crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKEv1 Phase 1) policy used when negotiating IPsec VPN tunnels, defining the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group and IKE SA lifetime that this router will offer to or accept from a peer.
When to Use This Command
- Setting up a site-to-site VPN between two branch offices using pre-shared keys.
- Configuring a remote access VPN for mobile workers with certificate-based authentication.
- Establishing a VPN tunnel to a cloud provider (e.g., AWS VPN) with matching IKE parameters.
- Upgrading an existing VPN policy to use stronger encryption (e.g., AES-256) for compliance.
Command Examples
Create ISAKMP policy with pre-shared key and AES-256
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 14
 lifetime 86400
Policy priority 10 is created (lower number = higher priority). 'encr aes 256' (short for 'encryption aes 256') sets AES with 256-bit keys. 'hash sha512' selects SHA-512 for integrity; without it the policy keeps the SHA-1 default. 'authentication pre-share' uses pre-shared keys, which must still be defined separately with 'crypto isakmp key'. 'group 14' sets Diffie-Hellman group 14 (2048-bit MODP). 'lifetime 86400' sets the IKE (Phase 1) SA lifetime to 86400 seconds (24 hours); this is separate from the IPsec (Phase 2) SA lifetime.
View configured ISAKMP policies
show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys)
hash algorithm: Secure Hash Standard (SHA-512)
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard (SHA-1)
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
The output shows the configured policy (priority 10) with AES-256, SHA-512, pre-shared key authentication, DH group 14 and an 86400-second lifetime. The default protection suite uses DES (56-bit), SHA-1, RSA signatures (which require certificates), DH group 1 (768-bit) and the same 86400-second lifetime. For CCNA, note that the default suite is weak and is still offered to peers unless a stronger policy matches first; always configure an explicit policy.
Understanding the Output
The 'show crypto isakmp policy' command displays all configured ISAKMP policies in order of priority (lower number = higher priority), followed by the default protection suite. Each policy shows the encryption algorithm (DES, 3DES, AES-128/192/256), hash algorithm (MD5, SHA-1, SHA-256, SHA-384, SHA-512), authentication method (pre-share, rsa-sig, rsa-encr), Diffie-Hellman group (1, 2, 5, 14 and higher) and lifetime in seconds. The default policy is always present with weak settings. On a real network, encryption, hash, authentication and DH group must be identical in at least one policy on each peer; lifetime does not have to match (the responder accepts an offer whose lifetime is at least as long as its own, and the shorter value is used), but every other mismatch causes Phase 1 negotiation to fail. Good values: AES-256, SHA-256 or higher, DH group 14 or higher, pre-shared key or certificates. Bad values: DES, 3DES, MD5, SHA-1, DH groups 1, 2 and 5. 'no volume limit' is normal; a volume-based lifetime is rarely configured.
CCNA Exam Tips
CCNA exam tip: Remember that lower priority number means higher priority; policy 10 is preferred over policy 20.
CCNA exam tip: The default ISAKMP policy uses DES, SHA-1, RSA signatures and DH group 1; you must configure a stronger policy for security, because the default suite is still offered during negotiation.
CCNA exam tip: The 'group' command sets Diffie-Hellman group; group 14 (2048-bit) is commonly tested.
CCNA exam tip: Lifetime is in seconds; the default is 86400 (24 hours). A shorter lifetime limits how long a compromised key remains useful but causes more frequent renegotiation.
Common Mistakes
Mistake: Forgetting to configure the same ISAKMP policy parameters on both VPN peers, causing negotiation failure.
Mistake: Using weak encryption (DES, 3DES) or a weak hash (MD5, SHA-1) that is not secure and may be refused outright by modern peers or compliance baselines.
Mistake: Setting a very short lifetime (e.g., 120 seconds) causing excessive rekeying and CPU load.
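The peer-matching and weak-algorithm rules described under Understanding the Output and in the mistakes above are easy to get wrong by eye. The following added example (not Cisco's code and not part of the original page) parses 'show crypto isakmp policy' output from two peers, flags the values the page classes as bad, and predicts which policy pair IKEv1 would agree on using Cisco's documented matching rule (the responder walks its own policies in priority order; encryption, hash, authentication and DH group must be identical and the responder's lifetime must be less than or equal to the initiator's). The router outputs are constructed to mirror the page's sample; the peer names R1 and R2 and R2's 28800-second lifetime are assumptions.

```python
# Added example (not Cisco's code): parse 'show crypto isakmp policy' output from two
# IOS peers, flag weak suites, and predict which IKEv1 Phase 1 policy pair is agreed.
# Both outputs are constructed to mirror the page's sample (peer names R1/R2 and R2's
# 28800-second lifetime are assumptions), not captures from real routers.
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_PRIORITY = 65535  # sentinel for the "Default protection suite"

R1_OUTPUT = """Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys)
        hash algorithm:         Secure Hash Standard (SHA-512)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys)
        hash algorithm:         Secure Hash Standard (SHA-1)
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""
# R2 (constructed) matches R1's policy 10 except for a shorter lifetime.
R2_OUTPUT = R1_OUTPUT.replace("86400 seconds", "28800 seconds", 1)


@dataclass
class Policy:
    priority: int
    encr: str = ""
    hash_alg: str = ""
    auth: str = ""
    group: int = 0
    lifetime: int = 0


def _normalize(key: str, val: str):
    """Map one 'name: value' output line to a Policy field and a canonical value."""
    low = val.lower()
    if key.startswith("encryption"):
        if "triple" in low:
            return "encr", "3DES"
        name = re.match(r"[A-Za-z0-9]+", val).group(0).upper()
        bits = re.search(r"\((\d+) bit", val)
        return "encr", f"{name}-{bits.group(1)}" if name == "AES" and bits else name
    if key.startswith("hash"):
        if "message digest" in low or "md5" in low:
            return "hash_alg", "MD5"
        m = re.search(r"sha-?(\d+)", low) or re.search(r"\((\d+) bit\)", low)
        return "hash_alg", f"SHA-{m.group(1)}" if m else "SHA-1"
    if key.startswith("authentication"):
        return "auth", "pre-share" if "pre-shared" in low else ("rsa-sig" if "signature" in low else "rsa-encr")
    if key.startswith("diffie"):
        return "group", int(re.search(r"#(\d+)", val).group(1))
    if key.startswith("lifetime"):
        return "lifetime", int(re.search(r"(\d+) seconds", val).group(1))
    return None, None


def parse_policies(text: str) -> list:
    """Return the peer's policies, highest priority (lowest number) first."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Protection suite of priority (\d+)", line)
        if m or line.startswith("Default protection suite"):
            policies.append(Policy(int(m.group(1)) if m else DEFAULT_PRIORITY))
        elif policies and ":" in line:
            key, _, val = line.partition(":")
            field, value = _normalize(key.strip().lower(), val.strip())
            if field:
                setattr(policies[-1], field, value)
    return sorted(policies, key=lambda p: p.priority)


def weaknesses(p: Policy) -> list:
    """Parameters the page classes as bad: DES/3DES, MD5/SHA-1, DH group below 14."""
    issues = []
    if p.encr in ("DES", "3DES"):
        issues.append(f"encryption {p.encr}")
    if p.hash_alg in ("MD5", "SHA-1"):
        issues.append(f"hash {p.hash_alg}")
    if p.group < 14:
        issues.append(f"DH group {p.group}")
    return issues


def negotiate(initiator: list, responder: list) -> Optional[tuple]:
    """Cisco's documented rule: the responder walks its own policies in priority order
    and accepts the first initiator offer with identical encryption, hash, authentication
    and DH group whose lifetime is >= the responder's; the shorter lifetime is used.
    Returns (initiator_policy, responder_policy, agreed_lifetime) or None."""
    for rp in responder:
        for ip in initiator:
            same = (ip.encr, ip.hash_alg, ip.auth, ip.group) == (rp.encr, rp.hash_alg, rp.auth, rp.group)
            if same and rp.lifetime <= ip.lifetime:
                return ip, rp, min(ip.lifetime, rp.lifetime)
    return None


if __name__ == "__main__":
    r1, r2 = parse_policies(R1_OUTPUT), parse_policies(R2_OUTPUT)
    for name, peer in (("R1", r1), ("R2", r2)):
        for p in peer:
            print(name, p.priority, weaknesses(p) or "ok")
    print("R1 -> R2:", negotiate(r1, r2))
    print("R2 -> R1:", negotiate(r2, r1))
```

Run stand-alone, the script shows two things a CCNA-level reading of the output misses: when R1 initiates, the two priority-10 policies match and the shorter 28800-second lifetime wins, but when R2 initiates, R1's policy 10 is rejected (its lifetime is longer than R2's offer) and negotiation falls through to the two default suites, so the tunnel would be built with DES, SHA-1 and DH group 1 if certificates were present. Setting identical lifetimes on both peers, or removing the reliance on the default suite, avoids both surprises.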
Related Commands
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
crypto map [name] [seq] ipsec-isakmp
Creates or modifies a crypto map entry for IPsec VPN configuration, defining the security policies and peer parameters for IKE and IPsec negotiations.
show crypto isakmp sa
Displays the current state of Internet Key Exchange (IKE) Security Associations (SAs) used for IPsec VPN tunnels, allowing verification of Phase 1 tunnel establishment.