PIX and isakmp policy

johnleeee
Level 1

Hi fellows,

I have a question about the isakmp policy on a PIX firewall.

When I want to set up an isakmp policy I use, for example:

Protection suite of priority 10

encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit

and there is also a default one:

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

And my question is: when the policy on one PIX is isakmp policy 10 and the other PIX (on the opposite side) has its isakmp policy set to other values (so there will be no match in the values set in the isakmp policies):

If both use the default policy, will the VPN succeed or not?

If yes, why set up the same policy on both sides when there is a default one?

I'm very interested in this problem, so any answer is very much appreciated.

reg

jl

2 Replies

mostiguy
Level 6

Both sides need to have matching policies. The numerical values only indicate preference: the lower values are tried first. If one side is configured for only 3DES and the other for AES, they will never bring up a tunnel.

The only parameter that does not need to match is the isakmp lifetime, as the tunnel that is negotiated will just use the lower of the two proposed values.
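
The matching rule in the reply above, as an added model for this thread (it is not PIX code and does not reproduce the firewall's negotiation engine): each peer holds a list of suites, the initiator offers them lowest priority number first, the responder accepts the first one whose encryption, hash, authentication and Diffie-Hellman group equal one of its own, and the agreed lifetime is the lower of the two. The suite values are constructed from the "sh isakmp policy" output quoted in the question; the 3DES suite for the far end and the policy names are assumptions. Whether a peer's candidate list includes the default suite is an input to the model, and the third scenario shows why that matters: if both lists carry the identical default suite, the model matches on it, and that suite is the weakest one in the list, so the checker flags it.

```python
"""Toy model of ISAKMP (IKE phase 1) policy matching between two peers.

Added illustration for the thread; not PIX code. Suite values are
constructed from the question's "sh isakmp policy" output, the 3DES suite
and all names are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Attributes that must be identical on both peers for a proposal to match.
# Lifetime is deliberately absent: it is negotiated down, not compared.
MATCH_ATTRS = ("encryption", "hash_alg", "auth", "dh_group")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int      # lower number is tried first; 65535 marks the default suite
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int
    lifetime: int      # seconds


# Constructed suites mirroring the question: priority 10 and the default.
POLICY_10_AES = IsakmpPolicy(10, "aes-128", "sha", "rsa-sig", 2, 86400)
DEFAULT_SUITE = IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400)
# Assumed suite on the far-end PIX for the mismatch scenario.
POLICY_10_3DES = IsakmpPolicy(10, "3des", "sha", "rsa-sig", 2, 28800)

# Parameters a practitioner would not want to see negotiated today.
WEAK_ENCRYPTION = {"des"}
WEAK_DH_GROUPS = {1, 2}


def policies_match(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    """True when every compared attribute is equal (lifetime excluded)."""
    return all(getattr(a, attr) == getattr(b, attr) for attr in MATCH_ATTRS)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Return the agreed suite, or None when no proposal matches.

    Proposals are offered in ascending priority order; the responder walks
    its own list in the same order and accepts the first match. The agreed
    lifetime is the lower of the two peers' values for that suite.
    """
    for proposal in sorted(initiator, key=lambda p: p.priority):
        for local in sorted(responder, key=lambda p: p.priority):
            if policies_match(proposal, local):
                return replace(proposal,
                               lifetime=min(proposal.lifetime, local.lifetime))
    return None


def weak_suite_warnings(policy: IsakmpPolicy) -> List[str]:
    """Flag a negotiated suite whose parameters are below current guidance."""
    warnings = []
    if policy.encryption in WEAK_ENCRYPTION:
        warnings.append(f"encryption {policy.encryption} is obsolete")
    if policy.dh_group in WEAK_DH_GROUPS:
        warnings.append(f"Diffie-Hellman group {policy.dh_group} is too small")
    return warnings


def run_scenarios() -> Dict[str, Optional[IsakmpPolicy]]:
    """Three constructed negotiations that illustrate the matching rule."""
    # Same suite on both ends, only the lifetime differs: matches, lifetime 28800.
    far_aes_short_life = replace(POLICY_10_AES, lifetime=28800)
    return {
        # Both sides AES suite; only lifetime differs.
        "matching_suites": negotiate([POLICY_10_AES], [far_aes_short_life]),
        # AES on one side, 3DES on the other, no default present: no tunnel.
        "mismatched_suites": negotiate([POLICY_10_AES], [POLICY_10_3DES]),
        # Same mismatch, but both candidate lists also carry the default suite.
        "mismatch_with_shared_default": negotiate(
            [POLICY_10_AES, DEFAULT_SUITE], [POLICY_10_3DES, DEFAULT_SUITE]),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        if result is None:
            print(f"{name}: no match, tunnel will not come up")
        else:
            print(f"{name}: agreed {result.encryption}/{result.hash_alg}/"
                  f"{result.auth}/group {result.dh_group}, "
                  f"lifetime {result.lifetime}s")
            for w in weak_suite_warnings(result):
                print(f"  warning: {w}")
```

The point of the third scenario is a configuration check rather than a statement about what any particular firewall does: if a weak fallback suite can be matched on both ends, a mismatch in the intended suites does not fail loudly but silently lands on the weakest common one, so an audit of the negotiated parameters (not just the configured ones) is what catches it.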

Hi boy,

when I enter the command sh isakmp policy there is a default policy. And I know that both sides have to be configured with matching policies.

My question is, when there is no match, whether my VPN will be set up with the default ones or not.

rg

jl
