Sequence change on Crypto policy

joseph.pj
Level 1

Hi all,

I have multiple crypto policies defined on my Cisco router (Version 12.4(3c)). I wanted to change the sequence of one policy from policy no. 6 to policy no. 1. How do I change the sequence of a policy? If we change the sequence, will it impact current VPN tunnels, as multiple VPN tunnels are configured on this router? Below are my current policies on my router. Appreciate your help;

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
!
crypto isakmp policy 3
hash md5
authentication pre-share
!
crypto isakmp policy 4
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 6
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2

4 Replies

Richard Burts
Hall of Fame

If you change the configuration and the parameters that are currently used in 6 become the parameters in 1, then what happens to the parameters that are currently in 1? I have not done this type of change and so cannot speak from experience. But I would think that the policy parameters are referred to when a VPN tunnel is actively doing its negotiation. So I would think that changing the policy would not impact tunnels that have completed their negotiation and are up and running. But it would be wise to schedule a maintenance window and make these changes in the maintenance window.

HTH

Rick

If you change the configuration and the parameters that are currently used in 6 become the parameters in 1, then what happens to the parameters that are currently in 1?

Ans: We can create a new policy, the same as Policy 1, with a higher sequence number.

Thanks for your advice. Still, I have to change the sequence, and AES 256 I need to make high priority.

Cristian Matei
VIP Alumni

Hi,

 

1. Those policies are needed only when a new IKE tunnel needs to be established. In order to not get unlucky and have a tunnel negotiation happening exactly when you want to do the changes, you gotta apply all changes at once:

This is your current policy:

!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 6
encr aes 256
authentication pre-share
group 5

Paste this on the router:

!
crypto isakmp policy 6
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5

2. Not sure of the reason you're doing this, but you've got to know that now your new ISAKMP policy 1 will be preferred for IKE negotiations due to the lowest priority.

 

Regards,

Cristian Matei.
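As an added illustration for this thread (it is not part of the posts above and not a Cisco tool), the Python script below parses the two `crypto isakmp policy` blocks, models how IOS applies a pasted block (re-entering an existing policy edits it in place, so any parameter the paste does not mention keeps its old value), emits one snippet that swaps the two policy numbers with every parameter stated explicitly, and simulates the phase-1 selection Cristian describes: the responder walks its own policies from the lowest number up and takes the first one that matches any proposal the peer sent. The `SAMPLE_CONFIG`, `MINIMAL_PASTE` and the peer proposals are constructed for the example; the `DEFAULTS` table holds the IOS ISAKMP defaults (des, sha, rsa-sig, group 1) that apply to parameters a block leaves out, and `lifetime` is deliberately not modelled.

```python
"""Swap the priority numbers of two Cisco IOS ISAKMP policies.

Added example for this thread, not Cisco's tooling. Parses
'crypto isakmp policy N' blocks, models how IOS applies pasted config,
emits a swap snippet with every parameter explicit, and simulates
IKEv1 phase-1 policy selection by ascending policy number.
"""
import re

# IOS ISAKMP defaults for parameters a policy block does not mention.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
KEYS = ("encr", "hash", "authentication", "group")  # lifetime is not modelled here
POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")

# Constructed sample: the two policies the thread wants to swap.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 6
 encr aes 256
 authentication pre-share
 group 5
!
"""

# Constructed copy of the minimal paste from the thread (policy 1 gets no hash line).
MINIMAL_PASTE = """\
crypto isakmp policy 6
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
"""


def apply_paste(existing, text):
    """Model IOS applying config lines: re-entering 'crypto isakmp policy N'
    edits that policy in place, so parameters the paste does not mention keep
    their previous values; a brand-new policy starts from DEFAULTS."""
    result = {n: dict(p) for n, p in existing.items()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            result.setdefault(current, dict(DEFAULTS))
            continue
        if current is None or not line or line == "!":
            continue
        key, _, value = line.partition(" ")
        if key in KEYS:
            result[current][key] = value
    return result


def parse_policies(text):
    """Parse a running-config excerpt into {number: {param: value}}."""
    return apply_paste({}, text)


def render_policy(number, params):
    """Render one policy block with all four parameters written out."""
    lines = [f"crypto isakmp policy {number}"]
    lines += [f" {k} {params[k]}" for k in KEYS]
    return "\n".join(lines) + "\n"


def swap_commands(policies, a, b):
    """Return (snippet, resulting policies) that swap policies a and b.
    Defaults such as 'hash sha' are emitted explicitly so nothing from the
    old occupant of a number survives the swap."""
    swapped = dict(policies)
    swapped[a], swapped[b] = policies[b], policies[a]
    snippet = "!\n".join(render_policy(n, swapped[n]) for n in sorted((a, b)))
    return snippet, swapped


def select_policy(policies, peer_proposals):
    """Responder-side IKEv1 phase-1 match: walk local policies from the lowest
    number up and return the first one equal to any proposal the peer sent."""
    for number in sorted(policies):
        if policies[number] in peer_proposals:
            return number
    return None


if __name__ == "__main__":
    before = parse_policies(SAMPLE_CONFIG)
    snippet, after = swap_commands(before, 1, 6)
    print(snippet)
    # Constructed peer that offers both the old and the new transform set.
    peer = [
        {"encr": "aes 256", "hash": "sha", "authentication": "pre-share", "group": "5"},
        {"encr": "3des", "hash": "md5", "authentication": "pre-share", "group": "2"},
    ]
    for label, pol in (("before", before), ("after", after)):
        chosen = select_policy(pol, peer)
        print(f"{label}: policy {chosen} -> {pol[chosen]['encr']}")
    leftover = apply_paste(before, MINIMAL_PASTE)
    print("minimal paste leaves policy 1 hash =", leftover[1]["hash"])
```

Running it shows why the original order kept landing on 3DES: with the peer offering both transform sets, policy 1 matches first before the swap and the AES 256 set matches first after it. It also shows the point of emitting every parameter: applying the minimal paste leaves `hash md5` on the new policy 1, because IOS only changes the lines you re-enter.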

Hi Cristian, thanks for the advice.

2. Not sure of the reason you're doing this, but you've got to know that now your new ISAKMP policy 1 will be preferred for IKE negotiations due to the lowest priority.

Ans: I have a VPN tunnel with 3DES (Policy 1), and now it got changed to AES 256 with Group 5 (Policy 6).

After the changes, Phase 1 is still looking into 3DES, whereas Phase 2 is working as expected and takes AES 256 from policy 6. Now I want to move Policy 6, i.e. AES 256 with group 5, to higher priority, i.e. policy no. 1, so my changes on the tunnel will work on Phase 1 with AES 256. Hope you understood the requirement and why I need to do the sequence change on the policy.

Thanks

Joseph