Thanks, guys, all those who replied to this post... What happens when there is no match? I read something about each IOS sec+ box shipping with built-in default policies, 6544x something?

So if no ISAKMP policy matches, will they negotiate to the default one, or does the initiator have no chance? How flexible is it? Can we predict it by using some command not to use the default if the initiator can't find a match?

On Wed, Mar 2, 2011 at 10:53 PM, Kingsley Charles <[email protected]> wrote:

> The peer sends the configured ISAKMP policy to the other peer. The other peer compares the received policies with its local policies starting from highest to lowest priority. The first match is picked up.
>
> With regards
> Kings
>
> On Wed, Mar 2, 2011 at 3:27 PM, Serious CCIE <[email protected]> wrote:
>
>> Folks,
>> I was wondering, how does the tunnel decide which crypto isakmp policy to pick up?
>> In other words, how do we marry the ISAKMP profile with end points?
>>
>> Let's say this is my scenario:
>>
>> R1----R2
>> |
>> |
>> R3
>>
>> 1. Both R2 and R3 connect to R1.
>> 2. R2 wants to pick the policy with 3DES.
>> 3. R3 wants to pick the policy with DES.
>>
>> Typically, all the examples that I came across have the matching policy number in this scenario with the ISAKMP policy.
>>
>> In this case R2 will be configured with "cry isakmp policy 100" and R3 will be configured with "cry isakmp policy 200".
>>
>> Is that assumption correct? Or is there a criterion for how it picks it up?
>>
>> On R1:
>> -------
>> crypto isakmp policy 100
>>  encr 3des <------------------ 3DES
>>  hash md5
>>  authentication pre-share
>>  group 2
>>
>> crypto isakmp policy 200
>>  encr des <-------------------- Just DES
>>  hash md5
>>  authentication pre-share
>>  group 1 <--- Group 1
>>
>> What is the tie breaker?
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
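As an added illustration (not code from anyone in this thread), here is a small Python model of the responder-side selection Kings describes, using R1's two policies from the original question. It assumes a simplified lifetime rule (the shorter of the two lifetimes is used once a match is found) and uses a constructed stand-in for the built-in default policies, since their real numbers and contents are not on this page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <n>' block; a lower number is a higher priority."""
    priority: int
    encr: str
    hash: str
    auth: str
    group: int
    lifetime: int = 86400  # seconds; the IOS default when none is configured

def matches(local: IsakmpPolicy, proposal: IsakmpPolicy) -> bool:
    # Encryption, hash, authentication and DH group must all be identical.
    # Lifetime is deliberately not part of the match here (simplification:
    # the shorter of the two lifetimes is used once a match is found).
    return (local.encr == proposal.encr and local.hash == proposal.hash
            and local.auth == proposal.auth and local.group == proposal.group)

def select_policy(local_policies, proposals) -> Optional[Tuple[int, int]]:
    """Responder logic from the thread: walk local policies from highest to
    lowest priority and take the first that matches any received proposal.
    Returns (local policy number, negotiated lifetime) or None on no match."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        for prop in proposals:
            if matches(local, prop):
                return local.priority, min(local.lifetime, prop.lifetime)
    return None

# R1's two policies exactly as configured in the original question.
R1_POLICIES = [
    IsakmpPolicy(100, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(200, "des", "md5", "pre-share", 1),
]
# Constructed stand-in for the built-in default policies (real numbers and
# contents are not on this page); a very high number means lowest priority.
DEFAULT_POLICIES = [IsakmpPolicy(65500, "aes", "sha", "pre-share", 5)]

def negotiate(proposals, use_defaults=True):
    """Responder tries its configured policies first, then the defaults if
    they are enabled (IOS turns them off with 'no crypto isakmp default policy')."""
    local = R1_POLICIES + (DEFAULT_POLICIES if use_defaults else [])
    return select_policy(local, proposals)

# Initiators: the local policy number (10 here) never has to match R1's;
# only the parameters inside the policy are compared.
R2 = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2)]
R3 = [IsakmpPolicy(10, "des", "md5", "pre-share", 1, lifetime=3600)]
R4 = [IsakmpPolicy(10, "aes", "sha", "pre-share", 5)]  # nothing configured fits
```

With the defaults enabled, R4 lands on the stand-in default policy; with them disabled it gets no match at all, which is the "initiator has no chance" case asked about above.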
