Both Head Office and Branch Office have Cisco IOS routers running GRE over IPSec VPNs on their primary links. The IPSec VPN is certificate based. For the backup link (ISDN), it has been decided to go for IPSec VPNs again with pre-shared keys.
Both the primary and backup ISDN links terminate on the same router in Head Office as well as Branch office.
The Head Office is a 3800 series router and the Branch Office end is a 2800 series router.
The problem is in the ISAKMP policies.
If I have one ISAKMP policy on the router for certificate-based VPN and the other for pre-shared keys, how do I define that the primary interface always initiates a certificate VPN and the secondary ISDN interface always initiates a pre-shared key VPN?
In other words, is it possible to define which ISAKMP policy takes effect on a per-interface basis?
Please note that both primary and backup links terminate on the same router. If it was a different router, I know that it would have been easily achieved.
Please find enclosed the config of the BO router for your reference.
The Certificate to ISAKMP Profile Mapping feature enables you to assign an Internet Security Association and Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of arbitrary fields in the certificate. In addition, this feature allows you to assign a group name to those peers that are assigned an ISAKMP profile.
Refer to the following URL for more information about the configuration:
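An added configuration sketch, not part of the original posts, showing how the ISAKMP profile feature mentioned in the reply can separate the two authentication methods on one router: ISAKMP policies stay global, and each crypto map (and therefore each interface) is tied to its own profile. All names, addresses and certificate fields are constructed placeholders, and it assumes the primary and ISDN links reach Head Office on different peer addresses and that the transform set and ACLs already exist.

```cisco
! Constructed example: names, addresses and certificate fields are placeholders.
! ISAKMP policies are global; hash, group and lifetime are omitted here.
crypto isakmp policy 10
 encryption aes 256
 authentication rsa-sig
crypto isakmp policy 20
 encryption aes 256
 authentication pre-share
!
! Pre-shared key kept in a named keyring, defined for the ISDN peer only
! (assumption: no global "crypto isakmp key" is configured).
crypto keyring BACKUP-KR
 pre-shared-key address 192.0.2.1 key <PSK-PLACEHOLDER>
!
! Certificate map: match on a field of the Head Office certificate.
crypto pki certificate map HO-CERT-MAP 10
 subject-name co ou = head-office
!
! Profile for the primary link: peers are matched by certificate contents.
crypto isakmp profile PRIMARY-CERT
 ca trust-point EXAMPLE-CA
 match certificate HO-CERT-MAP
!
! Profile for the ISDN backup: peer matched by address, key from BACKUP-KR.
crypto isakmp profile BACKUP-PSK
 keyring BACKUP-KR
 match identity address 192.0.2.1 255.255.255.255
!
! One crypto map per link, each bound to its own profile.
crypto map PRIMARY-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set EXAMPLE-TS
 set isakmp-profile PRIMARY-CERT
 match address PRIMARY-GRE
crypto map BACKUP-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set EXAMPLE-TS
 set isakmp-profile BACKUP-PSK
 match address BACKUP-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map PRIMARY-MAP
interface Dialer1
 crypto map BACKUP-MAP
```

The Head Office router needs the mirror-image profiles so that a pre-shared key is only accepted from the branch's ISDN address and certificate authentication is used for the primary peer.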