04-17-2015 11:15 PM
ip access-list extended ACL_SITE1_TO_SITE2
 permit ip 10.0.12.0 0.0.0.255 10.0.22.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
crypto isakmp key cisco123 address 200.0.2.2
!
crypto ipsec transform-set [TRANS_SET]PHASE_2 esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2 11 ipsec-isakmp
 set peer 200.0.2.2
 set transform-set [TRANS_SET]PHASE_2
 match address ACL_SITE1_TO_SITE2
!
interface FastEthernet0/0
 ip address 200.0.1.1 255.255.255.0
 crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2
How does the Crypto Map know which ISAKMP Policy to use, or whether to use an ISAKMP Policy at all?
Is it from "ipsec-isakmp"?
I mean... I don't see any "set isakmp policy 10" in the Crypto Map.
Does it just choose in a top-down approach?
04-20-2015 09:05 AM
That's part of the phase 1 negotiation and is a top-down proposal based on sequence number. You can get details during tunnel setup using:
debug crypto isakmp
Cisco IOS has built-in/default ISAKMP policies, but the pre-15.x versions were terrible defaults. The new defaults are strong, although I still like to configure them myself.
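To make the "top-down by sequence number" answer concrete, here is an added example (not code from the thread or from Cisco) that parses `crypto isakmp policy` blocks out of IOS-style config text and simulates the Phase 1 selection as Cisco documents it: the initiator offers every policy it has, lowest sequence number first, and the responder walks its own policies in sequence order and accepts the first one that agrees on encryption, hash, authentication and DH group with any offered proposal and whose lifetime is no longer than the offered one. Assumptions are flagged in the code: the defaults applied when a policy omits a line, the "weak parameter" cut-offs, and the SITE2 and LEGACY peer configurations, which are constructed (SITE1 mirrors the policies in the question).

```python
"""IKEv1 Phase 1 policy selection, simulated from IOS-style config text.
Added example, not from the original thread. Rule as Cisco documents it:
initiator offers all its policies (lowest seq first); responder walks its
own policies in seq order and takes the first that matches any offer on
encr/hash/auth/group with responder lifetime <= offered lifetime.
Assumed: omitted-line defaults, the WEAK cut-offs, and the SITE2/LEGACY configs.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class IsakmpPolicy:
    seq: int
    encr: str = "des"        # assumed defaults when a policy omits the line
    hash: str = "sha"
    auth: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400


POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")


def parse_policies(config: str) -> list[IsakmpPolicy]:
    """Return every `crypto isakmp policy N` block, sorted by sequence number."""
    policies, current = [], None
    for line in (ln.strip() for ln in config.splitlines()):
        m = POLICY_RE.match(line)
        if m:
            current = IsakmpPolicy(seq=int(m.group(1)))
            policies.append(current)
        elif line and current is not None:
            key, _, rest = line.partition(" ")
            if key in ("encr", "encryption"):
                current.encr = "aes 128" if rest == "aes" else rest  # bare 'aes' is AES-128
            elif key in ("hash", "authentication"):
                setattr(current, "auth" if key == "authentication" else key, rest)
            elif key in ("group", "lifetime"):
                setattr(current, key, int(rest))
            else:
                current = None   # "!" or another top-level command ends the block
    return sorted(policies, key=lambda p: p.seq)


def matches(responder: IsakmpPolicy, offered: IsakmpPolicy) -> bool:
    """Cisco's rule: same encr/hash/auth/group, responder lifetime <= offered."""
    same_algs = (responder.encr, responder.hash, responder.auth, responder.group) == (
        offered.encr, offered.hash, offered.auth, offered.group)
    return same_algs and responder.lifetime <= offered.lifetime


def negotiate(initiator: list[IsakmpPolicy], responder: list[IsakmpPolicy]):
    """(responder_seq, initiator_seq) of the accepted pair, or None if no ISAKMP SA
    can form. The responder's ordering decides: the initiator sends everything."""
    offered = sorted(initiator, key=lambda p: p.seq)
    for r in sorted(responder, key=lambda p: p.seq):
        for o in offered:
            if matches(r, o):
                return (r.seq, o.seq)
    return None


WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {1, 2, 5}}  # assumed cut-offs


def weak_parameters(p: IsakmpPolicy) -> list[str]:
    """Flag legacy parameters (assumed thresholds: below AES, SHA-2, DH group 14)."""
    values = {"encr": p.encr.split()[0], "hash": p.hash, "group": p.group}
    return [f"{k} {getattr(p, k)}" for k, v in values.items() if v in WEAK[k]]


SITE1 = """\
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
crypto isakmp key cisco123 address 200.0.2.2"""
SITE2 = """\
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
crypto isakmp policy 15
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800"""
LEGACY = """\
crypto isakmp policy 10
 hash md5
 group 2"""

if __name__ == "__main__":
    s1, s2, old = parse_policies(SITE1), parse_policies(SITE2), parse_policies(LEGACY)
    print("SITE1 -> SITE2 agrees on", negotiate(s1, s2))
    print("SITE2 -> SITE1 agrees on", negotiate(s2, s1))
    print("SITE1 -> LEGACY agrees on", negotiate(s1, old), weak_parameters(old[0]))
```

Two things the simulation shows that the config alone does not: SITE1's lowest-numbered policy (AES-128) is not what gets used when SITE2 lists AES-256 first, because the responder picks from its own list, and a shorter lifetime on the responder side changes which pair matches. On the real router, `show crypto isakmp policy` lists the effective policies, including the built-in defaults, in the order they are tried.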