Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Branch Office to Head office connectivity

Dear Friends,

Both Head Office and Branch Office have Cisco IOS routers running GRE over IPSec VPN's on their primary links. The IPSec VPN is certificate based. For backup link (ISDN), it has been decided to go for IPSec VPN's again with pre-shared keys.

Both the primary and backup ISDN links terminate on the same router in Head Office as well as Branch office.

The Head office is 3800 series router and Branch office end is 2800 series router.

The problem is in the ISAKMP policies.

If i have one ISAKMP policy on the router for Certificate Based vpn and the other for Pre shared keys, how do i define that the primary interface always initiates a Certificate VPN and the secondary ISDN interface always initiates a pre-shared key VPN?

In other words, is it possible to define which isakmp policy takes effect on a per interface basis?

Please note that both primary and backup links terminate on the same router. If it was a different router, i know that it would have been easily achieved.

Please find enclosed the config of the BO router for your reference.

Looking forward for some help on this.

Thanks a lot



Re: Branch Office to Head office connectivity

The Certificate to ISAKMP Profile Mapping feature enables you to assign an Internet Security Association and Key Management Protocol (ISAKMP) profile to a peer on the basis of the contents of arbitrary fields in the certificate. In addition, this feature allows you to assign a group name to those peers that are assigned an ISAKMP profile.

Refer the followin gurl for more information about the configuration: