08-11-2004 03:28 AM - edited 02-20-2020 11:33 PM
Hi fellows,
I have a question about isakmp policy on the PIX firewall.
When I want to set up an isakmp policy I use, for example:
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
and there is also a default one.
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
And my question is: when the policy on one PIX is isakmp policy 10 and another PIX (on the opposite side) has its policy set to other values in isakmp (so there will be no match in the values set in the isakmp policies), will both use the default policy and will the VPN succeed or not?
If yes, why set up the same policy when there is a default?
I'm very interested in this problem, so any answer is very much appreciated.
reg
jl
08-11-2004 06:08 AM
Both sides need to have matching policies. The numerical values only indicate preference - the lower values are tried first. If one side is configured for only 3des, and the other AES, they will never bring up a tunnel.
The only parameter that does not need to match is isakmp lifetime, as the tunnel that is negotiated will just support the lowest value of the two proposed.
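The matching rule described in the reply above, as an added example that is not part of the original thread: a small Python model of phase 1 suite selection using the two suites from the question. It assumes the default suite takes part in negotiation as a lowest-priority entry (the thread does not confirm this), and the priority value 65535, the 3des peer policy and the `weak` flag are constructed for illustration.

```python
from typing import NamedTuple, Optional, Sequence

class Suite(NamedTuple):
    priority: int    # lower number is tried first
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int
    lifetime: int    # seconds

# Values taken from the "show isakmp policy" output in the question.
POLICY_10 = Suite(10, "aes-128", "sha", "rsa-sig", 2, 86400)
# Assumption: the default suite acts as a lowest-priority entry (65535 is constructed).
DEFAULT = Suite(65535, "des", "sha", "rsa-sig", 1, 86400)

WEAK_ENCRYPTION = {"des"}   # 56-bit keys
WEAK_DH_GROUPS = {1}        # 768-bit modulus

def match_key(s: Suite) -> tuple:
    """Parameters that must be identical on both peers (lifetime excluded)."""
    return (s.encryption, s.hash_alg, s.auth, s.dh_group)

def negotiate(initiator: Sequence[Suite], responder: Sequence[Suite]) -> Optional[dict]:
    """Walk the initiator's suites in priority order; return the first shared one."""
    for mine in sorted(initiator, key=lambda s: s.priority):
        for theirs in sorted(responder, key=lambda s: s.priority):
            if match_key(mine) == match_key(theirs):
                return {
                    "suite": match_key(mine),
                    # Per the reply: the lower of the two proposed lifetimes is used.
                    "lifetime": min(mine.lifetime, theirs.lifetime),
                    # Flag tunnels that came up on DES or DH group 1.
                    "weak": mine.encryption in WEAK_ENCRYPTION
                            or mine.dh_group in WEAK_DH_GROUPS,
                }
    return None  # no common suite: phase 1 fails and no tunnel comes up

if __name__ == "__main__":
    peer_3des = Suite(10, "3des", "sha", "rsa-sig", 2, 3600)  # constructed peer policy
    print(negotiate([POLICY_10], [peer_3des]))                    # mismatch only
    print(negotiate([POLICY_10, DEFAULT], [peer_3des, DEFAULT]))  # falls through to default
    print(negotiate([POLICY_10], [POLICY_10._replace(lifetime=3600)]))
```

Under the stated assumption, the second case shows why relying on the default is undesirable: the tunnel would come up on DES with DH group 1 rather than on the AES suite either administrator intended.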
08-11-2004 06:30 AM
Hi boy,
when I enter the command sh isakmp policy there is a default policy. And I know that both sides have to be configured to match policies.
My question is, when there is no match, whether my VPN will be set up with the default ones or not.
rg
jl