If there is no match, the ISAKMP negotiation fails and is terminated.

On Wed, Mar 2, 2011 at 7:00 PM, Serious CCIE <[email protected]> wrote:
> Thanks guys all those replied to this post...
>
> What happens when there is no match?
> I read something about each IOS sec+ box shipping with built-in default
> policies 6544x something?
>
> So if no isakmp policies match - will they negotiate to default one or
> initiator have no chance. How flexible is it - can we predict it by using
> some command not to use default if initiator can't find a match?
>
> On Wed, Mar 2, 2011 at 10:53 PM, Kingsley Charles <
> [email protected]> wrote:
>
>> The peer sends the configured ISAKMP policy to other peer. The other peer
>> compares the received policies with its local policies starting from
>> highest to lowest priority. The first match is picked up.
>>
>> With regards
>> Kings
>>
>> On Wed, Mar 2, 2011 at 3:27 PM, Serious CCIE <[email protected]> wrote:
>>
>>> Folks,
>>> I was wondering, how does the tunnel decide which crypto isakmp policy to
>>> pick up?
>>> In other words, how do we marry ISAKMP profile with end points?
>>>
>>> Let's say this is my scenario:
>>>
>>> R1----R2
>>>  |
>>>  |
>>> R3
>>>
>>> 1. Both R2 and R3 connect to R1.
>>> 2. R2 wants to pick policy with 3DES
>>> 3. R3 wants to pick policy with DES
>>>
>>> Typically, all the examples that I came across have the matching policy
>>> number in this scenario with ISAKMP policy.
>>>
>>> In this case R2 will be configured with "cry isakmp policy 100" and R3 will
>>> be configured "cry isakmp policy 200".
>>>
>>> Is that assumption correct? Or is there a criteria re how does it pick up?
>>>
>>> On R1:
>>> -------
>>> crypto isakmp policy 100
>>>  encr 3des     <------------------ 3DES
>>>  hash md5
>>>  authentication pre-share
>>>  group 2
>>>
>>> crypto isakmp policy 200
>>>  encr des      <--------------------Just DES
>>>  hash md5
>>>  authentication pre-share
>>>  group 1       <---Group1
>>>
>>> What is the tie breaker?
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
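
The selection rule described in this thread, modeled as an added example that is not part of the original messages or of IOS itself: the responder walks its own policies from highest priority (lowest number) to lowest and takes the first one whose attributes equal any policy the initiator offered, so the policy numbers on the two peers do not have to agree. Assumptions: the peers' local policy numbers (10, 20) and the AES offer are constructed, and lifetime comparison and the IOS built-in default policies asked about above are not modeled.

```python
from typing import NamedTuple, Optional


class Proposal(NamedTuple):
    encr: str
    hash: str
    auth: str
    group: int


# R1's two policies as posted in the thread, keyed by priority number.
R1_POLICIES = {
    100: Proposal("3des", "md5", "pre-share", 2),
    200: Proposal("des", "md5", "pre-share", 1),
}

# Constructed initiator offers; the policy numbers are hypothetical.
R2_OFFER = {10: Proposal("3des", "md5", "pre-share", 2)}
R3_OFFER = {10: Proposal("des", "md5", "pre-share", 1)}
BOTH_OFFER = {10: Proposal("des", "md5", "pre-share", 1),
              20: Proposal("3des", "md5", "pre-share", 2)}
NO_MATCH_OFFER = {10: Proposal("aes", "sha", "pre-share", 5)}


def select_policy(local: dict, offered: dict) -> Optional[tuple]:
    """Return (local_number, remote_number) of the first match, else None.

    The outer loop is the responder's own priority order, so when several
    offers are acceptable the responder's preference decides, not the
    order in which the initiator listed them.
    """
    for local_num in sorted(local):          # lowest number = highest priority
        for remote_num in sorted(offered):
            if offered[remote_num] == local[local_num]:
                return local_num, remote_num
    return None                              # no match: negotiation fails


if __name__ == "__main__":
    for name, offer in [("R2", R2_OFFER), ("R3", R3_OFFER),
                        ("both", BOTH_OFFER), ("no match", NO_MATCH_OFFER)]:
        print(name, "->", select_policy(R1_POLICIES, offer))
```

An initiator that offers both DES and 3DES lands on R1's policy 100, because R1's priority order is the tie breaker.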
