Disable ISAKMP Default Policy?

anthony.charles
Level 1

Is there any way to disable or change the ISAKMP default policy?  I have created policy number 20 which is used in a site-to-site VPN, but during a PCI quarterly scan the results come back failed due to successful phase 1 authentication with DES/DH768 encryption.  I have reproduced those results using ike-scan with explicit DES/DH768 settings.

This is a 2600 Router, and I just upgraded the IOS to 12.4(23) because I came across Cisco documentation (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html) that says 12.4(20) introduced the 'no crypto isakmp default policy' - but I don't see that command available to me still.  Below are results of sh crypto isakmp policy:

Protection suite of priority 20
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Any help would be greatly appreciated!
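As an added illustration for this thread (not code from the original poster or from Cisco): a small Python checker that parses the `show crypto isakmp policy` output quoted above and reports which protection suites a PCI-style scan would object to. The thresholds it applies (single DES, MD5, and any Diffie-Hellman modulus below a configurable minimum) are this example's own assumptions, not a quotation of any PCI document, and the sample output embedded below is copied from the question.

```python
"""Audit `show crypto isakmp policy` output for weak IKEv1 phase-1 suites.

Added example for this thread; not Cisco's code and not the original
poster's. The thresholds are assumptions chosen for illustration.
"""
import re

# Sample output, copied from the question above (constructed test input).
SAMPLE_OUTPUT = """\
Protection suite of priority 20
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# A suite starts with either a numbered header or the built-in default header.
SUITE_HEADER = re.compile(r"^(Protection suite of priority (\d+)|Default protection suite)\s*$")
# Indented "name:   value" lines belong to the current suite.
FIELD = re.compile(r"^\s+([A-Za-z\- ]+?):\s+(.*?)\s*$")


def parse_policies(text):
    """Return one dict per protection suite, keyed by lower-cased field name."""
    suites = []
    current = None
    for line in text.splitlines():
        m = SUITE_HEADER.match(line)
        if m:
            current = {
                "priority": int(m.group(2)) if m.group(2) else None,  # None = built-in default
                "default": m.group(2) is None,
            }
            suites.append(current)
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current[f.group(1).strip().lower()] = f.group(2)
    return suites


def dh_bits(value):
    """Extract the modulus size from a value such as '#1 (768 bit)'."""
    m = re.search(r"\((\d+) bit\)", value)
    return int(m.group(1)) if m else None


def find_weaknesses(suite, min_dh_bits=1024):
    """Return human-readable findings for one suite; an empty list means acceptable.

    Assumed criteria: single DES, MD5 and any DH modulus below min_dh_bits.
    The default of 1024 reproduces the scan result described in the question
    (only the 768-bit default suite fails); raise it to 2048 for current guidance.
    """
    findings = []
    enc = suite.get("encryption algorithm", "")
    if enc.startswith("DES"):  # "Three key triple DES" does not start with DES
        findings.append("single DES (56-bit) encryption")
    h = suite.get("hash algorithm", "").upper()
    if "MD5" in h or "MESSAGE DIGEST 5" in h:
        findings.append("MD5 hash")
    bits = dh_bits(suite.get("diffie-hellman group", ""))
    if bits is not None and bits < min_dh_bits:
        findings.append(f"Diffie-Hellman modulus of {bits} bits (< {min_dh_bits})")
    return findings


def audit(text, min_dh_bits=1024):
    """Map each suite label ('priority 20', 'default') to its list of findings."""
    report = {}
    for suite in parse_policies(text):
        label = "default" if suite["default"] else f"priority {suite['priority']}"
        report[label] = find_weaknesses(suite, min_dh_bits)
    return report


if __name__ == "__main__":
    for label, findings in audit(SAMPLE_OUTPUT).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{label}: {status}")
```

Run against the pasted output, the priority-20 suite passes while the default suite is reported for both single DES and the 768-bit group, which matches what the scan returned; the presence of a "default" entry at all is the real finding here, since it is the suite the operator never configured.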

Accepted Solution

Craig Lorentzen
Cisco Employee

Hello Anthony,

I reviewed the link you provided.  It appears that this command was introduced in 12.4(20)T...note the T.  This indicates it is only in the T-train or technology train and will only be seen in other 12.4T code or the newer 15.x train.

You say that your router is running 12.4(23), implicitly Mainline (M) code.

The latest T code for 2600 appears to be 12.4(15)T, so it does not appear that you can enable this feature so as to disable the default policies.  It also looks like the 2600 series has been retired as of March 27th 2010; no new code is being released.

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_eol_notices_list.html

Looks like you may be out of luck and may need to look into purchasing a newer model router to get the latest software support and the ability to disable the default isakmp suite.

Of course, it should be noted that while they may establish an ISAKMP session, are they really going to be authenticated by the router in MM message 5, as most people use internal CAs for certificates on VPNs?

I hope this helps.

Regards,

Craig
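As an added example for this answer (not Cisco's code and not Craig's), here is a small Python helper that encodes the release-train rule described above: it parses an IOS version string such as `12.4(23)` or `12.4(20)T` and says whether `no crypto isakmp default policy` can be expected. The availability rule is taken from the answer (introduced in 12.4(20)T, present on later 12.4T and on 15.x, absent from 12.4 mainline); that no other train carries the command is an assumption of this example.

```python
"""Decide whether `no crypto isakmp default policy` is expected on a release.

Added example for this thread, not Cisco code. Rule as stated in the answer:
the command arrived in 12.4(20)T and exists on later 12.4 T-train releases
and on 15.x; it is not in 12.4 mainline. Assumption: no other train has it.
"""
import re

# major.minor(rebuild)TRAIN with an optional rebuild suffix, e.g. 12.4(15)T7
VERSION = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)\d*$")


def parse_ios_version(s):
    """'12.4(20)T' -> (12, 4, 20, 'T'); '12.4(23)' -> (12, 4, 23, '')."""
    m = VERSION.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {s!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def supports_default_policy_disable(s):
    """True when the release is 15.x or a 12.4 T-train build at or after 12.4(20)T."""
    major, minor, rebuild, train = parse_ios_version(s)
    if major >= 15:
        return True
    if (major, minor) == (12, 4) and train == "T" and rebuild >= 20:
        return True
    return False


if __name__ == "__main__":
    for v in ("12.4(23)", "12.4(20)T", "12.4(15)T7", "15.1(4)M"):
        print(v, "->", "command expected" if supports_default_policy_disable(v) else "not available")
```

The 2600 case from this thread comes out as expected: 12.4(23) mainline and the last available 12.4(15)T build both report the command as unavailable.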


2 Replies

I figured as much, with this router being so old, but was hoping that wasn't the case.  Thanks for your reply and answering my question!