
Mar 1 15:59:37.171: ISAKMP:      encryption AES-CBC
Mar 1 15:59:37.171: ISAKMP:      keylength of 192
Mar 1 15:59:37.175: ISAKMP:      hash SHA
Mar 1 15:59:37.175: ISAKMP:      default group 1
Mar 1 15:59:37.175: ISAKMP:      auth pre-share
Mar 1 15:59:37.175: ISAKMP:      life type in seconds
Mar 1 15:59:37.175: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 1 15:59:37.175: ISAKMP:(0):atts are acceptable. Next payload is 0

I appreciate the feedback.
Thanks, Jamie Brogdon, CCIE #6541 (SP and R&S) / JNCIE-M #381 Verizon Telecom, IP Networks 703-579-7354 (cell)
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
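The two debug excerpts in the post above are exactly what a defender wants to check after a change like this: did the router fall back to its built-in IKE default policy (the `%CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED` message), and what did the accepted transform actually contain? The script below is an added example, not part of the original post or of Cisco IOS; it parses `debug crypto isakmp` output of the shape shown, decodes the variable-length `life duration (VPI)` bytes into seconds (`0x0 0x1 0x51 0x80` is 0x00015180, i.e. 86400 seconds), and reports findings such as the default policy being used or DH group 1 being negotiated. The two sample inputs are constructed from the post's own debug lines; the finding thresholds are this example's assumptions, not anything IOS itself enforces.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample input: the R2 debug excerpts quoted in the post above.
DEBUG_WITHOUT_KEYRING = """\
Mar 1 15:53:36.739: %CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED: IKE default policy was matched and is being used.
Mar 1 15:53:36.935: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 8.9.50.5 is bad: CA request failed!
Mar 1 15:53:36.939: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
"""

DEBUG_WITH_KEYRING = """\
Mar 1 15:59:37.167: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
Mar 1 15:59:37.171: ISAKMP:      encryption AES-CBC
Mar 1 15:59:37.171: ISAKMP:      keylength of 192
Mar 1 15:59:37.175: ISAKMP:      hash SHA
Mar 1 15:59:37.175: ISAKMP:      default group 1
Mar 1 15:59:37.175: ISAKMP:      auth pre-share
Mar 1 15:59:37.175: ISAKMP:      life type in seconds
Mar 1 15:59:37.175: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 1 15:59:37.175: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

DEFAULT_POLICY_MSG = "%CRYPTO-4-IKE_DEFAULT_POLICY_ACCEPTED"

# One regex per attribute line printed by the IOS ISAKMP debug.
ATTR_PATTERNS = {
    "policy_priority": re.compile(r"Checking ISAKMP transform \d+ against priority (\d+) policy"),
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "dh_group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
    "lifetime": re.compile(r"ISAKMP:\s+life duration \(VPI\) of (.+)$"),
}


@dataclass
class IkeProposal:
    policy_priority: Optional[int] = None
    encryption: Optional[str] = None
    keylength: Optional[int] = None
    hash: Optional[str] = None
    dh_group: Optional[int] = None
    auth: Optional[str] = None
    lifetime_seconds: Optional[int] = None


@dataclass
class IkeNegotiation:
    used_default_policy: bool = False
    atts_acceptable: bool = False
    proposal: IkeProposal = field(default_factory=IkeProposal)


def parse_vpi_lifetime(text: str) -> int:
    """Decode the variable-length (VPI) lifetime bytes, big-endian: '0x0 0x1 0x51 0x80' -> 86400."""
    value = 0
    for tok in text.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_isakmp_debug(lines: Iterable[str]) -> IkeNegotiation:
    """Walk the debug lines and collect the policy decision plus the checked transform attributes."""
    result = IkeNegotiation()
    for line in lines:
        if DEFAULT_POLICY_MSG in line:
            result.used_default_policy = True
        if "atts are acceptable" in line:
            result.atts_acceptable = True
        for name, pattern in ATTR_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            raw = m.group(1).strip()
            if name == "lifetime":
                result.proposal.lifetime_seconds = parse_vpi_lifetime(raw)
            elif name in ("policy_priority", "keylength", "dh_group"):
                setattr(result.proposal, name, int(raw))
            else:
                setattr(result.proposal, name, raw)
    return result


def assess(neg: IkeNegotiation) -> List[str]:
    """Findings a reviewer would raise; the thresholds are this example's assumptions."""
    findings = []
    p = neg.proposal
    if neg.used_default_policy:
        findings.append("IKE default policy accepted: no configured 'crypto isakmp policy' matched this peer")
    if p.dh_group is not None and p.dh_group in (1, 2):
        findings.append(f"weak Diffie-Hellman group {p.dh_group} negotiated (group 1 is 768-bit MODP)")
    if p.hash == "SHA":
        findings.append("SHA-1 integrity negotiated; prefer SHA-256 or stronger")
    if p.lifetime_seconds is not None and p.lifetime_seconds > 86400:
        findings.append(f"phase 1 lifetime {p.lifetime_seconds}s exceeds 24h")
    return findings


if __name__ == "__main__":
    for label, text in (("without keyring", DEBUG_WITHOUT_KEYRING), ("with keyring", DEBUG_WITH_KEYRING)):
        neg = parse_isakmp_debug(text.splitlines())
        print(label, neg.proposal, assess(neg), sep="\n  ")
```

Run it as a script to see both excerpts summarised; in practice you would feed it the saved output of `debug crypto isakmp` (or the syslog feed that carries the `%CRYPTO-4-...` messages) so that a peer silently landing on the default policy shows up as a finding rather than going unnoticed.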
