

What is a crypto isakmp policy and why should I need more than one?

Hi!

I have 4 "crypto isakmp policy" entries in my configuration but only one transform-set (crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac).

Why should I need more than one policy?

Also, what is the meaning of "group 2" in a policy?

I use site-to-site VPN and the Cisco VPN client (I guess it's IPsec) in a hub-and-spoke infrastructure.

Thank you!

2 Solutions
Rubicon2009 (Author) commented:
Also, what is the difference between "encr 3des" and "hash md5"?
Both are in different policies.
Qlemo (C++ Developer) commented:
ISAKMP is the protocol used to exchange keys and other encryption parameters for the IPSec VPN. It translates into "Phase 1 settings" on other devices.
IPSEC corresponds to "Phase 2".
So those are different proposals for the different phases of the negotiation and data exchange happening with an IPsec tunnel.

"Group 2" refers to Diffie-Hellman Group 2 (DH-2, 1024 bits), which is a protocol used for securing the exchange of encryption parameters ((re)negotiation of keys and initial vector and some other encryption related stuff) for both phases. It is optional, but recommended (at least in Phase 1), to make some kinds of interception by attackers impossible. Some more explanation can be found in the Wiki (http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange).

A hash like MD5 (not recommended) or SHA-1 / SHA-256 is a content-generated value to authenticate the packet contents. It is like signing with a unique signature, making sure the packet is both unchanged and really originated from the communication partner. A hash is (usually) not reversible, that is, you cannot get back the content if you see the hashed byte stream only.

Encryption is used to make the content secret (but not secure). Encrypted traffic should not be decodable without having the encryption key available - and with IPSec that key is exchanged in a complicated way, and changed every now and then (time or traffic based). The key is never exchanged in plain, by the way.
A simple encryption algorithm would be to just shift each letter by one, or by an offset determined from a common phrase. IPSec keys are much, much more than that, of course.
Common encryption algorithms used in IPSec VPN are 3DES and AES.
Why should I need more than one policy?

You don't if you are configuring both endpoints of your VPN setup. You choose what you want your setup to be and implement it.

I'm in the situation where I have several site-to-site VPNs where I control both ends, and a couple of VPNs to sites not controlled by me requiring different encryption policies.
Istvan Kalmar commented:

If you use older VPN clients you need to use different policy groups, so that's why you use more than one policy group!

Best regards,
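To make the two answers above concrete (Qlemo's point that the "crypto isakmp policy" entries are phase 1 proposals and "group 2" is the 1024-bit Diffie-Hellman group, and Istvan's point that older clients need their own policy), here is an added example, not code from the thread or from Cisco: a Python model of a hub with three ordered phase 1 policies negotiating with different peers, followed by one Diffie-Hellman run in group 2. The policy numbers, the peers and their proposals are constructed; the matching rule (walk the hub's policies by priority number and accept the first one the peer also offered, with lifetime left out) is my simplification of what IOS does. The group 2 prime and generator are the ones published in RFC 2409.

```python
"""Toy IKEv1 phase 1 negotiation on a Cisco-style hub, then a Diffie-Hellman
run in the group the matched policy names. Added example, not from the thread.

Assumptions (mine): the hub's "crypto isakmp policy" entries are an ordered
list (lowest priority number first), a peer offers one or more proposals, and
the first hub policy that exactly matches an offered proposal wins. Lifetime
handling is left out. All policies and peer proposals below are constructed.
"""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 2409 group 2 ("group 2" in an IOS policy): 1024-bit MODP prime, generator 2.
MODP1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
MODP1024_G = 2


@dataclass(frozen=True)
class Phase1Proposal:
    """One ISAKMP/IKE phase 1 parameter set (IOS: encr, hash, authentication, group)."""
    encr: str    # "3des" or "aes"
    hash: str    # "md5" or "sha" (SHA-1)
    auth: str    # "pre-share" or "rsa-sig"
    group: int   # Diffie-Hellman group number


# Constructed hub configuration: three "crypto isakmp policy N" blocks.
HUB_POLICIES: List[Tuple[int, Phase1Proposal]] = [
    (10, Phase1Proposal("aes", "sha", "pre-share", 2)),   # preferred for spokes we control
    (20, Phase1Proposal("3des", "sha", "pre-share", 2)),  # third-party site that only does 3DES
    (30, Phase1Proposal("3des", "md5", "pre-share", 2)),  # legacy VPN client (weak; keep last)
]


def negotiate_phase1(policies, offered) -> Optional[Tuple[int, Phase1Proposal]]:
    """Walk the hub's policies in priority order; return the first one the peer
    also offered, or None when nothing matches. Every attribute must match:
    same encr/hash/auth but a different DH group is not a match."""
    offered_set = set(offered)
    for prio, pol in policies:
        if pol in offered_set:
            return prio, pol
    return None


def public_value_ok(value: int, p: int = MODP1024_P) -> bool:
    """Reject degenerate DH public values (0, 1, p-1) that force a trivial secret."""
    return 1 < value < p - 1


def dh_keypair(p: int = MODP1024_P, g: int = MODP1024_G) -> Tuple[int, int]:
    """Fresh (private exponent, public value) in the MODP group."""
    priv = secrets.randbelow(p - 2) + 1     # 1 <= priv <= p-2
    return priv, pow(g, priv, p)


def dh_shared(priv: int, peer_public: int, p: int = MODP1024_P) -> int:
    """g^(ab) mod p; the secret never crosses the wire, only the public values do."""
    if not public_value_ok(peer_public, p):
        raise ValueError("invalid DH public value from peer")
    return pow(peer_public, priv, p)


def run_dh_group2() -> bool:
    """Both sides of a group 2 exchange; True when they derive the same secret."""
    hub_priv, hub_pub = dh_keypair()
    peer_priv, peer_pub = dh_keypair()
    return dh_shared(hub_priv, peer_pub) == dh_shared(peer_priv, hub_pub)


if __name__ == "__main__":
    spoke = [Phase1Proposal("aes", "sha", "pre-share", 2)]
    old_client = [Phase1Proposal("3des", "md5", "pre-share", 2)]
    wrong_group = [Phase1Proposal("aes", "sha", "pre-share", 5)]
    for name, offer in (("spoke", spoke), ("old client", old_client), ("group 5 peer", wrong_group)):
        print(name, "->", negotiate_phase1(HUB_POLICIES, offer))
    print("group 2 DH agrees:", run_dh_group2())
```

Two things worth noticing when you run it: a peer that matches on encryption, hash and authentication but offers a different DH group does not match at all, which is the usual reason a phase 1 negotiation with a third party fails; and because the hub's list is walked in priority order, a peer that offers both the strong and the weak set gets the strong one, so putting the legacy 3DES/MD5 policy at the highest number keeps it from being chosen by peers that can do better.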
