How does Crypto Map know which ISAKMP Policy to use?

ip access-list extended ACL_SITE1_TO_SITE2
 permit ip 10.0.12.0 0.0.0.255 10.0.22.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 hash sha512
 authentication pre-share
 group 16
crypto isakmp key cisco123 address 200.0.2.2
!
crypto ipsec transform-set [TRANS_SET]PHASE_2 esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2 11 ipsec-isakmp
 set peer 200.0.2.2
 set transform-set [TRANS_SET]PHASE_2
 match address ACL_SITE1_TO_SITE2
!
interface FastEthernet0/0
 ip address 200.0.1.1 255.255.255.0
 crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2

 

How does Crypto Map know which ISAKMP Policy to use, or to use the ISAKMP Policy at all?

Is it from "ipsec-isakmp"?

I mean... I don't see any "set isakmp policy 10" in the Crypto Map

Does it just choose using a top-down approach?

Accepted Solutions

thiland
Participant

That's part of the phase 1 negotiation and is a top-down proposal based on sequence number. You can get details during tunnel setup using:

debug crypto isakmp

Cisco IOS has built-in/default ISAKMP policies, but the pre-15.x versions were terrible defaults. The new defaults are strong, although I still like to configure them myself.
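
A simplified model of the phase 1 policy match described in the accepted answer, as an added example that is not part of the original thread and not Cisco's code: the initiator offers every `crypto isakmp policy` it has, and the responder walks its own policies in sequence-number order and accepts the first one whose encryption, hash, authentication and DH group all match an offered policy. The Site 1 list is transcribed from the question; the Site 2 lists and all function names are constructed, and lifetime comparison is left out.

```python
from typing import NamedTuple, Optional, Tuple, List


class IsakmpPolicy(NamedTuple):
    seq: int        # "crypto isakmp policy <seq>"; lower number = higher priority
    encr: str
    hash_alg: str
    auth: str
    group: int

    def attrs(self) -> tuple:
        # The sequence number is local only; just these four values must agree.
        return (self.encr, self.hash_alg, self.auth, self.group)


# Site 1: the two policies from the question ("encr aes" means AES-128).
SITE1 = [
    IsakmpPolicy(10, "aes-128", "sha256", "pre-share", 14),
    IsakmpPolicy(20, "aes-256", "sha512", "pre-share", 16),
]
# Constructed peer configurations (assumptions, not from the thread).
SITE2_BOTH = [
    IsakmpPolicy(5, "aes-256", "sha512", "pre-share", 16),
    IsakmpPolicy(15, "aes-128", "sha256", "pre-share", 14),
]
SITE2_NONE = [IsakmpPolicy(10, "3des", "sha", "pre-share", 2)]


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[int, int]]:
    """Return (initiator_seq, responder_seq) of the agreed policy, or None."""
    offered = sorted(initiator, key=lambda p: p.seq)    # all policies are offered
    for mine in sorted(responder, key=lambda p: p.seq):  # responder: top down
        for theirs in offered:
            if mine.attrs() == theirs.attrs():
                return (theirs.seq, mine.seq)
    return None  # no common policy: phase 1 fails, the crypto map never gets used


if __name__ == "__main__":
    print("Site1 initiates:", negotiate(SITE1, SITE2_BOTH))
    print("Site2 initiates:", negotiate(SITE2_BOTH, SITE1))
    print("No common policy:", negotiate(SITE1, SITE2_NONE))
```

Nothing in the model refers to the crypto map: the policies are global to the router, and when both peers share more than one policy, the suite that gets used depends on which side responds.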
