ISAKMP Policy Question

m.lesnick
Level 1

show isakmp policy gives me my output as follows.

Protection suite of priority 20
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

How do I disable the default protection suite and only allow 3DES?

Suggestions please.

2 Replies

gfullage
Cisco Employee

You don't; the default one is always there if ISAKMP is enabled on the router. There is no point enabling ISAKMP and not having any sort of policy defined.

The default policy is set to use certificates though, and since you're using pre-shared keys it will never be matched. You would always define whatever policy you want to use (3DES over DES) and it will then always be matched, assuming you have defined it correctly on both sides. The default is a fallback in case none of them match, but unless the other side also requests certificates and DES it will never be used either, and ISAKMP will simply fail.

Thanks for the post.

We are going through a QualysGuard scan and it comes back stating we are using Weak IPSEC Encryption Settings and to disable (56-bit) DES. I do have a policy defined to use only 3DES, but the default is still DES.

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map DMZ_Out 20 ipsec-isakmp
crypto map DMZ_Out 20 match address DMZ_Out
crypto map DMZ_Out 20 set peer x.x.x.x
crypto map DMZ_Out 20 set transform-set ESP-3DES-SHA
crypto map DMZ_Out interface outside
isakmp enable inside
isakmp key ******** address x.x.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Is there a way of disabling the DES feature, only allowing 3DES, and disabling the fallback feature?
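As an added illustration of the two points in this thread (the scanner flagging weak settings, and the reply's explanation that a pre-shared-key peer can never match the RSA-signature default suite), here is a small Python script that parses the "show isakmp policy" output quoted above, reports weak attributes per suite, and models which local suite a peer proposal would match. This is example code written for this page, not Cisco's or the poster's; the thresholds (single DES, MD5, DH modulus under 2048 bits) and the simplified matching rule (exact match on encryption, hash, authentication and group, ignoring lifetime) are assumptions of the example.

```python
import re

# "show isakmp policy" output as quoted in the original post, embedded here as sample input.
SHOW_ISAKMP_POLICY = """\
Protection suite of priority 20
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

def parse_policies(text):
    """Map each suite header line to a dict of its lower-cased attribute names and values."""
    suites, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Protection suite of priority") or line == "Default protection suite":
            current = suites[line] = {}
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return suites

def weak_settings(suite):
    """Findings for one suite; thresholds are this example's assumptions, not Qualys' rules."""
    findings = []
    if suite.get("encryption algorithm", "").startswith("DES"):
        findings.append("single DES encryption")
    if "MD5" in suite.get("hash algorithm", ""):
        findings.append("MD5 hash")
    m = re.search(r"\((\d+) bit\)", suite.get("diffie-hellman group", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(f"Diffie-Hellman modulus of only {m.group(1)} bits")
    return findings

def audit(text):
    return {name: weak_settings(s) for name, s in parse_policies(text).items()}

def matching_suites(text, proposal):
    """Local suites a peer proposal would match (simplified: exact match on four attributes)."""
    keys = ("encryption algorithm", "hash algorithm", "authentication method", "diffie-hellman group")
    return [name for name, s in parse_policies(text).items()
            if all(s.get(k) == proposal.get(k) for k in keys)]
```

Running `audit(SHOW_ISAKMP_POLICY)` reproduces the scanner's complaint (DES in the default suite) and also flags the 768-bit group used by both suites; `matching_suites` with a pre-shared-key/3DES proposal returns only suite 20, as the reply describes.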