How to remove the default isakmp policy on a Cisco router (3845)

west33637
Level 1

Hello all. My company recently failed a PCI scan because our router was returning 56-bit DES encryption for isakmp negotiation on an existing default isakmp policy. How do I remove this default isakmp policy? I am not running 12.4(15)T1, so the no crypto isakmp policy default does not work. Is there any way other than upgrading the IOS? Any suggestions?

Is there any way to configure a maximum number of isakmp policies that an authenticating router will check? I have 2 configured higher priority ISAKMP policies. Maybe if there is a command to limit the number of isakmp policies the router checks, that would eliminate this default policy being matched?

Thanks.

Accepted Solutions

Jennifer Halim
Cisco Employee

Turning off the default isakmp policy is only supported from IOS version 12.4(20)T onwards. Earlier versions do not support turning off the default isakmp policy.

Here is the command for your reference on when it was first released:

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1051491
