The isakmp policy command is a simple command with several options. If you
do not specify a particular option, the Security Appliance uses the default
value for it. Table 13-1 describes the isakmp policy command parameters.
Table 13-2  isakmp policy Command Parameters

Parameter                  Description
priority                   Allows you to prioritize your ISAKMP policies. Policy
                           priorities range from 1 to 65,534, with 1 being the
                           highest priority.
authentication pre-share   Specifies that the peer authentication method is the
                           preshared key. This requires that the preshared key be
                           manually configured on both peers.
authentication rsa-sig     Specifies that the peer authentication method is RSA
                           signatures. This method allows peer authentication to
                           be completed automatically and is a more scalable
                           solution. This is the default setting.
encryption des             Specifies that the encryption algorithm is DES. This is
                           the default setting.
encryption 3des            Specifies that the encryption algorithm is 3DES.
encryption aes             Specifies that the encryption algorithm is AES-128.
encryption aes-192         Specifies that the encryption algorithm is AES-192.
encryption aes-256         Specifies that the encryption algorithm is AES-256.
group 1                    Specifies that Diffie-Hellman group 1 (768-bit) is used.
                           This is the default setting.
group 2                    Specifies that Diffie-Hellman group 2 (1024-bit) is used.
group 5                    Specifies that Diffie-Hellman group 5 (1536-bit) is used.
hash md5                   Specifies that the MD5 hash algorithm is used.
hash sha                   Specifies that the SHA-1 hash algorithm is used. This is
                           the default setting.
lifetime                   Specifies the SA's lifetime. The range is from 60
                           seconds to unlimited. The default setting is 86,400
                           seconds.

For example, to configure matching ISAKMP policies on two VPN peers, you
would use a configuration similar to the following.

Local PIX Firewall:

tgpix(config)# isakmp policy 10 authentication pre-share
tgpix(config)# isakmp policy 10 encryption 3des
tgpix(config)# isakmp policy 10 group 2
tgpix(config)# isakmp policy 10 hash md5
tgpix(config)# isakmp policy 10 lifetime 86400
tgpix(config)# isakmp enable outside

Remote PIX Firewall:

gonderpix(config)# isakmp policy 10 authentication pre-share
gonderpix(config)# isakmp policy 10 encryption 3des
gonderpix(config)# isakmp policy 10 group 2
gonderpix(config)# isakmp policy 10 hash md5
gonderpix(config)# isakmp policy 10 lifetime 86400
gonderpix(config)# isakmp enable outside
Note that the policies are the same on both peers; however, it is not a
requirement for the policy number to match on each peer.
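The following script is an added example and is not code from the book or from Cisco. It shows what the parameter table and the two-peer example together imply: a policy that omits an option silently gets the table's default (rsa-sig, des, group 1, sha, 86400), and two peers negotiate on parameter values rather than on policy numbers, so policy 10 on one peer can match policy 30 on the other. The script parses the isakmp policy lines from both peers' configurations, fills in the defaults, reports which policy pairs would agree, and flags settings that are weak by current standards. The WEAK table, the treatment of lifetime as not needing to match, and the sample configurations (modelled on the tgpix/gonderpix example, with an extra policy 20 and a renumbered remote policy) are this example's own assumptions.

```python
"""Audit and compare PIX/ASA isakmp policy configurations.

Added example, not code from the book or from Cisco: it parses the
'isakmp policy' lines from two peers, fills in the defaults listed in the
parameter table for any option that was not set, looks for pairs of
policies whose negotiated parameters agree, and flags settings that are
weak by current standards (the WEAK table is this example's assumption).
"""
import itertools
import re

# Defaults from the parameter table, used when a policy omits an option.
DEFAULTS = {
    "authentication": "rsa-sig",
    "encryption": "des",
    "group": "1",
    "hash": "sha",
    "lifetime": "86400",
}

# Parameters both peers must agree on for Phase 1; this example assumes the
# lifetime is negotiated to the shorter value and so need not match exactly.
NEGOTIATED = ("authentication", "encryption", "group", "hash")

# Values this audit reports as weak (assumption of the example, not the book).
WEAK = {
    "encryption": {"des", "3des"},
    "hash": {"md5"},
    "group": {"1", "2"},
}

LINE_RE = re.compile(
    r"isakmp policy (\d+) (authentication|encryption|group|hash|lifetime) (\S+)"
)


def parse_policies(config):
    """Return {priority: {parameter: value}}, defaults filled in per policy."""
    policies = {}
    for line in config.splitlines():
        m = LINE_RE.search(line)          # prompt text before the command is ignored
        if not m:
            continue                      # e.g. 'isakmp enable outside'
        prio, param, value = int(m.group(1)), m.group(2), m.group(3)
        policies.setdefault(prio, dict(DEFAULTS))[param] = value
    return policies


def matching_policies(local, remote):
    """(local_prio, remote_prio) pairs whose negotiated parameters agree.

    Priorities are compared across peers, so policy 10 on one side may
    match policy 30 on the other; only the parameter values matter.
    """
    return [
        (lp, rp)
        for lp, rp in itertools.product(sorted(local), sorted(remote))
        if all(local[lp][k] == remote[rp][k] for k in NEGOTIATED)
    ]


def weak_settings(policy):
    """Sorted 'parameter=value' strings for the weak values in one policy."""
    return sorted(f"{k}={policy[k]}" for k in WEAK if policy[k] in WEAK[k])


def audit(local_cfg, remote_cfg):
    """Full report: matching policy pairs and weak settings per peer/policy."""
    local, remote = parse_policies(local_cfg), parse_policies(remote_cfg)
    return {
        "matches": matching_policies(local, remote),
        "weak": {
            "local": {p: weak_settings(local[p]) for p in sorted(local)},
            "remote": {p: weak_settings(remote[p]) for p in sorted(remote)},
        },
    }


# Constructed sample configurations, modelled on the book's tgpix/gonderpix
# example; policy 20 on the local peer sets only the encryption algorithm so
# that every other parameter comes from the defaults, and the remote peer
# uses priority 30 to show that policy numbers need not match.
LOCAL_CONFIG = """\
tgpix(config)# isakmp policy 10 authentication pre-share
tgpix(config)# isakmp policy 10 encryption 3des
tgpix(config)# isakmp policy 10 group 2
tgpix(config)# isakmp policy 10 hash md5
tgpix(config)# isakmp policy 10 lifetime 86400
tgpix(config)# isakmp policy 20 encryption aes-256
tgpix(config)# isakmp enable outside
"""

REMOTE_CONFIG = """\
gonderpix(config)# isakmp policy 30 authentication pre-share
gonderpix(config)# isakmp policy 30 encryption 3des
gonderpix(config)# isakmp policy 30 group 2
gonderpix(config)# isakmp policy 30 hash md5
gonderpix(config)# isakmp policy 30 lifetime 86400
gonderpix(config)# isakmp enable outside
"""

if __name__ == "__main__":
    report = audit(LOCAL_CONFIG, REMOTE_CONFIG)
    print("matching policy pairs:", report["matches"])
    for peer, per_policy in report["weak"].items():
        for prio, findings in per_policy.items():
            print(f"{peer} policy {prio}: {', '.join(findings) or 'no weak settings'}")
```

Run against the sample configurations, the audit reports that local policy 10 and remote policy 30 agree, that local policy 20 matches nothing on the remote peer (its authentication defaulted to rsa-sig while the remote uses pre-share), and that every matching policy still relies on 3DES, MD5 and DH group 2. Pasting the output of show running-config from two real peers in place of the constructed strings gives the same report for a production tunnel.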