How to force Remote VPN client to use different ISAKMP policy

Oct 27th, 2008

Hi All,

Cisco ASA5510 with IOS 8.0.4 acting as EZVPN server for clients with ASA5505 h/w to connect to enterprise n/w. Everything works great. The client uses the following ISAKMP policy:

crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400


I am planning to add configs to the ASA5510 so that it also acts as RA VPN server. Users' laptops are installed with Cisco VPN client sw 4.8. I want to add another ISAKMP policy:

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400


But how can I force the remote dial-in client to use the second ISAKMP policy? Is it possible, or do I need to go with the same policy (#1) and use a different IKE/transform-set?

Please suggest.

Thank you in advance


ajagadee Mon, 10/27/2008 - 12:22

Hello MS,

It is my understanding that ISAKMP policies are evaluated in order of priority, looking for the first match, and there is no way to associate a policy to one specific EzVPN client or RA user.

Having said that, I would configure my preferred policy with the top priority and go from there.

Please do share your thoughts or any workaround that you come across. Thanks!!



*Pls rate if it helps*
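The first-match-by-priority behaviour described in the reply above, as an added example (not code from the thread or from Cisco): a small Python model in which the responder walks its ISAKMP policies in ascending priority order and accepts the first one that any of the initiator's proposals matches. The two policy sets are the ones from the question, first in the order the question has them and then with the AES/SHA policy moved to the top priority; the client proposal lists are constructed (a hardware EzVPN client offering only 3DES/MD5, a software client offering both AES/SHA and 3DES/MD5). The matching rule (all attributes identical, peer lifetime not longer than the local one) is an assumption modelled on documented Cisco IKEv1 behaviour, not taken from the page.

```python
"""Model of IKEv1 phase 1 (ISAKMP) policy selection on a responder.

Constructed example: the responder checks its policies in ascending priority
order and returns the first one an initiator proposal matches, which is why
the policy ordering, not the client identity, decides what gets negotiated.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower number = evaluated first (0 used for peer proposals)
    authentication: str    # "pre-share" or "rsa-sig"
    encryption: str        # "3des", "aes", ...
    hash_alg: str          # "md5", "sha"
    group: int             # Diffie-Hellman group
    lifetime: int          # seconds


def matches(local: IsakmpPolicy, proposal: IsakmpPolicy) -> bool:
    """Assumption modelled on documented Cisco behaviour: auth, encryption,
    hash and DH group must be identical; the peer's lifetime may be shorter
    than ours but not longer."""
    return (local.authentication == proposal.authentication
            and local.encryption == proposal.encryption
            and local.hash_alg == proposal.hash_alg
            and local.group == proposal.group
            and proposal.lifetime <= local.lifetime)


def select_policy(policies: Iterable[IsakmpPolicy],
                  proposals: Iterable[IsakmpPolicy]) -> Optional[IsakmpPolicy]:
    """Return the first local policy (by ascending priority) that any of the
    initiator's proposals matches, or None if phase 1 would fail."""
    proposals = list(proposals)
    for local in sorted(policies, key=lambda p: p.priority):
        for proposal in proposals:
            if matches(local, proposal):
                return local
    return None


def negotiated(policies: List[IsakmpPolicy],
               proposals: List[IsakmpPolicy]) -> Optional[str]:
    """Human-readable summary of the chosen policy, e.g. '3des/md5 (policy 1)'."""
    chosen = select_policy(policies, proposals)
    if chosen is None:
        return None
    return f"{chosen.encryption}/{chosen.hash_alg} (policy {chosen.priority})"


# Responder policy sets: the order from the question, and the preferred-first order.
THREAD_ORDER = [
    IsakmpPolicy(1, "pre-share", "3des", "md5", 2, 86400),
    IsakmpPolicy(10, "pre-share", "aes", "sha", 2, 86400),
]
PREFERRED_FIRST = [
    IsakmpPolicy(1, "pre-share", "aes", "sha", 2, 86400),
    IsakmpPolicy(10, "pre-share", "3des", "md5", 2, 86400),
]

# Constructed initiator proposal lists (priority field is unused for proposals).
EZVPN_HW_CLIENT = [IsakmpPolicy(0, "pre-share", "3des", "md5", 2, 86400)]
SOFTWARE_CLIENT = [
    IsakmpPolicy(0, "pre-share", "3des", "md5", 2, 86400),
    IsakmpPolicy(0, "pre-share", "aes", "sha", 2, 86400),
]
LONG_LIFETIME_CLIENT = [IsakmpPolicy(0, "pre-share", "3des", "md5", 2, 90000)]


if __name__ == "__main__":
    for label, policies in (("thread order", THREAD_ORDER),
                            ("preferred first", PREFERRED_FIRST)):
        print(f"{label}: hw client -> {negotiated(policies, EZVPN_HW_CLIENT)}, "
              f"sw client -> {negotiated(policies, SOFTWARE_CLIENT)}")
    print("peer lifetime longer than ours ->",
          negotiated(THREAD_ORDER, LONG_LIFETIME_CLIENT))
```

With the question's ordering the software client, although it offers AES/SHA, ends up on the 3DES/MD5 policy because policy 1 matches first; with the AES/SHA policy at the top priority the software client gets AES/SHA while the hardware client still falls through to 3DES/MD5 at priority 10. Nothing in the selection consults who the peer is, which is the limitation the reply describes.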

joe@affirmedsys... Mon, 10/27/2008 - 12:45

You can actually match members of a VPN group and assign phase 1 attributes by using ISAKMP profiles.

I suspect this tech doc will clear things up for you. Let me know if you would like to see a sample config and I'll work something together for you.


mvsheik123 Thu, 10/30/2008 - 10:16

Thank you Joe, but it looks like this doc gives information on creating different ISAKMP policies for different kinds of connectivity (remote, L2L). But since both the EzVPN clients and remote access clients are considered remote access clients, I am wondering whether these steps help my scenario. Please clarify if I missed anything.

Thank you
