Mahdi Ebrahim
Beginner

How to disable ISAKMP default policy on Cisco 2800 router

I have an audit point asking me to disable or remove the default ISAKMP policy on my router. I tried to do that, but I received an error that the command is not supported, as shown below:

[image: 33.png]

If this is not possible on my router, which has the IOS version shown below:

[image: 34.jpg]

So, is it possible to upgrade my router's IOS to the latest version, which is "c2800nm-advsecurityk9-mz.151-4.M6", to resolve this issue?

If this also will not solve my problem, could I have a formal document from Cisco stating that "disabling the ISAKMP default policy" is not supported on my router?

I would really appreciate your reply guys.

Thanks in advance,


4 REPLIES
Santhosha Shetty
Cisco Employee

Hi Ebrahim,

The command "no crypto isakmp default policy" was introduced in 12.4(20)T. Look for the "crypto isakmp default policy" section in the following doc.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1051491.

151-4.M6 does have this command:

router(config)#sh ver

Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.1(4)M6, DEVELOPMENT TEST SOFTWARE

router(config)#no crypto isakmp default policy ?


Thanks,

Santhosh

Thanks Santhosha Shetty for your reply. So could I upgrade my router to this IOS, "c2800nm-advsecurityk9-mz.151-4.M6"? And if so, would that remove/disable the default protection suite, i.e. when I issue the command "show crypto isakmp policy", I won't see the default shown in the image below (which has 56-bit encryption):

Please advise.

Hi Ebrahim,

The version 15.1(4)M6 does support the command "no crypto isakmp default policy".

Before executing "no crypto isakmp default policy":

router#sh cry isakmp default policy

Default IKE policy
Default protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
... skipped output

After:

router(config)#no cry isakmp default policy
router#sh cry isakmp default policy
router#sh cry isa policy

Global IKE policy
*****

If you upgrade, you should be able to remove the default isakmp policy.

Thanks

Santhosh

benjaxmin86
Beginner

Another solution would be to create a custom policy. Once created, it will automatically remove the default ones.

Hope the above helps!
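As an added example (not from the thread, not Cisco code), a small Python checker for the audit point discussed above: it parses "show crypto isakmp policy" output, reports any built-in default suite still present (the state before "no crypto isakmp default policy" or before a custom policy is configured) and flags weak crypto such as the 56-bit DES default Ebrahim mentions. The field layout follows what Santhosh pasted; the unnumbered "Default protection suite" header for older IOS is an assumption, and the sample output is constructed.

```python
import re

# Constructed sample of "show crypto isakmp policy" output (not from a real
# device), modelled on the thread's format: one admin-defined suite plus the
# built-in 56-bit DES default suite the audit point wants removed.
SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Suite header with or without "of priority N" (assumed older IOS omits it); fields are indented "name:   value".
SUITE_RE = re.compile(r"^(Default )?protection suite(?: of priority (\d+))?$", re.I)
FIELD_RE = re.compile(r"^\s+([\w\- ]+?):\s+(.*)$")

def parse_policies(text):
    suites = []  # one dict per protection suite: default flag, priority, fields
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            suites.append({"default": bool(m.group(1)),
                           "priority": int(m.group(2)) if m.group(2) else None})
        elif suites and (f := FIELD_RE.match(line)):
            suites[-1][f.group(1).lower()] = f.group(2).rstrip(".")
    return suites

def audit_policies(text):
    findings = []  # default suites (the audit point) plus weak crypto in any suite
    for s in parse_policies(text):
        tag = f"priority {s['priority']}" if s["priority"] else "unnumbered default"
        enc, hsh = s.get("encryption algorithm", ""), s.get("hash algorithm", "")
        dh = re.search(r"#(\d+)", s.get("diffie-hellman group", ""))
        if s["default"]:
            findings.append(f"{tag}: built-in default suite still present")
        if re.search(r"\bDES\b", enc):        # matches DES and triple DES, not AES
            findings.append(f"{tag}: weak encryption ({enc})")
        if "Message Digest 5" in hsh:
            findings.append(f"{tag}: weak hash (MD5)")
        if dh and int(dh.group(1)) < 14:      # groups below 14 are under 2048 bit
            findings.append(f"{tag}: weak DH group #{dh.group(1)}")
    return findings
```

Feeding it the output captured after "no crypto isakmp default policy" (or after a custom policy replaced the defaults) should return an empty list, which is the evidence the audit point asks for.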
