What is a crypto isakmp policy and why should I need more than one?

Posted on 2011-10-16
Last Modified: 2012-05-12
Hi !

I have 4 "crypto isakmp policy" in my configuration but only one transform-set (crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac)

why should I need more than one policy?

Also, what is the meaning of "group 2" in a policy?

I use site-to-site VPN and the Cisco VPN client (I guess it's IPsec) in a hub-and-spoke infrastructure.

Thank you!

Question by:Rubicon2009

    Author Comment

    Also, what is the difference between "encr 3des" and "hash md5"?
    Both are in different policies.
    LVL 67

    Accepted Solution

    ISAKMP is the protocol used to exchange keys and other encryption parameters for the IPSec VPN. It translates into "Phase 1 settings" on other devices.
    IPSEC corresponds to "Phase 2".
    So those are different proposals for the different phases of the negotiation and data exchange that happen with an IPsec tunnel.

    "Group 2" refers to Diffie-Hellman Group 2 (DH-2, 1024 bits), which is a protocol used for securing the exchange of encryption parameters ((re)negotiation of keys and initial vector and some other encryption related stuff) for both phases. It is optional, but recommended (at least in Phase 1), to make some kinds of interception by attackers impossible. Some more explanation can be found in the Wiki (

    A hash like MD5 (not recommended) or SHA-1 / SHA-256 is a content-generated value to authenticate the packet contents. It is like signing with a unique signature, making sure the packet is both unchanged and really originated from the communication partner. A hash is (usually) not reversible, that is, you cannot get back the content if you see the hashed byte stream only.

    Encryption is used to make the content secret (but not secure). Encrypted traffic should not be decodable without having the encryption key available - and with IPSec that key is exchanged in a complicated way, and changed every now and then (time or traffic based). The key is never exchanged in plain, by the way.
    A simple encryption algorithm would be to just shift each letter by one, or by an offset determined from a common phrase. IPSec keys are much, much more than that, of course.
    Common encryption algorithms used in IPSec VPN are 3DES and AES.
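    The "group 2" exchange described above, as an added example (not code from this answer or from Cisco): two peers run Diffie-Hellman over the 1024-bit MODP group that ISAKMP calls group 2 and end up with the same key although only the two public values ever cross the wire. The prime and generator are transcribed from RFC 2409 section 6.2 and re-checked with a Miller-Rabin test at runtime; the SHA-256 key derivation is a constructed stand-in for the real ISAKMP SKEYID PRF, and the `Peer` / `run_exchange` names are this example's own.

```python
"""Diffie-Hellman over ISAKMP group 2 (1024-bit MODP): how two peers agree on a key
without ever sending it. Added example, not code from the answer above."""
import hashlib
import secrets

# Oakley group 2 prime and generator, transcribed from RFC 2409 section 6.2;
# is_probable_prime() below re-checks the transcription at runtime.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; enough to catch a mistyped modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Peer:
    """One side of the exchange: keeps a private exponent, publishes g^x mod p."""

    def __init__(self, name: str, p: int = GROUP2_P, g: int = GROUP2_G):
        self.name, self.p, self.g = name, p, g
        self.private = secrets.randbelow(p - 2) + 1   # x in [1, p-2], never leaves this object
        self.public = pow(g, self.private, p)         # the only value sent on the wire

    def shared_secret(self, peer_public: int) -> int:
        # Reject 0, 1 and p-1: a tampered public value in that set would force a trivial secret.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_key(shared: int, p: int = GROUP2_P) -> bytes:
    """Stand-in for the ISAKMP SKEYID PRF (constructed: plain SHA-256 of the big-endian secret)."""
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def run_exchange(p: int = GROUP2_P, g: int = GROUP2_G):
    """Hub and spoke each compute the key from the other's public value; returns (hub_key, spoke_key, wire)."""
    hub, spoke = Peer("hub", p, g), Peer("spoke", p, g)
    wire = {"hub->spoke": hub.public, "spoke->hub": spoke.public}   # all an eavesdropper sees
    hub_key = derive_key(hub.shared_secret(spoke.public), p)
    spoke_key = derive_key(spoke.shared_secret(hub.public), p)
    return hub_key, spoke_key, wire


def accepts_peer_value(value: int) -> bool:
    """True if a peer would accept this public value; shows the degenerate-value check."""
    try:
        Peer("probe").shared_secret(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    k_hub, k_spoke, wire = run_exchange()
    print("group 2 prime verified:", is_probable_prime(GROUP2_P))
    print("keys match:", k_hub == k_spoke, "-", k_hub.hex()[:16], "...")
```

    The degenerate-value check in `shared_secret` is the part worth keeping in mind: an implementation that accepts a public value of 1 or p-1 lets an active attacker push both sides onto a predictable secret, which is one reason real ISAKMP stacks validate what the peer sends before deriving keys.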
    LVL 1

    Assisted Solution

    why should I need more than one policy?

    You don't if you are configuring both endpoints of your VPN setup. You choose what you want your setup to be and implement it.

    I'm in the situation where I have several site-to-site VPNs where I control both ends, and a couple of VPNs to sites not controlled by me requiring different encryption policies.
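    The situation both answers describe (one Phase 1 policy per kind of peer, tried in priority order) as an added example that is not part of either answer: the hub configuration, the three peers and their proposals are constructed for illustration, and the `parse_isakmp_policies` / `select_policy` names are this example's own. The matching rule follows Cisco's documented behaviour: encryption, hash, authentication and DH group must be identical, and the remote peer's lifetime must not exceed the local one; attributes a policy block leaves unset take the IOS defaults (DES, SHA, RSA signatures, group 1, 86400 seconds).

```python
"""Model of how a Cisco IOS responder picks an ISAKMP (Phase 1) policy when it has several.
Added example with a constructed config; not the project's or the answer's own code."""
import re
from dataclasses import dataclass

# Values IOS applies when a policy block does not set them (IOS defaults).
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int           # lower number = tried first by the responder
    encr: str
    hash: str
    authentication: str
    group: str              # Diffie-Hellman group ("2" = 1024-bit MODP)
    lifetime: int           # Phase 1 SA lifetime in seconds


def _finish(block: dict) -> IsakmpPolicy:
    attrs = {**DEFAULTS, **block}
    return IsakmpPolicy(int(attrs["priority"]), attrs["encr"], attrs["hash"],
                        attrs["authentication"], attrs["group"], int(attrs["lifetime"]))


def parse_isakmp_policies(config: str) -> list:
    """Extract 'crypto isakmp policy N' blocks from show-run text, sorted by priority."""
    policies, block = [], None
    for raw in config.splitlines():
        header = re.match(r"^crypto isakmp policy (\d+)\s*$", raw)
        if header:
            if block is not None:
                policies.append(_finish(block))
            block = {"priority": header.group(1)}
            continue
        if block is None:
            continue
        if not raw.startswith(" "):           # '!' or the next top-level command ends the block
            policies.append(_finish(block))
            block = None
            continue
        parts = raw.split()
        key = "encr" if parts[0] == "encryption" else parts[0]
        if key in DEFAULTS:
            block[key] = " ".join(parts[1:])  # 'encr aes 256' keeps its key length
    if block is not None:
        policies.append(_finish(block))
    return sorted(policies, key=lambda p: p.priority)


def proposal(encr, hash_, authentication, group, lifetime=86400) -> dict:
    """One Phase 1 proposal as an initiator would send it (fields mirror IsakmpPolicy)."""
    return {"encr": encr, "hash": hash_, "authentication": authentication,
            "group": str(group), "lifetime": lifetime}


def select_policy(policies, proposals):
    """Responder's view: walk its policies in priority order, return the first (policy, proposal) match."""
    for pol in policies:
        for prop in proposals:
            same_suite = ((prop["encr"], prop["hash"], prop["authentication"], prop["group"])
                          == (pol.encr, pol.hash, pol.authentication, pol.group))
            if same_suite and prop["lifetime"] <= pol.lifetime:
                return pol, prop
    return None


# Constructed hub configuration: three Phase 1 policies, one Phase 2 transform set.
HUB_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
"""

# Constructed peers: a spoke you control, an older VPN client, and a third party's gateway.
PEERS = {
    "spoke-A":    [proposal("aes 256", "sha", "pre-share", 2)],
    "old-client": [proposal("3des", "md5", "pre-share", 2), proposal("des", "md5", "pre-share", 1)],
    "partner-gw": [proposal("3des", "sha", "pre-share", 5)],   # DH group 5: no hub policy offers it
}


def negotiate_all(config=HUB_CONFIG, peers=PEERS) -> dict:
    """Map each peer to the priority of the hub policy it lands on, or None when Phase 1 fails."""
    policies = parse_isakmp_policies(config)
    return {name: (m[0].priority if (m := select_policy(policies, props)) else None)
            for name, props in peers.items()}


if __name__ == "__main__":
    for name, prio in negotiate_all().items():
        print(f"{name:11s} -> {'policy %d' % prio if prio else 'no matching policy (Phase 1 fails)'}")
```

    Running it shows the point of the thread: the spoke you control lands on policy 10, the old client only matches the weaker 3DES/MD5 policy 20, and the partner gateway proposing DH group 5 gets no Phase 1 SA at all until a policy for it is added. It also shows the defender's caveat: every extra policy, especially one kept for old clients, is a suite you are willing to accept from any peer, so the weak ones deserve a retirement date.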
    LVL 34

    Expert Comment

    by:Istvan Kalmar

    If you use older VPN clients you need to use different policy groups, so that's why you use more than one policy group!

    Best regards,
