What is ISAKMP and do I need it?

Posted on 2012-09-04
Last Modified: 2012-09-04
After running a vulnerability scan on my Cisco 1921 router (IOS device), I got the following message back:

ISAKMP Allows Weak IPsec Encryption Settings

Apparently this service uses UDP on port 500. Can anyone tell me what it's for, why I need it or if I need it?

Additionally, if I do need it how do I change the setting to set strong encryption? If I don't need it how do I disable it?

I'm still fairly green when it comes to configuring a Cisco router so please pretend I'm dumb (not much of a stretch really).
Question by: Russ Suter
    LVL 7

    Expert Comment

    It's for key exchange when setting up IPsec VPN. So if you use VPN on that router, then yes, you need it. If you don't, then you can probably disable it.

    This vulnerability shows up a lot on scanners, and it is usually a false positive. See my answer to this question for an explanation:
    LVL 37

    Accepted Solution

    ISAKMP is a key management and exchange protocol. It's used to allow devices to exchange key information for encryption. Using it isn't the problem. The problem is that your configuration is allowing weak keys to be generated and used through ISAKMP. should give you a good overview of ISAKMP. There's a section devoted to ISAKMP configuration you'll want to look at particularly. I'm not a Cisco guy, so I can't give you specific instructions, but you'll want to make sure that your devices are configured so that DES is not allowed. Cisco devices use 3DES by default, so this isn't a huge problem (DES was cracked 16 years ago; 3DES is still marginally secure. Use AES if you can).
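The accepted answer says to check that the router's ISAKMP configuration does not allow DES. On IOS the settings in question live in `crypto isakmp policy` blocks, and a scanner flags the router if any configured policy (including one left at defaults) offers a weak proposal. The script below is an added example, not code from the original post or from Cisco; it parses the `crypto isakmp policy` blocks out of a `show running-config` excerpt and reports the weak parameters per policy. The sample configuration is constructed for the example. Two assumptions are built in and labelled in the code: IOS omits default parameter values from `show running-config` (so a policy with no `encr`, `hash` or `group` line is DES / SHA-1 / DH group 1), and the sets of what counts as "weak" (DES and 3DES, MD5 and SHA-1, DH groups 1, 2 and 5) are this example's own thresholds, so adjust them to your scanner's policy.

```python
"""Audit 'crypto isakmp policy' blocks from a Cisco IOS running-config.

Added example; not from the original post or from Cisco.
Assumption: IOS does not print default parameter values in
'show running-config', so an omitted line means the IOS default
(DES, SHA-1, RSA signatures, DH group 1).
"""
from __future__ import annotations

import re

# Assumed IOS defaults for parameters a policy block does not print.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1",
                "authentication": "rsa-sig"}

# This example's own definition of "weak"; tune to your scanner's policy.
WEAK_ENCR = {"des", "3des"}    # DES is broken; 3DES is legacy only
WEAK_HASH = {"md5", "sha"}     # IOS spells SHA-1 as plain 'sha'
WEAK_GROUP = {"1", "2", "5"}   # DH moduli below 2048 bits

# Constructed sample of 'show running-config' output (not a real device).
SAMPLE_CONFIG = """\
!
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key EXAMPLEKEY address 198.51.100.1
"""


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    """Return {policy_number: {encr, hash, group, authentication}}."""
    policies: dict[int, dict[str, str]] = {}
    current: int | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)  # start from defaults
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # unindented line ends the block
            current = None
            continue
        fields = line.split()
        key = fields[0]
        if key in ("encr", "encryption"):
            # 'encr aes 256' -> 'aes-256', 'encr 3des' -> '3des'
            policies[current]["encr"] = "-".join(fields[1:])
        elif key in ("hash", "group", "authentication"):
            policies[current][key] = fields[1]
    return policies


def weak_settings(policy: dict[str, str]) -> list[str]:
    """List the parameters of one policy that fall in the weak sets."""
    findings = []
    if policy["encr"] in WEAK_ENCR:
        findings.append(f"encryption {policy['encr']}")
    if policy["hash"] in WEAK_HASH:
        findings.append(f"hash {policy['hash']}")
    if policy["group"] in WEAK_GROUP:
        findings.append(f"group {policy['group']}")
    return findings


def audit(config: str) -> dict[int, list[str]]:
    """Map each policy number to its list of weak settings ([] if clean)."""
    return {n: weak_settings(p) for n, p in parse_isakmp_policies(config).items()}


if __name__ == "__main__":
    for number, findings in sorted(audit(SAMPLE_CONFIG).items()):
        status = ", ".join(findings) if findings else "ok"
        print(f"crypto isakmp policy {number}: {status}")
```

Run against the sample, policy 10 is flagged on all three counts even though its block only says `authentication pre-share`, which is the case that trips people up: the weak values are the unprinted defaults, not something anyone typed. Policy 30 (AES-256, SHA-256, group 14) passes. The router offers every configured policy to a peer in priority order, so one leftover weak policy is enough for a scanner to report the finding.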
