New Member

IOS IPSEC - Manual ISAKMP

Hi,

I configured an IPSEC VPN between 2 sites with ISAKMP turned off. Currently it works, but the problem is that only access-list sequence number one is bound to the IPSEC; the subsequent entries of access-list 121 do not appear on IPSEC when I perform show crypto ipsec sa. Why? Normally, if using dynamic ISAKMP, we can see all the sources and destinations defined on the access-list.

When I perform the ping test I can only ping from the 192.168.7.0 network to the 172.17.1.0 hosts, not the others.

If I remove the first sequence, then from 192.168.8.0 I can ping the 172.17.1.0 hosts.

E.g.

access-list 121 permit ip 192.168.7.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 121 permit ip 192.168.8.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 121 permit ip 193.168.1.0 0.0.0.255 172.17.1.0 0.0.0.255

4 REPLIES
Cisco Employee

Re: IOS IPSEC - Manual ISAKMP

This is a restriction of using ipsec-manual. You can only specify one line in the ACL; the subsequent lines are ignored.

New Member

Re: IOS IPSEC - Manual ISAKMP

Thanks for the answer.

Another question is, if I have the same router/interface/crypto map, is it possible to build IPSEC to one site with manual ISAKMP and to another site with auto ISAKMP?

If possible, how, and can you provide the config?

Many Thanks.

New Member

Re: IOS IPSEC - Manual ISAKMP

Yes, you can. You can use one long crypto map with different sequence numbers, and you can use whichever method you want for each part of this crypto map. For example:

crypto map test 10 ipsec-manual
 set peer ...
 match address ...
 ...
crypto map test 20 ipsec-isakmp
 set peer ...
 match address ...
 ...

For manual IPsec, a sample configuration:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093c26.shtml

Hope this helps.
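The two points made in this thread, that an ipsec-manual crypto map entry honours only the first line of its crypto ACL and that ipsec-manual and ipsec-isakmp entries can share one crypto map, can be turned into a small configuration audit. The following is an added example, not code from the thread or from Cisco: it parses a constructed IOS-style configuration (the peer addresses and ACL 122 are invented for illustration) and reports every ipsec-manual entry whose ACL has extra lines that would be silently ignored.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): entry 10 is ipsec-manual and
# matches a three-line ACL, entry 20 is ipsec-isakmp and matches a two-line ACL.
SAMPLE_CONFIG = """
access-list 121 permit ip 192.168.7.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 121 permit ip 192.168.8.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 121 permit ip 193.168.1.0 0.0.0.255 172.17.1.0 0.0.0.255
access-list 122 permit ip 10.1.0.0 0.0.255.255 172.17.2.0 0.0.0.255
access-list 122 permit ip 10.2.0.0 0.0.255.255 172.17.2.0 0.0.0.255
crypto map test 10 ipsec-manual
 set peer 203.0.113.10
 match address 121
crypto map test 20 ipsec-isakmp
 set peer 203.0.113.20
 match address 122
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.*)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (ipsec-manual|ipsec-isakmp)$")
MATCH_RE = re.compile(r"^match address (\S+)$")


def parse_config(text):
    """Return (acls, entries): ACL number -> list of ACE lines, and a list of
    (map name, sequence, type, matched ACL number) per crypto map entry."""
    acls = defaultdict(list)
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(line)
        elif m := MAP_RE.match(line):
            current = [m.group(1), int(m.group(2)), m.group(3), None]
            entries.append(current)  # list is mutated when 'match address' follows
        elif current is not None and (m := MATCH_RE.match(line)):
            current[3] = m.group(1)
    return acls, [tuple(e) for e in entries]


def audit_manual_entries(text):
    """List ipsec-manual entries whose crypto ACL has more than one line.
    Only the first ACE is used by such an entry; the rest is unprotected traffic."""
    acls, entries = parse_config(text)
    findings = []
    for name, seq, kind, acl in entries:
        aces = acls.get(acl, [])
        if kind == "ipsec-manual" and len(aces) > 1:
            findings.append({"entry": f"{name} {seq}", "acl": acl,
                             "active": aces[0], "ignored": aces[1:]})
    return findings
```

Running `audit_manual_entries(SAMPLE_CONFIG)` flags only `test 10`, listing the 192.168.8.0 and 193.168.1.0 lines as ignored, which matches the ping behaviour the original poster saw.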
