Also, if there is no match between the user-defined isakmp policies, there could
still be a match between the default isakmp policies. On a 12.4(15)T router with
no user-defined isakmp config there is already an isakmp policy built into
the IOS:
------------------------------------------
Router#show crypto isakmp policy
Global IKE policy
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Router#
------------------------------------------
The later versions of IOS have multiple built-in policies:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html#wp1164552
Cheers : )
Jerome
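The selection rule Kingsley describes, plus Jerome's point that a built-in default suite can still match when no user-defined policy does, as a small Python model (an added example, not code from the thread or from IOS). The lifetime rule, the placeholder priority given to the default suite, and the `allow_defaults` switch are assumptions; the switch stands in for disabling built-in policies (`no crypto isakmp default policy` in the IOS releases that ship numbered defaults), and the audit helper flags a negotiation that lands on the DES/group 1 default so it can be caught before the tunnel is trusted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int            # IOS "crypto isakmp policy N": lower N = higher priority
    encr: str                # des | 3des | aes
    hashalg: str             # md5 | sha
    auth: str                # pre-share | rsa-sig
    group: int               # Diffie-Hellman group number
    lifetime: int = 86400    # seconds
    builtin: bool = False    # True for an IOS default suite (not user-configured)

# Constructed from the "show crypto isakmp policy" output quoted in the thread.
# The priority is a placeholder: IOS only tries the default suite after user policies.
IOS_DEFAULT = IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, builtin=True)

# R1's two user-defined policies from the original question, plus the default.
R1_POLICIES = [
    IsakmpPolicy(100, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(200, "des", "md5", "pre-share", 1),
    IOS_DEFAULT,
]

def matches(local: IsakmpPolicy, remote: IsakmpPolicy) -> bool:
    """Encryption, hash, authentication and DH group must be identical. The lifetime
    rule (remote lifetime must not exceed local) is an assumption from Cisco's docs."""
    return (local.encr == remote.encr and local.hashalg == remote.hashalg
            and local.auth == remote.auth and local.group == remote.group
            and remote.lifetime <= local.lifetime)

def select_policy(local_policies, remote_proposals, allow_defaults=True):
    """Responder-side selection: walk local policies from highest priority (lowest
    number) to lowest, user-defined before built-in, and return the first matching
    (local, remote) pair, or None when the ISAKMP negotiation would fail."""
    ordered = sorted(local_policies, key=lambda p: (p.builtin, p.priority))
    for local in ordered:
        if local.builtin and not allow_defaults:
            continue
        for remote in remote_proposals:
            if matches(local, remote):
                return local, remote
    return None

def weak_parameters(policy: IsakmpPolicy) -> list:
    """Audit helper: flag single DES and 768-bit DH group 1, both long deprecated."""
    checks = [("des", policy.encr == "des"), ("group 1", policy.group == 1)]
    return [name for name, hit in checks if hit]
```

Running `select_policy(R1_POLICIES, [proposal])` for R2's 3DES proposal picks policy 100, for R3's DES proposal policy 200, and for a peer offering only DES/SHA/RSA-sig/group 1 the built-in default, which `weak_parameters` reports.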
On Thu, Mar 3, 2011 at 12:46 AM, Kingsley Charles <[email protected]> wrote:
> If there is no match, the ISAKMP negotiation fails and is terminated.
>
>
> On Wed, Mar 2, 2011 at 7:00 PM, Serious CCIE <[email protected]> wrote:
>
>> Thanks guys, all those who replied to this post...
>>
>> What happens when there is no match?
>> I read something about each IOS sec+ box shipping with built-in default
>> policies, 6544x something?
>>
>> So if no isakmp policy matches, will they negotiate to the default one, or
>> does the initiator have no chance? How flexible is it; can we predict it by
>> using some command not to use the default if the initiator can't find a match?
>>
>> On Wed, Mar 2, 2011 at 10:53 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> The peer sends the configured ISAKMP policy to the other peer. The other peer
>>> compares the received policies with its local policies, starting from
>>> highest to lowest priority. The first match is picked up.
>>>
>>> With regards
>>> Kings
>>>
>>> On Wed, Mar 2, 2011 at 3:27 PM, Serious CCIE <[email protected]> wrote:
>>>
>>>> Folks,
>>>> I was wondering, how does the tunnel decide which crypto isakmp policy to
>>>> pick up?
>>>> In other words, how do we marry the ISAKMP profile with the end points?
>>>>
>>>> Let's say this is my scenario:
>>>>
>>>> R1----R2
>>>> |
>>>> |
>>>> R3
>>>>
>>>> 1. Both R2 and R3 connect to R1.
>>>> 2. R2 wants to pick the policy with 3DES
>>>> 3. R3 wants to pick the policy with DES
>>>>
>>>> Typically, all the examples that I came across have the matching policy
>>>> number in this scenario with the ISAKMP policy.
>>>>
>>>> In this case R2 will be configured with "cry isakmp policy 100" and R3
>>>> will be configured with "cry isakmp policy 200".
>>>>
>>>> Is that assumption correct? Or is there a criterion for how it picks one?
>>>>
>>>> On R1:
>>>> -------
>>>> crypto isakmp policy 100
>>>> encr 3des <------------------ 3DES
>>>> hash md5
>>>> authentication pre-share
>>>> group 2
>>>>
>>>> crypto isakmp policy 200
>>>> encr des <--------------------Just DES
>>>> hash md5
>>>> authentication pre-share
>>>> group 1 <---Group1
>>>>
>>>> What is the tie breaker?
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>>
>>>
>>
>