Cisco Support Community
New Member

multiple ISAKMP policies?

When you have multiple isakmp policies defined, how do you know which policy your crypto map is using? For example:

crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key thisis the key address 14.70.84.194 no-xauth
crypto isakmp key thisisanotherkey address 218.172.178.131 no-xauth
!
crypto isakmp client configuration group swvpnclt
 key $1iMSW6
 dns 10.90.1.2
 domain lasvegas.nv.cisco.com
 pool vpnpool
!
!
crypto ipsec transform-set verysecurevpn esp-3des esp-md5-hmac
!
crypto dynamic-map cltvpn 10
 set transform-set verysecurevpn
!
!
crypto map ASHLEYVPN client authentication list userauthen
crypto map ASHLEYVPN isakmp authorization list groupauthor
crypto map ASHLEYVPN client configuration address respond
crypto map ASHLEYVPN 10 ipsec-isakmp dynamic cltvpn
crypto map ASHLEYVPN 30 ipsec-isakmp
 description IPSEC VPN to a customer.
 set peer 12.40.84.194
 set transform-set verysecurevpn
 match address accesslist
crypto map ASHLEYVPN 31 ipsec-isakmp
 description IPSEC VPN to another customer
 set peer 108.117.178.31
 set transform-set verysecurevpn
 match address accesslist
!

Thank you

2 REPLIES
Cisco Employee

Re: multiple ISAKMP policies?

Hi,

When the Client tries connecting to the PIX or any other VPN device, it will send almost the full set of IKE Proposals to the PIX. The PIX will match it to the first policy and then the second, then the next policy sent is matched the same way, and finally one of the sent policies matches either the first or the second policy defined on the PIX, and that's what they use.

Hope this explains the process,

Regards,

Aamir

-=-=-

Cisco Employee

Re: multiple ISAKMP policies?

Hi,

Also when the Client connects you can check to see what policies were used at the IKE by double-clicking on the Client session to get all that information.

Regards,

Aamir
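The matching process described in the first reply, applied to the two policies from the question. This is an added example, not code from the thread or from Cisco. It assumes the classic IOS defaults for unset attributes (DES, SHA, rsa-sig, group 1, lifetime 86400) and the documented responder order (local policies by priority, each checked against every received proposal); the offered proposals are constructed sample input.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Proposal(NamedTuple):
    # Defaults are the assumed classic IOS values for attributes left unset.
    encr: str = "des"
    hash_alg: str = "sha"
    auth: str = "rsa-sig"
    group: int = 1
    lifetime: int = 86400


# The two policies from the question, keyed by priority number.
LOCAL_POLICIES: Dict[int, Proposal] = {
    1: Proposal(hash_alg="md5", auth="pre-share"),
    5: Proposal(encr="3des", auth="pre-share", group=2),
}

# Constructed sample: a client offering its strongest proposal first.
CLIENT_OFFER: List[Proposal] = [
    Proposal("3des", "md5", "pre-share", 2),
    Proposal("3des", "sha", "pre-share", 2),
    Proposal("des", "md5", "pre-share", 1),
]


def matches(local: Proposal, offered: Proposal) -> bool:
    """Same encryption, hash, authentication and DH group, and the
    offered lifetime is no longer than the local one."""
    return (local[:4] == offered[:4]) and offered.lifetime <= local.lifetime


def select_policy(local: Dict[int, Proposal],
                  offered: List[Proposal]) -> Optional[Tuple[int, int]]:
    """Return (local priority, index of offered proposal) for the first match,
    walking local policies from lowest priority number upward."""
    for priority in sorted(local):
        for index, proposal in enumerate(offered):
            if matches(local[priority], proposal):
                return priority, index
    return None


if __name__ == "__main__":
    # Policy 1 (DES/MD5/group 1) wins even though 3DES was offered first.
    print(select_policy(LOCAL_POLICIES, CLIENT_OFFER))
    # A peer offering only 3DES/SHA/pre-share/group 2 lands on policy 5.
    print(select_policy(LOCAL_POLICIES, [Proposal("3des", "sha", "pre-share", 2)]))
```

The selected policy is not tied to a crypto map entry: the same policy list is evaluated for every peer, and the lowest-numbered policy that any offered proposal satisfies is the one used.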
