How and when to configure an ISAKMP profile for VPN tunnels on routers

TCC_2 · ‎06-22-2009

Core issue

The Internet Security Association and Key Management Protocol (ISAKMP) profile is an enhancement to ISAKMP configurations. It enables the modularity of the ISAKMP configuration for Phase 1 negotiations. This modularity allows mapping different ISAKMP parameters to different IPsec tunnels, and mapping different IPsec tunnels to different VPN forwarding and routing (VRF) instances.

ISAKMP profile enhancement was released as part of the VRF-aware IPsec feature in Cisco IOS Software Release 12.2(15)T. Today, many applications and enhancements use the ISAKMP profile, including quality of service (QoS), router certificate management, and Multiprotocol Label Switching (MPLS) VPN configurations.

Resolution

This list explains when to use an ISAKMP profile:

Any router with two or more IPsec connections that requires different Phase 1 parameters for different sites (for example, configuring site-to-site and remote access on the same router).
It is recommended to use the ISAKMP profile with Easy VPN Remote or Easy VPN Server configurations.
If custom Internet Key Exchange (IKE) Phase 1 policies are needed for different peers. For example, whether XAUTH is to be applied to a specific peer, rather than being applied on every connection.
An IPsec configuration using VRF-aware IPsec, which allows the use of a single IP address to connect to different peers with different IKE Phase 1 parameters.

For configuration help, refer to DMVPN and Easy VPN Server with ISAKMP Profiles and LAN-to-LAN and EzVPN Client on PIX with VPN Client Access to a Hub Router using ISAKMP Profiles.

If the IPsec VPN tunnel fails to come up with an ISAKMP profile on the router, refer IPSec VPN tunnel does not come up with ISAKMP profile on router and Understanding and Using debug Commands.

For additional help, refer to ISAKMP Profile Overview.

MHM Cisco World · ‎01-20-2022

Thanks for sharing this info.