Cisco Support Community
Unable to enter a second ISAKMP policy in the PIX/ASA due to duplicate policies

Core issue

An Internet Security Association and Key Management Protocol (ISAKMP) policy already exists for a tunnel. A second policy with the same parameters is entered, but the PIX/ASA still shows only one ISAKMP policy in the output of show run.

Resolution

The PIX/ASA does not keep more than one ISAKMP policy with the same set of parameters, so the following two policies cannot coexist:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

The PIX/ASA keeps only one of the two policies, and the duplicate would add nothing: an ISAKMP policy is not tied to a particular peer. When a peer starts Phase 1, the PIX/ASA compares the peer's proposal against its policies from the lowest policy number to the highest and uses the first one that matches, so a single policy serves every peer that proposes those parameters. A second tunnel to a different peer therefore needs its own crypto map entry and pre-shared key, not a second copy of the policy. Note that the policies above use DES, MD5 and Diffie-Hellman group 1, which are weak by current standards; prefer AES, SHA and a larger group wherever the peer supports them.
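The two behaviours described above, a duplicate policy that is not retained and a lowest-to-highest walk until a proposal matches, modelled as an added Python example. This is illustrative code written for this page, not Cisco software, and it simplifies: the lifetime rule it applies (the peer's proposed lifetime must not exceed the local policy's, and the shorter value is used) follows Cisco's ISAKMP documentation rather than the article itself, and the peer proposals are constructed sample input.

```python
"""Model of PIX/ASA ISAKMP (IKEv1 Phase 1) policy handling.

Added example, not Cisco code. It mimics two behaviours the article
describes: (1) a second policy whose parameters duplicate an existing
one is not kept, and (2) policies are tried from the lowest priority
number to the highest until one matches the peer's proposal. The
lifetime rule (peer lifetime <= local lifetime, shorter one wins) is an
assumption taken from Cisco's ISAKMP documentation, not from the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Attributes that must be identical for a Phase 1 policy to match.
MATCH_ATTRS = ("authentication", "encryption", "hash_alg", "group")


@dataclass(frozen=True)
class IsakmpPolicy:
    authentication: str   # e.g. "pre-share", "rsa-sig"
    encryption: str       # e.g. "des", "3des", "aes-256"
    hash_alg: str         # e.g. "md5", "sha"
    group: int            # Diffie-Hellman group number
    lifetime: int         # SA lifetime in seconds

    def proposal(self) -> Tuple[str, str, str, int]:
        """The attributes compared during negotiation (lifetime excluded)."""
        return tuple(getattr(self, a) for a in MATCH_ATTRS)


class IsakmpPolicyTable:
    """Ordered ISAKMP policy table keyed by priority (lowest number wins)."""

    def __init__(self) -> None:
        self._policies: Dict[int, IsakmpPolicy] = {}

    def add(self, priority: int, policy: IsakmpPolicy) -> bool:
        """Add a policy. Returns False and leaves the table unchanged when an
        identical policy already exists under another priority, which is the
        'only one policy in show run' symptom the article describes."""
        for prio, existing in self._policies.items():
            if prio != priority and existing == policy:
                return False
        self._policies[priority] = policy
        return True

    def running_config(self) -> List[str]:
        """Render the table in 'isakmp policy N ...' form, lowest number first."""
        lines: List[str] = []
        for prio in sorted(self._policies):
            p = self._policies[prio]
            lines += [
                f"isakmp policy {prio} authentication {p.authentication}",
                f"isakmp policy {prio} encryption {p.encryption}",
                f"isakmp policy {prio} hash {p.hash_alg}",
                f"isakmp policy {prio} group {p.group}",
                f"isakmp policy {prio} lifetime {p.lifetime}",
            ]
        return lines

    def negotiate(self, peer: IsakmpPolicy) -> Optional[Tuple[int, int]]:
        """Walk policies from lowest to highest number and return
        (priority, agreed lifetime) for the first match, else None."""
        for prio in sorted(self._policies):
            local = self._policies[prio]
            if local.proposal() != peer.proposal():
                continue
            if peer.lifetime > local.lifetime:
                continue  # peer wants a longer SA than this policy allows
            return prio, min(local.lifetime, peer.lifetime)
        return None


def demo() -> dict:
    """Reproduce the article's duplicate-policy scenario and show that one
    policy serves several peers proposing the same parameters."""
    table = IsakmpPolicyTable()
    weak = IsakmpPolicy("pre-share", "des", "md5", 1, 86400)      # article's example
    strong = IsakmpPolicy("pre-share", "aes-256", "sha", 2, 28800)
    added_10 = table.add(10, weak)
    added_20 = table.add(20, weak)      # duplicate of policy 10: not kept
    added_30 = table.add(30, strong)
    # Constructed peer proposals: two peers matching policy 30, one mismatching.
    peer_a = IsakmpPolicy("pre-share", "aes-256", "sha", 2, 28800)
    peer_b = IsakmpPolicy("pre-share", "aes-256", "sha", 2, 3600)   # shorter lifetime
    peer_c = IsakmpPolicy("pre-share", "aes-256", "sha", 5, 28800)  # DH group mismatch
    return {
        "added": (added_10, added_20, added_30),
        "policy_count": len(table.running_config()) // 5,
        "peer_a": table.negotiate(peer_a),
        "peer_b": table.negotiate(peer_b),
        "peer_c": table.negotiate(peer_c),
    }


if __name__ == "__main__":
    for line in IsakmpPolicyTable().running_config():
        print(line)
    print(demo())
```

Running demo() shows the second copy of the DES/MD5 policy rejected, two policies in the rendered configuration, both matching peers landing on policy 30 (peer_b with its shorter 3600 s lifetime), and the group 5 proposal failing with no match.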

Comments

I am a bit of a novice on these devices, but can anyone help? I need to create a second tunnel using the same policy settings. How would I go about doing this? So far I have the following. This second tunnel is for a different peer.

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer aaa.aaa.aaa.aaa
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer bbb.bbb.bbb.bbb
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800

and would like to add

isakmp policy 21 authentication pre-share
isakmp policy 21 encryption aes-256
isakmp policy 21 hash sha
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800

I have made an assumption that the policy numbers are references to the two different tunnels I wish to use.

many thanks,

C.
