IOS IPSEC - Manual ISAKMP

tckoon
Level 1

Hi,

I configured an IPSEC VPN between 2 sites with ISAKMP turned off. Currently it works, but the problem is that only access-list sequence number one is bound to the IPSEC; the subsequent entries of access-list 121 do not appear on IPSEC when I perform show crypto ipsec sa. Why? Normally if using dynamic ISAKMP, we can see all the sources and destinations defined on the access-list.

When performing the ping test I can only ping from the 192.168.7.0 network to 172.17.1.0 hosts, not the others.

If I remove the first sequence, then 192.168.8.0 can ping the 172.17.1.0 hosts.

E.g.

access-list 121 permit ip 192.168.7.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 121 permit ip 192.168.8.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 121 permit ip 193.168.1.0 0.0.0.255 172.17.1.0 0.0.0.255

4 Replies

Harold Ritter
Cisco Employee

This is a restriction of using ipsec-manual. You can only specify one line in the ACL; the subsequent lines are ignored.

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Thanks for the answer.

Another question is if I have same router/interface/crypto map. Is it possible I build IPSEC to one site with Manual ISAKMP and another site with auto ISAKMP ?

If possible how and can you provide the config.

Many Thanks.


Yes, you can. You can have one long crypto map with different sequence numbers, and you can use whichever method you want for each part of this crypto map. For example:

crypto map test 10 ipsec-manual
 set peer ...
 match address ...
 ...
crypto map test 20 ipsec-isakmp
 set peer ...
 match address ...
 ...

For manual IPsec, a sample configuration:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093c26.shtml

Hope this helps.
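To put the two answers above together, here is an added, complete IOS configuration (example text written for this thread, not the poster's or Cisco's own config) that carries a manual-keyed entry and an ISAKMP-negotiated entry in the same crypto map on the same interface. The peer addresses, ACL numbers, transform-set and map names, SPIs and key strings are all assumed placeholders; the manual entry deliberately uses a single-line ACL because, as noted above, ipsec-manual honours only the first line.

```cisco
! Added example, not from the thread: one crypto map "VPNMAP" with a
! manual-keyed entry (seq 10) and an ISAKMP-negotiated entry (seq 20).
! All addresses, names, SPIs and keys are assumed placeholder values.

! --- ISAKMP (IKEv1) policy: only used by the seq 20 entry ---------------
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PRESHARED_KEY_PLACEHOLDER address 203.0.113.20

crypto ipsec transform-set TS_MANUAL esp-3des esp-sha-hmac
crypto ipsec transform-set TS_IKE esp-aes esp-sha-hmac

! --- ACL for the manual entry: keep it to ONE line, because ipsec-manual
! ignores every line after the first (the restriction discussed above).
access-list 121 permit ip 192.168.7.0 0.0.0.255 172.17.1.0 0.0.0.255

! --- ACL for the ISAKMP entry: every line is honoured here.
access-list 122 permit ip 192.168.8.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 122 permit ip 192.168.9.0 0.0.0.255 172.17.2.0 0.0.0.255

! --- Manual-keyed entry: static SPIs and keys, no lifetime, no rekey.
! The peer must configure the mirror image (our inbound = its outbound).
! 3DES cipher key = 48 hex digits, SHA-1 HMAC key = 40 hex digits;
! the strings below are placeholders, not keys to reuse.
crypto map VPNMAP 10 ipsec-manual
 set peer 203.0.113.10
 set transform-set TS_MANUAL
 set session-key inbound esp 1001 cipher 0123456789abcdef0123456789abcdef0123456789abcdef authenticator 0123456789abcdef0123456789abcdef01234567
 set session-key outbound esp 1002 cipher fedcba9876543210fedcba9876543210fedcba9876543210 authenticator fedcba9876543210fedcba9876543210fedcba98
 match address 121

! --- ISAKMP-negotiated entry: keys and SPIs come from IKE, all ACL lines apply.
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS_IKE
 match address 122

! Only one crypto map can be applied to an interface; both entries ride on it.
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```

After applying this, show crypto map lists both entries with their peers and ACLs, show crypto ipsec sa shows the manual SAs immediately (they exist as soon as the map is applied) and the ISAKMP SAs only after interesting traffic triggers negotiation, and show crypto isakmp sa shows the IKE peer for seq 20 only. Because manual SAs have no lifetime, their session keys stay in use until someone changes the configuration on both routers, which is the main reason to limit ipsec-manual to the one peer that genuinely cannot run ISAKMP.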