Branch Office to Head office connectivity

Unanswered Question
Oct 6th, 2008

Dear Friends,

Both Head Office and Branch Office have Cisco IOS routers running GRE over IPSec VPNs on their primary links. The IPSec VPN is certificate based. For the backup link (ISDN), it has been decided to go for IPSec VPNs again with pre-shared keys.

Both the primary and backup ISDN links terminate on the same router in Head Office as well as Branch office.

The Head office is a 3800 series router and the Branch office end is a 2800 series router.

The problem is in the ISAKMP policies.

If I have one ISAKMP policy on the router for certificate-based VPN and the other for pre-shared keys, how do I define that the primary interface always initiates a certificate VPN and the secondary ISDN interface always initiates a pre-shared key VPN?

In other words, is it possible to define which isakmp policy takes effect on a per interface basis?

Please note that both primary and backup links terminate on the same router. If it was a different router, I know that it would have been easily achieved.

Please find enclosed the config of the BO router for your reference.

Looking forward to some help on this.

Thanks a lot

Gautam

smahbub Fri, 10/10/2008 - 07:27

The Certificate to ISAKMP Profile Mapping feature enables you to assign an Internet Security Association and Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of arbitrary fields in the certificate. In addition, this feature allows you to assign a group name to those peers that are assigned an ISAKMP profile.

Refer to the following URL for more information about the configuration:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cert_isakmp_map_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1047091
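
Added example, not part of the original thread or of Cisco's documentation: a Branch Office sketch of the feature named in the reply, with a certificate map feeding one ISAKMP profile and a keyring-based profile for the pre-shared-key peer, each bound to its own crypto map and interface. All names, addresses, interface numbers and the OU value are assumptions; the trustpoint `HO-CA` is assumed to be enrolled already.

```ios
! Constructed illustration: names, addresses and interfaces are assumptions.
! Certificate map: match peers whose certificate subject contains this OU.
crypto pki certificate map HO-CERT-MAP 10
 subject-name co ou = headoffice
!
! Profile for the certificate-authenticated peer on the primary link.
crypto isakmp profile PRIMARY-CERT
 ca trust-point HO-CA
 match certificate HO-CERT-MAP
!
! Keyring and profile for the pre-shared-key peer reached over ISDN.
crypto keyring BACKUP-KEYS
 pre-shared-key address 198.51.100.1 key <PSK-PLACEHOLDER>
!
crypto isakmp profile BACKUP-PSK
 keyring BACKUP-KEYS
 match identity address 198.51.100.1 255.255.255.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Interesting traffic: the GRE tunnel endpoints on each link (constructed).
ip access-list extended GRE-PRIMARY
 permit gre host 192.0.2.2 host 192.0.2.1
ip access-list extended GRE-BACKUP
 permit gre host 198.51.100.2 host 198.51.100.1
!
! One crypto map per link, each bound to its own ISAKMP profile.
crypto map PRIMARY-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 set isakmp-profile PRIMARY-CERT
 match address GRE-PRIMARY
!
crypto map BACKUP-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 set isakmp-profile BACKUP-PSK
 match address GRE-BACKUP
!
interface Serial0/0/0
 crypto map PRIMARY-MAP
!
interface Dialer1
 crypto map BACKUP-MAP
```

The global `crypto isakmp policy` entries for `rsa-sig` and `pre-share` authentication are still required on both routers; the profiles do not replace them.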
