How to force Remote VPN client to use different ISAKMP policy

Unanswered Question
Oct 27th, 2008

Hi All,


A Cisco ASA5510 with IOS 8.0.4 is acting as an EZVPN server for clients with ASA5505 h/w connecting to the enterprise n/w. Everything works great. The client uses the following ISAKMP policy:

************************
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
****************************

I am planning to add configs to the ASA5510 so that it also acts as an RA VPN server. Users' laptops are installed with Cisco VPN client s/w 4.8. I want to add another ISAKMP policy:

*******************************
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
*******************************

But how can I force the remote dial-in client to use the second ISAKMP policy? Is it possible, or do I need to go with the same policy (#1) and use a different IKE/transform-set?


Please suggest.


Thank you in advance

MS

ajagadee Mon, 10/27/2008 - 12:22

Hello MS,


It is my understanding that ISAKMP Policies are evaluated in order of priority, looking for the first match and there is no way to associate a policy to one specific EzVPN Client or RA Users.


Having said that, I would configure my preferred policy with the top priority and go from there.


Please do share your thoughts or any workaround that you come across. Thanks!!


Regards,

Arul


*Pls rate if it helps*
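The selection rule Arul describes (the responder walks its own ISAKMP policies in priority order, lowest number first, and accepts the first one that matches any transform the initiator offered) can be modelled in a few lines. The block below is an added example, not Cisco code and not the poster's configuration: the policy and proposal classes, the function names and the two sample client proposal lists are constructed for illustration. It uses the two policies from the question and shows what each client ends up with before and after the priorities are swapped, plus the case where no policy matches and Phase 1 would fail.

```python
# Added example: a model of IKEv1 responder-side ISAKMP policy selection.
# Not Cisco code; class/function names and sample proposals are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry on the responder (the ASA)."""
    priority: int
    authentication: str
    encryption: str
    hash_alg: str
    group: int
    lifetime: int  # seconds


@dataclass(frozen=True)
class Proposal:
    """One transform the initiator (the VPN client) offers in its first message."""
    authentication: str
    encryption: str
    hash_alg: str
    group: int
    lifetime: int  # seconds


def transform_matches(policy: IsakmpPolicy, proposal: Proposal) -> bool:
    """Auth method, cipher, hash and DH group must be identical; the initiator's
    lifetime must not exceed the responder's (the shorter value is then used)."""
    return (
        policy.authentication == proposal.authentication
        and policy.encryption == proposal.encryption
        and policy.hash_alg == proposal.hash_alg
        and policy.group == proposal.group
        and proposal.lifetime <= policy.lifetime
    )


def select_policy(policies: Iterable[IsakmpPolicy],
                  proposals: Iterable[Proposal]) -> Optional[IsakmpPolicy]:
    """Return the first responder policy (by ascending priority number) that any
    offered transform satisfies, or None when no policy matches at all."""
    proposals = list(proposals)
    for policy in sorted(policies, key=lambda p: p.priority):
        for proposal in proposals:
            if transform_matches(policy, proposal):
                return policy
    return None


def negotiated_encryption(policies: Iterable[IsakmpPolicy],
                          proposals: Iterable[Proposal]) -> Optional[str]:
    """Convenience wrapper: the cipher of the chosen policy, or None."""
    chosen = select_policy(policies, proposals)
    return chosen.encryption if chosen else None


# The two policies from the question, in the order the poster wrote them.
AS_POSTED = [
    IsakmpPolicy(1, "pre-share", "3des", "md5", 2, 86400),
    IsakmpPolicy(10, "pre-share", "aes", "sha", 2, 86400),
]
# The same two policies with the priorities swapped (the preferred policy on top).
AES_FIRST = [
    IsakmpPolicy(1, "pre-share", "aes", "sha", 2, 86400),
    IsakmpPolicy(10, "pre-share", "3des", "md5", 2, 86400),
]

# Constructed proposal lists. The ASA5505 hardware client is assumed to offer
# only the 3DES/MD5 transform from its own policy 1; the software client is
# assumed to offer both AES/SHA and 3DES/MD5.
HW_CLIENT = [Proposal("pre-share", "3des", "md5", 2, 86400)]
SW_CLIENT = [
    Proposal("pre-share", "aes", "sha", 2, 86400),
    Proposal("pre-share", "3des", "md5", 2, 86400),
]

if __name__ == "__main__":
    for label, policies in (("as posted", AS_POSTED), ("aes first", AES_FIRST)):
        print(label,
              "hw client ->", negotiated_encryption(policies, HW_CLIENT),
              "| sw client ->", negotiated_encryption(policies, SW_CLIENT))
```

With the policies as posted, both clients land on policy 1 (3DES) because the responder tries policy 1 first and the software client offered a matching 3DES transform. Swapping the priorities moves the software client to AES while the hardware client, which offers nothing AES-capable, still falls through to the 3DES policy; that is the behaviour behind the advice to put the preferred policy at the top.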

joe@affirmedsys... Mon, 10/27/2008 - 12:45

You can actually match members of a VPN group and assign phase 1 attributes by using ISAKMP profiles.


I suspect this tech doc will clear things up for you. Let me know if you would like to see a sample config and I'll work something together for you.


-Joe


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html

mvsheik123 Thu, 10/30/2008 - 10:16

Thank you Joe, but it looks like this doc gives information on creating different ISAKMP policies for different kinds of connectivity (remote, L2L). But since both the EzVPN clients and the remote access clients are considered remote access clients, I am wondering whether these steps help my scenario. Please clarify if I missed anything.


Thank you

MS
