How to force Remote VPN client to use different ISAKMP policy

Unanswered Question
Oct 27th, 2008
User Badges:
  • Gold, 750 points or more

Hi All,


Cisco ASA5510 with IOS 8.0.4 acting as EZVPN server for clients with ASA5505 h/w to connect to enterprise n/w. Everything works great. The client uses the following ISAKMP policy:

************************

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

****************************

Iam planning to add configs to the ASA5510 so that it also acts as RA VPN servers.Users laptops installed with Cisco VPN cleint sw:4.8. I want to add another ISKMP policy :

*******************************

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

*******************************

But how can I force the remote dial-in client to use the second isakmp policy..? Is it possible or do I need to go with same policy (#1) and can use different IKE/Transform-set).


Please suggest.


Thank you in advance

MS

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Loading.
ajagadee Mon, 10/27/2008 - 12:22
User Badges:
  • Cisco Employee,

Hello MS,


It is my understanding that ISAKMP Policies are evaluated in order of priority, looking for the first match and there is no way to associate a policy to one specific EzVPN Client or RA Users.


Having said that, I would configure my preferred policy with the top priority and go from there.


Please do share your thoughts or any workaround that you come across. Thanks!!


Regards,

Arul


*Pls rate if it helps*

mvsheik123 Thu, 10/30/2008 - 10:16
User Badges:
  • Gold, 750 points or more

Thank you Joe.. but looks like this doc gives information creating different ISAKMP for for different kind of connectivity (remote, L2l). But both the Ezvpn cleints & Remote access clients considered as remote access clients, Iam wondering the steps helps my scenario. Please clarify, if I miss anything.


Thank you

MS

Actions

This Discussion