
What is a crypto isakmp policy and why should I need more than one ?

Hi!

I have 4 "crypto isakmp policy" in my configuration but only one transform-set (crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac)

Why should I need more than one policy?

Also, what is the meaning of "group 2" in a policy?

I use site-to-site VPN and the Cisco VPN client (I guess it's IPsec) in a hub-and-spoke infrastructure.

Thank you!

2 Solutions
Rubicon2009 (Author) commented:
Also, what is the difference between "encr 3des" and "hash md5"?
They are in different policies.
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
ISAKMP is the protocol used to exchange keys and other encryption parameters for the IPSec VPN. It translates into "Phase 1 settings" on other devices.
IPSEC corresponds to "Phase 2".
So those are different proposals for the different phases of the negotiation and data exchange happening within an IPsec tunnel.

"Group 2" refers to Diffie-Hellman Group 2 (DH-2, 1024 bits), which is a protocol used for securing the exchange of encryption parameters ((re)negotiation of keys and initial vector and some other encryption related stuff) for both phases. It is optional, but recommended (at least in Phase 1), to make some kinds of interception by attackers impossible. Some more explanation can be found in the Wiki (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange).

A hash like MD5 (not recommended) or SHA-1 / SHA-256 is a content-generated value to authenticate the packet contents. It is like signing with a unique signature, making sure the packet is both unchanged and really originated from the communication partner. A hash is (usually) not reversible, that is, you cannot get back the content if you see the hashed byte stream only.

Encryption is used to make the content secret (but not secure). Encrypted traffic should not be decodable without having the encryption key available - and with IPSec that key is exchanged in a complicated way, and changed every now and then (time or traffic based). The key is never exchanged in plain, by the way.
A simple encryption algorithm would be to just shift each letter by one, or by an offset determined from a common phrase. IPSec keys are much, much more than that, of course.
Common encryption algorithms used in IPSec VPN are 3DES and AES.
"Why should I need more than one policy?"

You don't if you are configuring both endpoints of your VPN setup. You choose what you want your setup to be and implement it.

I'm in the situation where I have several site-to-site vpns where I control both ends, and a couple of vpns to sites not controlled by me requiring different encryption policies.
Istvan Kalmar (Head of IT Security Division) commented:

If you use older VPN clients you need to use different policy groups, so that's why you use more than one policy group!

Best regards,
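To show what Qlemo's Phase 1 explanation and Istvan's point about older clients needing their own policy look like in practice, here is an added Python model (not from this thread, and not Cisco's code) of how an IKEv1 responder picks the first ISAKMP policy that matches one of the initiator's proposals, plus a check that flags the weak settings the thread mentions (3DES, MD5, DH group 2). The policy lists, priorities and the "hub" / "old client" names are constructed for the example; lifetime matching is deliberately left out.

```python
# Added example, not part of the thread: simplified ISAKMP (IKEv1 Phase 1)
# policy selection. Each side orders its policies by priority (lower number
# first, as with "crypto isakmp policy <n>"). The responder walks the
# initiator's proposals in priority order and accepts the first one whose
# encryption, hash, authentication method and DH group all match one of its
# own policies. Lifetime is negotiated separately and is not modelled here.
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int   # policy number, lower is tried first
    encr: str       # "des", "3des", "aes"
    hash_alg: str   # "md5", "sha"
    auth: str       # "pre-share", "rsa-sig"
    group: int      # Diffie-Hellman group (2 = 1024-bit MODP)

    def matches(self, other):
        return (self.encr, self.hash_alg, self.auth, self.group) == \
               (other.encr, other.hash_alg, other.auth, other.group)


def negotiate_phase1(initiator, responder):
    """Return (initiator_policy, responder_policy) of the first match, else None."""
    for prop in sorted(initiator, key=lambda p: p.priority):
        for pol in sorted(responder, key=lambda p: p.priority):
            if pol.matches(prop):
                return prop, pol
    return None


def weak_reasons(policy):
    """List the settings in a policy that are no longer considered adequate."""
    reasons = []
    if policy.encr in ("des", "3des"):
        reasons.append("weak encryption: " + policy.encr)
    if policy.hash_alg == "md5":
        reasons.append("weak hash: md5")
    if policy.group in (1, 2, 5):
        reasons.append("small DH group: %d" % policy.group)
    return reasons


# Constructed sample: the hub keeps a strong policy first and weaker ones only
# for an old VPN client that supports nothing better than 3DES/MD5/group 2.
HUB = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 14),
    IsakmpPolicy(20, "3des", "sha", "pre-share", 2),
    IsakmpPolicy(30, "3des", "md5", "pre-share", 2),
]
MODERN_SPOKE = [IsakmpPolicy(10, "aes", "sha", "pre-share", 14)]
OLD_CLIENT = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2)]
STRICT_HUB = HUB[:1]  # a hub with only the strong policy rejects the old client
```

Running `negotiate_phase1(OLD_CLIENT, STRICT_HUB)` returns `None`, which is the "no proposal chosen" failure you see when the only policy on one side has no counterpart on the other.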