cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
5016
Views
0
Helpful
2
Replies
anthony.charles
Beginner

Disable ISAKMP Default Policy?

Is there any way to disable or change the ISAKMP default policy?  I have created policy number 20 which is used in a site-to-site VPN but during a PCI quarterly scan the results come back failed to due to successful phase 1 authentication with DES/DH768 encryption.  I have reproduced those results using ike-scan with explicit DES/DH768 settings.

This is a 2600 Router, and I just upgraded the IOS to 12.4(23) because I came across Cisco documentation (http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html) that says 12.4(20) introduced the 'no crypto isakmp default policy' - but I don't see that command available to me still.  Below are results of sh crypto isakmp policy:

Protection suite of priority 20

        encryption algorithm:   Three key triple DES

        hash algorithm:         Secure Hash Standard

        authentication method:  Pre-Shared Key

        Diffie-Hellman group:   #2 (1024 bit)

        lifetime:               86400 seconds, no volume limit

Default protection suite

        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).

        hash algorithm:         Secure Hash Standard

        authentication method:  Rivest-Shamir-Adleman Signature

        Diffie-Hellman group:   #1 (768 bit)

        lifetime:               86400 seconds, no volume limit

Any help would be greatly appreciated!

1 ACCEPTED SOLUTION

Accepted Solutions
Craig Lorentzen
Cisco Employee

Hello Anthony,

I reviewed the link you provided.  It appears that this command was introduced in12.4(20)T...note the T.  This indicates it is only in the T-train or technology train and will only be seen in other 12.4T code or the newert 15.x train.

You say that your router is runnign 12.4(23) implicitly Mainline (M) code.

THe latest T code for 2600 appears to be a 12.4(15)T, so it does not appear that you can enable this feature so as to disable the default policies.  It also looks like the 2600 series has been retired as of March 27th 2010 no new code is being released.

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_eol_notices_list.html

Looks like you may be out of luck and may need to look into purchasing a newer model router to get the latest software support and the ability to disable the default isakmp suite.

Of course, it should be noted that while they may establish an ISKMP session, however, are they really going to be authenticated by the router in MM mesage 5 as most people use internal CAs for Certificates on VPNs.

I hope this helps.

Regards,

Craig

View solution in original post

2 REPLIES 2
Craig Lorentzen
Cisco Employee

Hello Anthony,

I reviewed the link you provided.  It appears that this command was introduced in12.4(20)T...note the T.  This indicates it is only in the T-train or technology train and will only be seen in other 12.4T code or the newert 15.x train.

You say that your router is runnign 12.4(23) implicitly Mainline (M) code.

THe latest T code for 2600 appears to be a 12.4(15)T, so it does not appear that you can enable this feature so as to disable the default policies.  It also looks like the 2600 series has been retired as of March 27th 2010 no new code is being released.

http://www.cisco.com/en/US/products/hw/routers/ps259/prod_eol_notices_list.html

Looks like you may be out of luck and may need to look into purchasing a newer model router to get the latest software support and the ability to disable the default isakmp suite.

Of course, it should be noted that while they may establish an ISKMP session, however, are they really going to be authenticated by the router in MM mesage 5 as most people use internal CAs for Certificates on VPNs.

I hope this helps.

Regards,

Craig

I figured as much, with this router being so old but was hoping that wasn't the case.  Thanks for your reply and answering my question!

Create
Recognize Your Peers
Content for Community-Ad