TCC_2
Level 10

Core issue

An Internet Security Association and Key Management Protocol (ISAKMP) policy exists for a tunnel. A new policy is entered, but the PIX/ASA still shows only one ISAKMP policy when the show run command is issued.

Resolution

The PIX/ASA does not keep more than one ISAKMP policy with the same set of parameters, so it does not accept a configuration such as the following, where policies 10 and 20 are identical:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Because the two policies are identical, the PIX/ASA keeps only one of them. ISAKMP policies are evaluated in order from the lowest policy number to the highest until one matches the peer's proposal, so a second identical policy would never be selected anyway.
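As an added example (my own code, not from the original post or from Cisco), the Python model below parses the policy lines above, keeps only one of the two identical policies, and then walks the surviving policies lowest number first to select one for a peer's proposal. The attribute names, the "keep the lowest-numbered duplicate" rule and the treatment of lifetime are assumptions drawn from the text, not device behaviour I have verified.

```python
# Added example (not PIX/ASA code): a model of the ISAKMP policy behaviour the post describes.
import re

ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_policies(config_text):
    """Group 'isakmp policy <n> <attr> <value>' lines by policy number."""
    policies = {}
    for line in config_text.strip().splitlines():
        m = re.match(r"^isakmp policy (\d+) (\w+) (\S+)$", line.strip())
        if m:  # lines that are not ISAKMP policy statements are skipped
            prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
            if attr not in ATTRS:
                raise ValueError(f"unknown attribute in line: {line!r}")
            policies.setdefault(prio, {})[attr] = value
    return policies

def collapse_duplicates(policies):
    """Two policies with the same attribute set are not both kept; this
    model retains the lowest-numbered one, as in the post's example."""
    kept = {}
    for prio in sorted(policies):
        key = tuple(sorted(policies[prio].items()))
        kept.setdefault(key, prio)
    return {prio: policies[prio] for prio in sorted(kept.values())}

def select_policy(policies, proposal):
    """Lowest number first, return the first policy whose auth/encryption/hash/group
    equal the proposal (lifetime is negotiated, not matched exactly; ignored here)."""
    for prio in sorted(policies):
        if all(policies[prio].get(a) == proposal.get(a) for a in ATTRS[:4]):
            return prio
    return None

# Constructed sample: the two identical policies from the post.
SAMPLE_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
"""

def running_config():
    return collapse_duplicates(parse_policies(SAMPLE_CONFIG))
```

Running `running_config()` returns only policy 10, and a proposal matching a different peer with the same parameters still selects policy 10, which is why one policy serves any number of tunnels that use those settings.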

Comments
Chris McCann
Level 1

I am a bit of a novice on these devices, but can anyone help? I need to create a second tunnel using the same policy settings. How would I go about doing this? So far I have the following. This second tunnel is for a different peer.

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer aaa.aaa.aaa.aaa
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer bbb.bbb.bbb.bbb
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

and would like to add:

isakmp policy 21 authentication pre-share
isakmp policy 21 encryption aes-256
isakmp policy 21 hash sha
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800

I have made an assumption that the policy numbers are references to the two different tunnels I wish to use.

Many thanks,

C.
