Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Multiple IKE Pre-Shared Keys for same peer IP (on PIX)?

I'm looking to configure a PIX (v6.2) to accept connections from various IPSec VPN clients which will be connection from dynamily assigned IP addresses (no way to predict ranges). The clients will be anything from xDSL routers to dialup clients. (In general, they will not be using Cisco's own VPN client software, although I don't think this fact is particularly improtant here). We'll be using Pre-Shared IKE key(s).

Since I don't know in advance what IP addresses the VPN clients will be connecting from, I need to set the pre-shared key using a command such as:-

isakmp key <keystring> address netmask

This sets a pre-shared key of <keystring> for all potential peers.

My question is: Can I set more than one pre-shared key for the same range - i.e. (I don't yet have the PIX to try this out on). I want different users to have different pre-shared keys.

I know I could set different pre-shared key for different IP addresses or subnets by using multiple "isakmp key" commands with different "address" and "netmask" values, but my specific requirement is to have multiple different pre-shared keys for the catch-all range as above.

Is this possible, or is there a sifferent way to achieve what I have in mind?

Thanks in advance for any help or ideas.

New Member

Re: Multiple IKE Pre-Shared Keys for same peer IP (on PIX)?

The only way to do it is with the Cisco 3000 Client - It supports groups and allows different group name to use different preshared keys.

New Member

Re: Multiple IKE Pre-Shared Keys for same peer IP (on PIX)?

Thanks for your help.

Do you know what happens if more than one pre-shared key exists on any particular IP address range? I.e. Two ranges might overlap.

For example:-

isakmp key 123456 address netmask

isakmp key abcdef address netmask

In this case, the second range is a subset of the first.