When you configure a policy, the defaults are removed. You can see this by
doing a show crypto isakmp policy.

 

Regards,

 

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

 

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

 

From: [email protected]
[mailto:[email protected]] On Behalf Of Serious CCIE
Sent: Thursday, March 03, 2011 8:35 AM
To: Jerome Dolphin
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Multiple isakmp policies selection criteria

 

Jerome,

> there could still be a match between default isakmp policies.

That was exactly my point. How do we protect against this happening (choosing
the default policy)?



On Thu, Mar 3, 2011 at 9:35 PM, Jerome Dolphin <[email protected]> wrote:

Also,

If there is no match between the user-defined isakmp policies, there could
still be a match between default isakmp policies. On a 12.4(15)T router with
no user-defined isakmp config there is already an isakmp policy built into
the IOS:

------------------------------------------
Router#show crypto isakmp policy

Global IKE policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Router#
------------------------------------------

The later versions of IOS have multiple built in policies:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_s3.html#wp1164552


Cheers : )
Jerome

 

 

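The thread asks how to stop a peer from landing on a built-in DES / DH group 1 suite when none of the user-defined policies match. Below is an added configuration example, not posted by anyone in the thread, showing the usual answer: define an explicit strong policy and then disable the built-in defaults with `no crypto isakmp default policy` (a command that, to my knowledge, appeared in 12.4(20)T; it is not available on the 12.4(15)T image Jerome quotes). The peer address and pre-shared key are placeholders, and AES-256 with DH group 14 assumes a release that supports them (use group 5 on older images).

```cisco
! Added example (not from the thread): harden IKEv1 phase 1 on an IOS router
! so that a peer cannot silently fall back to a built-in default suite.
! Assumptions: peer 192.0.2.1 and the key are placeholders; the image
! supports "crypto isakmp default policy" (12.4(20)T or later, as I recall)
! and AES-256 / DH group 14.
!
! 1. An explicit policy. Priority 10 is checked before any built-in policy
!    (defaults are numbered 65507 to 65514 on releases that ship several).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
!
! 2. Disable the built-in default policies. With these off, a peer that does
!    not match policy 10 fails phase 1 instead of matching DES / group 1.
no crypto isakmp default policy
!
! 3. Pre-shared key for the peer (placeholder value).
crypto isakmp key 0 ReplaceWithStrongKey address 192.0.2.1
!
! Verification, from exec mode:
!   show crypto isakmp policy          -> only policy 10 should be listed
!   show crypto isakmp default policy  -> no enabled default suite should appear
!   debug crypto isakmp                -> while a peer connects, confirm that
!                                         only policy 10 is offered/compared
```

If the image predates the `crypto isakmp default policy` command, the only control you have is what Tyson describes above: make sure at least one user-defined policy exists and check `show crypto isakmp policy` for a remaining "Default protection suite" entry.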
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com