crypto isakmp policy <pol#> vs crypto map <mname> <sqn#>

akinghari 2003-10-01, 12:18 am

Can anyone explain the use of the pol# & sqn#? Do they have to be equal to relate IKE with IPSec?
Do the parameters Group in ISAKMP and PFS in IPSec have to be equal if you want to use PFS? As I understand it, PFS is optional but Group by default uses "1".
Lastly, I need last-minute tips on SECUR.
Many thanks......
darthfeces 2003-10-01, 12:40 am

ISAKMP occurs during IPsec phase 1.
Policy# is just an arbitrary # assigned to that policy.
Crypto map is used during IPsec phase 2 to apply encryption to the tunnel.
Seq # is just a sequence # assigned to a crypto map in case you need to execute a series of crypto maps in a certain order.
Start from square one or you'll never become un-confused.
http://www.cisco.com/en/US/products...00800d981f.html
Zaniix 2003-10-01, 7:11 am

PFS and DH group have NOTHING to do with each other as far as the config is concerned.
Don't overcomplicate things.
I'd suggest you get some time on a router or at least a simulator to see just how this works.
Pol# is just a number; it has nothing to do with Pol# on other routers or what Seq# is being used for the crypto map.
Pol# 1 will be matched before 2 and 2 before 3, etc. The same goes for Seq#.
SEQ# is also how you map multiple parameters for one crypto map to a single interface. You would use the same crypto map name, but change the sequence number.
akinghari 2003-10-04, 12:44 am

According to Thomas Akin in his book Hardening Cisco Routers, published by O'Reilly, Chapter 3 "Basic Access Control", in the section "Protection with IPSec", page 28, he mentioned that to relate the IPSec (Phase 2) with IKE (Phase 1) the seq# must be equal to the Pol#.
This is when the confusion began, and then I just wondered if the group and PFS exhibit the same characteristics.
Unfortunately, I do not have a spare router at work to experiment with.
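The following Cisco IOS configuration is an added example to illustrate the two questions in this thread; it is not from any of the posters nor from Akin's book. The ISAKMP policy priority (10) and the crypto map sequence numbers (100, 200) are deliberately different: IOS does not tie them together, the policy number only orders phase 1 proposals and the sequence number only orders entries within one crypto map. PFS is set per crypto map entry, is optional (entry 200 omits it), and its DH group does not have to equal the ISAKMP policy's group. Peer addresses, the pre-shared key placeholder, ACL numbers, and the names TS-AES-SHA and VPNMAP are constructed for the example.

```cisco
! Phase 1 (IKE/ISAKMP) policy. "10" is a priority: lower numbers are
! tried first when negotiating with the peer. It has no link to any
! crypto map sequence number.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! One pre-shared key per peer (constructed addresses, placeholder key)
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 192.0.2.2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 192.0.2.3
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
! Traffic to protect for each peer (constructed sample networks)
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
! One crypto map (VPNMAP) with two entries. The sequence numbers 100 and
! 200 only order the entries within this map; they are unrelated to
! ISAKMP policy 10. Both entries share the name so one map applies to
! the interface.
crypto map VPNMAP 100 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES-SHA
 ! PFS enabled for this entry; group2 here is independent of the
 ! "group 2" line in the ISAKMP policy
 set pfs group2
 match address 110
crypto map VPNMAP 200 ipsec-isakmp
 set peer 192.0.2.3
 set transform-set TS-AES-SHA
 ! No "set pfs": PFS is optional and off for this entry
 match address 120
!
! Apply the single map (both entries) to the outside interface
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```

To check the result on a lab router, "show crypto isakmp policy" lists phase 1 policies in priority order, and "show crypto map" lists the VPNMAP entries in sequence order, which makes it visible that the two numbering spaces are separate.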