The remote peer, who is starting the VPN, will send their proposals one by one until one gets matched on the local device. If the remote peer offers des/md5, the local router will try from 1 to 200, or from the first policy that you have configured until the last policy. Once they match, they are fine.
On Wed, Mar 2, 2011 at 6:57 AM, Serious CCIE <[email protected]> wrote:
> Folks,
> I was wondering, how does the tunnel decide which crypto isakmp policy to
> pick up?
> In other words, how do we marry the ISAKMP profile with the end points?
>
> Let's say this is my scenario:
>
> R1----R2
> |
> |
> R3
>
> 1. Both R2 and R3 connect to R1.
> 2. R2 wants to pick the policy with 3DES.
> 3. R3 wants to pick the policy with DES.
>
> Typically, all the examples that I came across have the matching policy number
> in this scenario with the ISAKMP policy.
>
> In this case R2 will be configured with "cry isakmp policy 100" and R3 will
> be configured with "cry isakmp policy 200".
>
> Is that assumption correct, or is there a criterion for how it picks one?
>
> On R1:
> -------
> crypto isakmp policy 100
>  encr 3des                <------------------ 3DES
>  hash md5
>  authentication pre-share
>  group 2
>
> crypto isakmp policy 200
>  encr des                 <-------------------- Just DES
>  hash md5
>  authentication pre-share
>  group 1                  <--- Group 1
>
> What is the tie breaker?
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
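The selection rule described in the reply (the responder walks its own policies from the lowest priority number upward and takes the first one that any of the initiator's proposals matches) can be simulated with the thread's R1/R2/R3 scenario. This is an added illustration, not Cisco code or anything from the thread: the policy objects, the `select_policy` function and the peer proposal lists are constructed here, and the matching rule it assumes is the documented IOS one as I understand it (encryption, hash, authentication and DH group must be identical; the peer's lifetime must be less than or equal to the local policy's lifetime). It also shows the case the thread does not: a peer that offers both DES and 3DES, where the responder's own numbering decides which one wins, which is why the weaker DES policy belongs at the higher number.

```python
"""Simulation of Cisco IOS responder-side ISAKMP (IKEv1 phase 1) policy
selection.  Added example; the policies and proposals are constructed from
the thread's R1/R2/R3 scenario, not taken from a real device."""

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # "crypto isakmp policy <n>": lower number is tried first
    encr: str              # des, 3des, aes ...
    hash: str              # md5, sha
    auth: str              # pre-share, rsa-sig
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds; IOS default


# R1's two policies, as configured in the quoted question.
R1_POLICIES: List[IsakmpPolicy] = [
    IsakmpPolicy(100, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(200, "des", "md5", "pre-share", 1),
]


def proposal_matches(local: IsakmpPolicy, offered: IsakmpPolicy) -> bool:
    """Assumed IOS matching rule: encr/hash/auth/group must be identical and
    the peer's lifetime must not exceed the local lifetime (the shorter of the
    two is then used for the SA)."""
    return (
        local.encr == offered.encr
        and local.hash == offered.hash
        and local.auth == offered.auth
        and local.group == offered.group
        and offered.lifetime <= local.lifetime
    )


def select_policy(local_policies: Iterable[IsakmpPolicy],
                  offered: Iterable[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Responder side: check local policies from the lowest priority number
    upward and return the first one that any offered proposal matches.
    The initiator's own policy numbers play no part in this decision."""
    offered = list(offered)
    for local in sorted(local_policies, key=lambda p: p.priority):
        for proposal in offered:
            if proposal_matches(local, proposal):
                return local
    return None  # nothing acceptable: phase 1 negotiation fails


# Constructed peer proposals.  R2 only offers 3DES; R3 only offers DES.
R2_PROPOSALS = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2)]
R3_PROPOSALS = [IsakmpPolicy(10, "des", "md5", "pre-share", 1)]
# A peer offering both, DES first: R1 still picks by ITS OWN order, so 3DES
# (policy 100) wins only because DES sits at the higher number 200.
BOTH_PROPOSALS = R3_PROPOSALS + R2_PROPOSALS


def matched_priority(offered: Iterable[IsakmpPolicy]) -> Optional[int]:
    """Priority number of the R1 policy chosen for these proposals, or None."""
    policy = select_policy(R1_POLICIES, offered)
    return None if policy is None else policy.priority


if __name__ == "__main__":
    for name, offered in [("R2", R2_PROPOSALS), ("R3", R3_PROPOSALS),
                          ("both", BOTH_PROPOSALS)]:
        print(f"{name}: R1 selects policy {matched_priority(offered)}")
```

Running it prints policy 100 for R2, 200 for R3 and 100 for the peer that offers both. Reordering R1 so that the DES policy had the lower number would make the "both" case land on DES, which is the practical reason to give the strongest policy the lowest number on a responder.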
