897 Views · 0 Helpful · 1 Replies

How does Crypto Map know which ISAKMP Policy to use?

ip access-list extended ACL_SITE1_TO_SITE2
 permit ip 10.0.12.0 0.0.0.255 10.0.22.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
crypto isakmp key cisco123 address 200.0.2.2
!
crypto ipsec transform-set [TRANS_SET]PHASE_2 esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2 11 ipsec-isakmp
 set peer 200.0.2.2
 set transform-set [TRANS_SET]PHASE_2
 match address ACL_SITE1_TO_SITE2
!
interface FastEthernet0/0
 ip address 200.0.1.1 255.255.255.0
 crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2

How does the Crypto Map know which ISAKMP Policy to use, or whether to use an ISAKMP Policy at all?

Is it from "ipsec-isakmp"?

I mean... I don't see any "set isakmp policy 10" in the Crypto Map

Does it just choose using a top-down approach?

Accepted Solution

thiland
Level 3

That's part of the phase 1 negotiation and is a top-down proposal based on sequence number. You can get details during tunnel setup using:

debug crypto isakmp

Cisco IOS has built-in/default ISAKMP policies, but the pre-15.x versions were terrible defaults. The new defaults are strong, although I still like to configure them myself.

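The selection thiland describes, modelled as an added example (this is not code from the thread or from Cisco): the `ipsec-isakmp` keyword on the crypto map only says that IKE, rather than manual keying, builds the IPsec SAs, so Phase 1 draws on the global list of `crypto isakmp policy` entries, offered lowest sequence number first. Site 1's two policies are taken from the question; the site 2 policies, the legacy peer and the 3600-second lifetime are constructed for the illustration. The model also makes visible a point the answer implies but does not spell out: when both peers' lists match in different orders, the responder's priority order decides which suite is used, so the same pair of routers can land on AES-128 or AES-256 depending on which side initiated. The lifetime rule (the offered lifetime must not exceed the responder's, and the shorter value is used) follows the matching behaviour IOS documents.

```python
"""Added example: a model of IKEv1/ISAKMP Phase 1 policy selection between
two Cisco IOS peers (not Cisco code; all peers other than site 1 are constructed)."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' block. Lower priority = offered/checked first."""
    priority: int
    encr: str              # "aes", "aes 256", "3des", ...
    hash_alg: str          # "sha256", "sha512", ...
    auth: str              # "pre-share" or "rsa-sig"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds; the IOS default when a policy sets none

    def same_suite(self, other: "IsakmpPolicy") -> bool:
        """Encryption, hash, authentication and DH group must all be equal."""
        return (self.encr, self.hash_alg, self.auth, self.group) == (
            other.encr, other.hash_alg, other.auth, other.group)


def negotiate_phase1(responder: Iterable[IsakmpPolicy],
                     initiator: Iterable[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Return the policy the peers agree on, or None if Phase 1 fails.

    The initiator offers every configured policy in one proposal, lowest
    sequence number first. The responder walks ITS OWN policies in priority
    order and accepts the first one whose suite matches an offered transform.
    Lifetimes need not be equal: the offered lifetime must not exceed the
    responder's, and the shorter value is used.
    """
    offered = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in offered:
            if local.same_suite(remote) and remote.lifetime <= local.lifetime:
                return IsakmpPolicy(local.priority, local.encr, local.hash_alg,
                                    local.auth, local.group,
                                    min(local.lifetime, remote.lifetime))
    return None  # no proposal matched: "debug crypto isakmp" would show the rejections


# Site 1: the two policies from the question.
SITE1 = [
    IsakmpPolicy(10, "aes", "sha256", "pre-share", 14),
    IsakmpPolicy(20, "aes 256", "sha512", "pre-share", 16),
]

# Site 2 (constructed): same two suites, but in the opposite order of preference,
# and a shorter lifetime on its second policy.
SITE2 = [
    IsakmpPolicy(10, "aes 256", "sha512", "pre-share", 16),
    IsakmpPolicy(20, "aes", "sha256", "pre-share", 14, lifetime=3600),
]

# A peer with nothing in common (constructed): Phase 1 cannot complete.
LEGACY_PEER = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2)]


def site2_responds() -> Optional[IsakmpPolicy]:
    """Site 1 initiates, site 2 responds: site 2's policy 10 is checked first, AES-256 wins."""
    return negotiate_phase1(responder=SITE2, initiator=SITE1)


def site1_responds() -> Optional[IsakmpPolicy]:
    """Site 2 initiates, site 1 responds: site 1's policy 10 wins (AES-128), lifetime drops to 3600 s."""
    return negotiate_phase1(responder=SITE1, initiator=SITE2)


def legacy_peer_responds() -> Optional[IsakmpPolicy]:
    """No common suite: the negotiation returns None."""
    return negotiate_phase1(responder=LEGACY_PEER, initiator=SITE1)


if __name__ == "__main__":
    for label, result in [("site 2 responding", site2_responds()),
                          ("site 1 responding", site1_responds()),
                          ("legacy peer responding", legacy_peer_responds())]:
        print(f"{label}: {result}")
```

Because the outcome depends on who responds, a site that must always use the stronger suite should put it at the lowest sequence number on both routers, not just on one; the debug output during tunnel setup will show which of the offered transforms the responder accepted.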
