crypto isakmp policies....illogical or what??

Discussion in 'Cisco' started by Rafael, May 28, 2004.


    I am hoping that someone will be able to explain the following because
    to me it is completely illogical:

    I have 1 Cisco 1710 router running IOS version 12.2 and 3 Cisco 831
    routers also running IOS version 12.2.

    There are site-to-site VPNs (IKE/IPSec) configured between each 831
    and the 1710. 2 of the 831 routers also have remote access VPNs
    configured so these have 2 crypto isakmp policies configured on each -
    policy 1 (for remote access with 3des, md5, auth pre-share, group 2)
    and policy 2 (for site-to-site with 3des, md5, auth rsa-sig, group 1,
    lifetime 10800). The 1710 has only one policy configured for the
    site-to-site VPNs (crypto isakmp policy 1 with 3des, md5, auth
    rsa-sig, group 1, lifetime 10800).

    My understanding is that the router which initiates the tunnel sends
    out its own policy to the peer and works its way through the policies
    on the remote peer in order of priority until it finds a match.

    On the third router (which has site-to-site VPN configured only), I
    configured crypto isakmp policy 1 to match crypto isakmp policy 1 on
    the 1710. I could not get this to work. Since the only difference
    between all three 831 router configs was the site-to-site VPN policy
    number, I changed the policy number to 2 on the third router (not
    really thinking it should make any difference!). The tunnel then came

    If there is only 1 policy on each router and they match, why on earth
    should the priority number make any difference???

    Please explain! Am I missing something obvious?
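To make the negotiation described in the post concrete, here is an added Python model of how a responder walks its ISAKMP policies; it is not IOS code and not part of the original post. The priority number only orders the search and is never itself compared, so in this model the third router's policy matches the 1710 whether it is numbered 1 or 2; the lifetime handling (not a match attribute, shorter value used) is an assumption of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of IKEv1 (ISAKMP) phase 1 policy negotiation written for
# this thread; it is not IOS code. Priority numbers follow IOS: lower = tried first.
@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str
    hash: str
    authentication: str
    group: int
    lifetime: int = 86400  # IOS default lifetime in seconds

def attributes_match(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    # The priority number is deliberately NOT compared: it only orders the search.
    return (a.encryption, a.hash, a.authentication, a.group) == \
           (b.encryption, b.hash, b.authentication, b.group)

def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """The initiator offers all its policies; the responder walks its own list
    highest priority first and returns the first match as (offered, local, lifetime).
    Assumption: lifetime is not a match attribute and the shorter value is used."""
    offered = sorted(initiator, key=lambda p: p.priority)
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in offered:
            if attributes_match(local, remote):
                return remote, local, min(local.lifetime, remote.lifetime)
    return None

# Policies constructed from the post.
R1710 = [IsakmpPolicy(1, "3des", "md5", "rsa-sig", 1, 10800)]
R831_REMOTE_ACCESS = [IsakmpPolicy(1, "3des", "md5", "pre-share", 2),
                      IsakmpPolicy(2, "3des", "md5", "rsa-sig", 1, 10800)]
R831_THIRD_POLICY1 = [IsakmpPolicy(1, "3des", "md5", "rsa-sig", 1, 10800)]
R831_THIRD_POLICY2 = [IsakmpPolicy(2, "3des", "md5", "rsa-sig", 1, 10800)]

def matched_priorities(initiator, responder):
    """Return (initiator priority, responder priority, lifetime) of the agreed policy, or None."""
    result = negotiate(initiator, responder)
    if result is None:
        return None
    remote, local, lifetime = result
    return remote.priority, local.priority, lifetime

if __name__ == "__main__":
    for name, site in (("831 with remote access", R831_REMOTE_ACCESS),
                       ("third 831, policy 1", R831_THIRD_POLICY1),
                       ("third 831, policy 2", R831_THIRD_POLICY2)):
        print(f"{name} -> 1710: {matched_priorities(site, R1710)}")
```

Because the priority number is not a match attribute, the model reproduces the expectation stated in the post rather than the failure observed; whatever broke with policy 1 lies outside this simple matching rule.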
