Hot Downloads



The forum is in read only mode.
Welcome, Guest
Username: Password: Remember me
  • Page:
  • 1

TOPIC: IPsec ISAKMP Policy and Crypto map config

IPsec ISAKMP Policy and Crypto map config 7 years 11 months ago #36729

  • skylimit
  • skylimit's Avatar Topic Author
  • Offline
  • Distinguished Member
  • Distinguished Member
  • Posts: 158
  • Thank you received: 1
Hi Guys,

I'm hoping someone could clarify this for me

I believe it is possible to have different crypto isakmp policies for different connections based on needs, different security parameters supported different devices, etc.

My question is how is a specific policy applied to a specifi peer? Sample config below should make my question a bit clearer I hope.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp policy 2
encr aes 256
authentication pre-share
lifetime 28800

The first policy clearly uses a different security parameter from the second one, thus if I needed to set up an IPsec connection using the first policy, how would apply/refer to it in the crypto map if this makes sense. Would it be something like:

crypto map TestMap 1 ipsec-isakmp --
set peer
set transform-set setname
match address 101

Does this use the first policy 1 above?

crypto map TestMap 2 ipsec-isakmp --
set peer
set transform-set setname
match address 101
Does this use the first policy 2 above?

Also, how can you check what one is being used? Which show crypto commands?
Any contributions will be much appreciated.

" are never too old to learn" anon

Re: IPsec ISAKMP Policy and Crypto map config 7 years 11 months ago #36753

  • rizin
  • rizin's Avatar
  • Offline
  • Distinguished Member
  • Distinguished Member
  • Posts: 203
  • Thank you received: 0

There is something called Phase 1 and Phase 2 in VPN Connections. I will write some few mothods which normally followed however it may or may not varies with other individual devices.

Phase 1.

1. Specify Local VPN Gateway and Remote VPN Gateway.

2. Main mode or Aggresive mode
A) Main mode peers exchange identies with encryption.
B) Aggresive mode exchange identities without encryption but faster.

3. Specify Nat-Traversal.
A) Specify Need peers to use IKE Keep-alive - ensures if VPN Gateways's interface not responding it will failover to the second interface. This is true when ISP goes down and your secondary interface is backed up.

4. Transform set.
A)here choose encryption, authentication and how long security association(SA) last.
b)for authentication use Sha1 OR MD5. Sha 1 is the strongest authentication.
c) Specify Diffie-hellman key group.

Phase 2.

Using Quick mode establish IPSec SA.
1. specify IP Address, Network Address or IP Address range. which access to your internal network. either from home or office to access resources behind the VPN Gateway.

2. Choose to use PFS (Perfect forward secrecy)
3. Select ESP or AH and plus you use Diffie-hellman key group also here.
4. Specify a value when the key expire.

For your encrytion you can select DES, 3DES or AES 128, 192, 256 bit key strength. AES is the strongest protocol.


Known is a drop, unknown is an Ocean
  • Page:
  • 1
Time to create page: 0.099 seconds


Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V


  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup