crypto isakmp policies....illogical or what??

Discussion in 'Cisco' started by Rafael, May 28, 2004.

  1. Rafael

    Rafael Guest

    I am hoping that someone will be able to explain the following because
    to me it is completely illogical:

    I have 1 Cisco 1710 router running IOS version 12.2 and 3 Cisco 831
    routers also running IOS version 12.2.

    There are site-to-site VPNs (IKE/IPSec) configured between each 831
    and the 1710. 2 of the 831 routers also have remote access VPNs
    configured so these have 2 crypto isakmp policies configured on each -
    policy 1 (for remote access with 3des, md5, auth pre-share, group 2)
    and policy 2 (for site-to-site with 3des, md5, auth rsa-sig, group 1,
    lifetime 10800). The 1710 has only one policy configured for the
    site-to-site VPNs (crypto isakmp policy 1 with 3des, md5, auth
    rsa-sig, group 1, lifetime 10800).

    My understanding is that the router which initiates the tunnel sends
    out its own policy to the peer and works its way through the policies
    on the remote peer in order of priority until it finds a match.

    On the third router (which has site-to-site VPN configured only), I
    configured crypto isakmp policy 1 to match crypto isakmp policy 1 on
    the 1710. I could not get this to work. Since the only difference
    between all three 831 router configs was the site-to-site VPN policy
    number, I changed the policy number to 2 on the third router (not
    really thinking it should make any difference!). The tunnel then came
    up.

    If there is only 1 policy on each router and they match, why on earth
    should the priority number make any difference???

    Please explain! Am I missing something obvious?
    Rafael, May 28, 2004