11-04-2010 06:18 AM - edited 03-04-2019 10:22 AM
I use pre-shared keys for authentication, and I have written an automated script for periodically updating (rotating) keys. However, sometimes the rotation fails and I get paged in the middle of the night. So I had an idea:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 10
encr aes 256
group 5
! no "authentication" line here, so policy 10 takes the IOS default, rsa-sig (certificates)
!
! the key is a global command matched by peer address (a wildcard here); it is not tied to any policy number
crypto isakmp key badkeysecret address 0.0.0.0 0.0.0.0
I was thinking that if the pre-share policy fails, the next policy would be tried. This doesn't seem to be the case. When I test in the lab by putting different pre-shared keys on the peers, I simply get the message "Nov 2 08:50:05.525: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.1.0.1 failed its sanity check or is malformed"
So, policies don't work the way I thought?
Thanks,
Steve
11-04-2010 06:40 AM
I think you are missing the fact that isakmp keys are global configuration commands, not specific to numbered policy entries.
11-04-2010 07:00 AM
Thanks for the response . . . but I don't follow. You're saying the "key" command is global, understood . . . but policy 10 fails because the keys don't match, and policy 20 uses certificates for authentication. You're saying policy 20 wouldn't be tried?
Thanks,
Steve
11-04-2010 07:22 AM
Either have pre-shared, matching keys, or certificates.
Seems reasonable to me.
11-04-2010 07:37 AM
Hahahaha . . . me too. So I wonder why it doesn't work?
Thanks,
Steve
11-04-2010 07:46 AM
Because as you noted, your key mismatches, and no certificate is tried.
Probably WAD.
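The behaviour the replies describe, modelled in Python as an added example (not code from this thread and not Cisco IOS code): the responder settles on one policy in MM1/MM2 by walking its own list in priority order, the pre-shared key is then looked up in a global per-address table, and because SKEYID is derived from that key, a mismatch leaves MM5 undecryptable and the exchange dies without any other policy being revisited. The peer names and addresses, the fixed nonces, the HMAC-SHA256 stand-in for the IKE prf, and the assumption that the rsa-sig path simply succeeds are all simplifications of the model, not facts from the page.

```python
"""Simplified model of IKEv1 main mode: ISAKMP policy selection, then
pre-shared-key authentication.  Added illustration, not Cisco IOS code."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One 'crypto isakmp policy <priority>' entry."""
    priority: int
    encr: str = "aes 256"
    hash_alg: str = "sha"
    # IOS defaults to rsa-sig (certificates) when 'authentication' is omitted
    auth: str = "rsa-sig"
    group: int = 5

    def proposal(self):
        """Attributes carried in the SA payload of MM1 (lifetime omitted)."""
        return (self.encr, self.hash_alg, self.auth, self.group)


@dataclass
class Peer:
    name: str
    address: str
    policies: list
    # 'crypto isakmp key <key> address <ip> [mask]': a global table keyed by
    # peer address, not attached to any policy number
    psk_by_address: dict

    def sorted_policies(self):
        return sorted(self.policies, key=lambda p: p.priority)

    def lookup_psk(self, peer_addr):
        # an exact address entry wins; "0.0.0.0" stands in for the
        # 'address 0.0.0.0 0.0.0.0' wildcard
        return self.psk_by_address.get(peer_addr,
                                       self.psk_by_address.get("0.0.0.0"))


def select_policy(responder, proposals):
    """MM1/MM2: the responder walks its own policies in priority order and
    accepts the first one that matches any proposal the initiator offered."""
    for pol in responder.sorted_policies():
        if pol.proposal() in proposals:
            return pol
    return None


def skeyid_psk(psk, nonce_i, nonce_r):
    """SKEYID for pre-shared-key auth, RFC 2409 prf(psk, Ni | Nr); the prf
    is fixed to HMAC-SHA256 here purely for the model."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def main_mode(initiator, responder, nonce_i=b"Ni", nonce_r=b"Nr"):
    """Return (outcome, chosen policy).  Nonces are constructed constants;
    real ones are random.  Once MM1/MM2 fix the policy, IKEv1 never falls
    back to another policy: an authentication failure ends the exchange."""
    proposals = [p.proposal() for p in initiator.sorted_policies()]
    chosen = select_policy(responder, proposals)
    if chosen is None:
        return ("NO_PROPOSAL_CHOSEN", None)
    if chosen.auth != "pre-share":
        # certificate exchange is not modelled; assume rsa-sig succeeds
        return ("ESTABLISHED", chosen)
    key_i = initiator.lookup_psk(responder.address)
    key_r = responder.lookup_psk(initiator.address)
    if key_i is None or key_r is None:
        return ("NO_KEY", chosen)
    # MM5/MM6 are encrypted under keys derived from SKEYID, so a PSK mismatch
    # leaves the responder unable to decrypt MM5; on IOS that surfaces as
    # %CRYPTO-4-IKMP_BAD_MESSAGE ("failed its sanity check or is malformed")
    if not hmac.compare_digest(skeyid_psk(key_i, nonce_i, nonce_r),
                               skeyid_psk(key_r, nonce_i, nonce_r)):
        return ("AUTH_FAILED", chosen)
    return ("ESTABLISHED", chosen)


def scenarios():
    """Constructed peers mirroring the thread's config: policy 1 pre-share,
    policy 10 with no 'authentication' line, one wildcard key per peer."""
    ios = [Policy(1, auth="pre-share"), Policy(10)]
    a = Peer("A", "10.1.0.1", ios, {"0.0.0.0": b"rotated-key"})
    b = Peer("B", "10.1.0.2", ios, {"0.0.0.0": b"badkeysecret"})
    b_ok = Peer("B", "10.1.0.2", ios, {"0.0.0.0": b"rotated-key"})
    # an initiator offering only certificates; B's policy 1 cannot match it,
    # so B's policy 10 (rsa-sig) is the one selected
    a_certs = Peer("A", "10.1.0.1", [Policy(10)], {})
    return {
        "mismatch": main_mode(a, b),
        "match": main_mode(a, b_ok),
        "certs_only": main_mode(a_certs, b),
    }


if __name__ == "__main__":
    for name, (outcome, pol) in scenarios().items():
        print(f"{name:11s} -> {outcome} via policy "
              f"{pol.priority if pol else None}")
```

The "mismatch" scenario is the lab test from the first post: both peers offer policy 1 and policy 10, the responder locks in policy 1 because it matches first, and the wrong key then fails authentication with policy 10 never consulted. Falling through to certificates only happens when the initiator offers no proposal the pre-share policy can match, as in "certs_only".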