ip access-list extended ACL_SITE1_TO_SITE2
 permit ip 10.0.12.0 0.0.0.255 10.0.22.0 0.0.0.255
crypto isakmp policy 10
crypto isakmp policy 20
 encr aes 256
crypto isakmp key cisco123 address 126.96.36.199
crypto ipsec transform-set [TRANS_SET]PHASE_2 esp-aes esp-sha256-hmac
crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2 11 ipsec-isakmp
 set peer 188.8.131.52
 set transform-set [TRANS_SET]PHASE_2
 match address ACL_SITE1_TO_SITE2
ip address 184.108.40.206 255.255.255.0
crypto map [CRYPT_MAP]VPN_SITE1_TO_SITE2
How does the Crypto Map know which ISAKMP Policy to use, or whether to use an ISAKMP Policy at all?
Is it from "ipsec-isakmp"?
I mean... I don't see any "set isakmp policy 10" in the Crypto Map.
Does it just choose using a top-down approach?
That's part of the phase 1 negotiation and is a top-down proposal based on sequence number. You can get details during tunnel setup using:
debug crypto isakmp
Cisco IOS has built-in/default ISAKMP policies, but the pre-15.x versions had terrible defaults. The new defaults are strong, although I still like to configure them myself.
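The top-down selection described in the answer, as an added example that is not part of the original thread or Cisco's code: it parses the ISAKMP policy blocks from the question's configuration, reports which parameters each policy leaves to the platform default, and walks a phase 1 match against a peer. The peer configuration (`SITE2`), the `platform-default` placeholder, the assumption that both peers share the same defaults, and the matching order inside `negotiate` are assumptions.

```python
import re

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
FIELDS = ("encryption", "hash", "authentication", "group")
ALIASES = {"encr": "encryption", **{f: f for f in FIELDS}}
DEFAULT = "platform-default"  # placeholder; default values are not listed on the page

# ISAKMP lines from the configuration in the question.
SITE1 = """crypto isakmp policy 10
crypto isakmp policy 20
encr aes 256
crypto isakmp key cisco123 address 126.96.36.199
"""
# Constructed peer configuration (assumption, not from the thread).
SITE2 = """crypto isakmp policy 5
encr aes 256
"""

def parse_policies(config):
    """Return {priority: {field: value}}; indentation is not required."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = POLICY_RE.match(line)
        if header:
            current = policies.setdefault(int(header.group(1)), dict.fromkeys(FIELDS, DEFAULT))
            continue
        keyword, _, value = line.partition(" ")
        if current is not None and keyword in ALIASES:
            current[ALIASES[keyword]] = value
        elif keyword != "lifetime":  # lifetime is not compared in this sketch
            current = None  # any other command closes the policy block
    return policies

def unset_fields(policies):
    """Per priority, the fields left to the platform default."""
    return {p: [f for f in FIELDS if policies[p][f] == DEFAULT] for p in sorted(policies)}

def negotiate(initiator, responder):
    """First match as (initiator_priority, responder_priority), else None."""
    # Assumed order: responder walks its own policies from the lowest number and
    # compares each against the received proposals, also lowest number first.
    for r_prio in sorted(responder):
        for i_prio in sorted(initiator):
            if initiator[i_prio] == responder[r_prio]:
                return i_prio, r_prio
    return None

if __name__ == "__main__":
    print(unset_fields(parse_policies(SITE1)))
    print(negotiate(parse_policies(SITE1), parse_policies(SITE2)))
```

Policy 10 is proposed first even though it sets nothing explicitly, so every one of its parameters comes from whatever the software version defaults to; the crypto map never references a policy number because the policies are global.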