Using 2 ISAKMP policies, if policy 10 fails, try policy 20

stevejennings
Level 1

I use pre-shared keys for authentication, and I have written an automated script for periodically updating (rotating) keys. However, sometimes the rotation fails and I get paged in the middle of the night. So I had an idea:

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 10
encr aes 256
group 5
crypto isakmp key badkeysecret address 0.0.0.0 0.0.0.0

I was thinking that if the pre-share policy fails, the next policy would be tried. This doesn't seem to be the case. When I test in the lab by putting different pre-shared keys on the peers, I simply get the message "Nov  2 08:50:05.525: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.1.0.1       failed its sanity check or is malformed"

So, policies don't work the way I thought?

Thanks,

Steve

5 Replies

paolo bevilacqua
Hall of Fame

I think you are missing the fact that isakmp keys are global configuration commands, not specific to numbered policy entries.

stevejennings
Level 1

Thanks for the response . . . but I don't follow. You're saying the "key" command is global, understood . . . but policy 10 fails because the keys don't match, and policy 20 uses certificates for authentication. You're saying policy 20 wouldn't be tried?

Thanks,

Steve

Either have pre-shared, matching keys, or certificates.

Seems reasonable to me.

Hahahaha . . . me too. So I wonder why it doesn't work?

Thanks,

Steve

Because as you noted, your key mismatches, and no certificate is tried.

Probably WAD.
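The behaviour paolo describes, as an added toy model that is not Cisco's implementation and not code from this thread: in the first main-mode exchange the responder picks a policy purely by comparing proposal attributes, so with the posted config both peers settle on policy 1 before the pre-shared key is ever consulted, and a key mismatch in the authentication exchange aborts the SA instead of retrying policy 10 (certificates). The peer lists, the omitted-attribute defaults (hash sha, authentication rsa-sig) and the key values are assumptions modelled on the original post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    priority: int  # ISAKMP policy number; lower is tried first
    encr: str
    hash_: str
    auth: str      # "pre-share" or "rsa-sig" (IOS default when the line is omitted)
    group: int

    def attrs(self):
        return (self.encr, self.hash_, self.auth, self.group)

def select_policy(initiator, responder) -> Optional[Policy]:
    """MM1/MM2: the responder walks its own policies in priority order and
    returns the first one whose attributes match any offered proposal.
    The pre-shared key is not a proposal attribute, so it plays no part here."""
    offered = {p.attrs() for p in initiator}
    for mine in sorted(responder, key=lambda p: p.priority):
        if mine.attrs() in offered:
            return mine
    return None

def phase1(initiator, responder, init_key, resp_key):
    """Returns (policy_number, outcome). Once a policy is chosen the
    authentication method is fixed: a key mismatch aborts the SA, it does
    not restart negotiation with the next policy."""
    chosen = select_policy(initiator, responder)
    if chosen is None:
        return (None, "no matching policy")
    if chosen.auth == "pre-share":
        # 'crypto isakmp key' is global on IOS: the same key applies to any policy
        if init_key != resp_key:
            return (chosen.priority, "auth failed: bad pre-shared key")  # no fallback
        return (chosen.priority, "authenticated with pre-shared key")
    # Simplification: certificate validation assumed to succeed
    return (chosen.priority, "authenticated with certificate")

# Constructed model of the posted config: policy 1 (pre-share), policy 10 (defaults to rsa-sig)
PEER_A = [Policy(1, "aes-256", "sha", "pre-share", 5),
          Policy(10, "aes-256", "sha", "rsa-sig", 5)]
PEER_B = list(PEER_A)

if __name__ == "__main__":
    # The lab test from the post: different keys on the two peers
    print(phase1(PEER_A, PEER_B, "goodkey", "badkeysecret"))
    # Only dropping the pre-share policy on one side makes policy 10 win
    print(phase1(PEER_A[1:], PEER_B, "goodkey", "badkeysecret"))
```

Fallback exists only at proposal level (a policy nobody matches is skipped), never after a chosen policy's authentication has failed.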
