IPsec strangeness

andnagy122
Level 1

Hello guys,

I just configured an IPsec Site-to-Site VPN on the following topology in GNS3:

All configs are OK on both routers and test pings show that the VPN tunnel is working correctly.

My question would be, why do the routers use the self-configured Phase1 policies (with priority of 2 on both routers) instead of using the default one (with priority of 1)?

If I'm right, lower priority values have higher priority here.

R1#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               600 seconds, no volume limit

Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

As I mentioned, user traffic is using the appropriate Phase2 tunnels in both directions:

R1#show crypto engine connections active

ID    Interface   IP-Address   State   Algorithm     Encrypt   Decrypt
2001  Serial0/0   23.0.0.1     set     AES256+SHA          0        48
2002  Serial0/0   23.0.0.1     set     AES256+SHA         49         0

Do you have any idea?

Thanks in advance!


3 Replies

The default policy doesn't have a priority of one. In fact the default policy always has the lowest priority. If it had a priority of one, you would never match your own policy.

Hi Karsten,

Thanks for your answer.

If the default policy always has the lowest priority as you stated, my question is the same:

why isn't it used instead of the configured one with priority of 2 in this case?

The policy with the highest priority is the one with the lowest policy number. All your configured policies have a higher priority (and lower number) than the default policy.
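To make the selection rule from the replies concrete, here is an added example (not code from the thread or from Cisco) that parses the `show crypto isakmp policy` output posted above and simulates how an IOS IKEv1 responder walks its policies: lowest policy number first, the built-in default suite last, first match wins. It also flags the settings a reviewer would want to see replaced. Assumptions are labelled in the code: the sample text is the poster's output with its original indentation restored, the sentinel priority 65535 is a constructed value standing in for "evaluated after every configured policy", and the match rule (encryption, hash, authentication and DH group must be identical; lifetimes may differ) follows Cisco's published IKEv1 behaviour.

```python
"""Added example: parse IOS `show crypto isakmp policy` output, simulate IKEv1
policy selection, and flag weak protection suites. Not code from the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: R1's output as posted in the thread, indentation restored.
R1_SHOW_POLICY = """Global IKE policy
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               600 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# Constructed sentinel (assumption): IOS tries the default suite only after every
# configured policy, so give it a number larger than any configurable priority.
DEFAULT_PRIORITY = 65535


@dataclass
class IkePolicy:
    priority: int
    encryption: str   # e.g. "AES-128", "DES-56"
    hash_alg: str
    auth: str
    dh_group: int
    lifetime: int     # seconds

    @property
    def is_default(self) -> bool:
        return self.priority == DEFAULT_PRIORITY


def parse_isakmp_policies(text: str) -> List[IkePolicy]:
    """Parse the show output into policies sorted by priority (lowest number first)."""
    raw: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m:
            current = {"priority": int(m.group(1))}
            raw.append(current)
            continue
        if line.startswith("Default protection suite"):
            current = {"priority": DEFAULT_PRIORITY}
            raw.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "encryption algorithm":
            em = re.match(r"(\S+) - .*?\((\d+) bit keys\)", value)
            current["encryption"] = f"{em.group(1)}-{em.group(2)}" if em else value
        elif key == "hash algorithm":
            current["hash_alg"] = value
        elif key == "authentication method":
            current["auth"] = value
        elif key == "diffie-hellman group":
            current["dh_group"] = int(re.search(r"#(\d+)", value).group(1))
        elif key == "lifetime":
            current["lifetime"] = int(re.search(r"(\d+) seconds", value).group(1))
    return sorted((IkePolicy(**p) for p in raw), key=lambda p: p.priority)


def proposals_match(a: IkePolicy, b: IkePolicy) -> bool:
    """IKEv1 match rule (assumption from Cisco docs): encryption, hash, authentication
    and DH group must be identical; lifetimes may differ (the shorter one is used)."""
    return (a.encryption, a.hash_alg, a.auth, a.dh_group) == \
           (b.encryption, b.hash_alg, b.auth, b.dh_group)


def select_policy(responder: List[IkePolicy], initiator: List[IkePolicy]) -> Optional[IkePolicy]:
    """The responder walks its own policies from lowest number to the default suite and
    returns the first that any initiator proposal matches; the default is reached only
    when nothing configured matches."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in initiator:
            if proposals_match(local, remote):
                return local
    return None


def weak_settings(p: IkePolicy) -> List[str]:
    """Hardening review: settings no longer considered adequate for a site-to-site VPN."""
    findings = []
    if p.encryption.startswith(("DES", "3DES")):
        findings.append(f"{p.encryption} encryption")
    if p.dh_group < 14:
        findings.append(f"DH group {p.dh_group} (below 2048-bit)")
    if p.hash_alg == "Secure Hash Standard":   # IOS label for SHA-1
        findings.append("SHA-1 hash")
    return findings


if __name__ == "__main__":
    policies = parse_isakmp_policies(R1_SHOW_POLICY)
    # Constructed assumption: R2 is configured identically, as the thread states.
    chosen = select_policy(policies, policies)
    print("selected:", "default suite" if chosen.is_default else f"priority {chosen.priority}")
    for p in policies:
        label = "default" if p.is_default else f"priority {p.priority}"
        print(f"{label}: {', '.join(weak_settings(p)) or 'no weak settings flagged'}")
```

Run against the posted output, the simulation picks priority 2 exactly as the poster observed, and the default suite is chosen only when the peer offers nothing else. The review pass also flags the configured policy's DH group 2 and SHA-1, not just the DES default, which is the practical follow-up to this thread.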