Cisco Support Community

How to force Remote VPN client to use different ISAKMP policy

Hi All,

Cisco ASA5510 with IOS 8.0.4 acting as EZVPN server for clients with ASA5505 h/w to connect to enterprise n/w. Everything works great. The client uses the following ISAKMP policy:

************************
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
****************************

I am planning to add configs to the ASA5510 so that it also acts as an RA VPN server. Users' laptops are installed with Cisco VPN client sw: 4.8. I want to add another ISAKMP policy:

*******************************
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
*******************************

But how can I force the remote dial-in client to use the second ISAKMP policy? Is it possible, or do I need to go with the same policy (#1) and use a different IKE/transform-set?

Please suggest.

Thank you in advance

MS

3 REPLIES
Cisco Employee

Re: How to force Remote VPN client to use different ISAKMP polic

Hello MS,

It is my understanding that ISAKMP Policies are evaluated in order of priority, looking for the first match and there is no way to associate a policy to one specific EzVPN Client or RA Users.

Having said that, I would configure my preferred policy with the top priority and go from there.

Please do share your thoughts or any workaround that you come across. Thanks!!

Regards,

Arul

*Pls rate if it helps*
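An added illustration, not part of any reply in this thread and not Cisco code: a simplified Python model of the priority-ordered, first-match evaluation described in the reply above, run against the two policies from the question. The client names and offer lists are constructed, lifetime comparison is left out, and the set of algorithms flagged as legacy is this example's assumption.

```python
# Simplified model of priority-ordered ISAKMP policy matching (added example).
# Assumption: the responder walks its own policies from the lowest priority
# number upward and accepts the first one that any client proposal matches.
# Lifetime comparison is deliberately left out of this model.
from typing import NamedTuple

class Policy(NamedTuple):
    auth: str
    encryption: str
    hash: str
    group: int

# The two policies from the question, keyed by priority number.
AS_POSTED = {1: Policy("pre-share", "3des", "md5", 2),
             10: Policy("pre-share", "aes", "sha", 2)}
# Same policies with the preferred one given the top priority.
REORDERED = {1: AS_POSTED[10], 10: AS_POSTED[1]}

# Constructed client offers (hypothetical; not captured from real clients).
CLIENT_OFFERS = {
    "ezvpn-5505": [AS_POSTED[1]],
    "laptop-offers-both": [AS_POSTED[10], AS_POSTED[1]],
    "laptop-aes-only": [AS_POSTED[10]],
}
LEGACY = {"des", "3des", "md5"}  # assumption: algorithms to flag in the audit

def select_policy(policies, offered):
    """Return the priority of the first local policy matched by any offer, else None."""
    for priority in sorted(policies):
        if policies[priority] in offered:
            return priority
    return None

def audit(policies, clients=CLIENT_OFFERS):
    """Map each client to (selected priority, True if a legacy algorithm was chosen)."""
    result = {}
    for name, offered in clients.items():
        prio = select_policy(policies, offered)
        chosen = policies.get(prio)
        legacy = chosen is not None and bool({chosen.encryption, chosen.hash} & LEGACY)
        result[name] = (prio, legacy)
    return result

if __name__ == "__main__":
    for label, policies in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, audit(policies))
```

In this model, with the policies as posted, a client that offers both proposals lands on 3des/md5; with the preferred policy moved to the top priority it lands on aes/sha, while the 3des/md5-only EzVPN client still matches at priority 10.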

joe Bronze

Re: How to force Remote VPN client to use different ISAKMP polic

You can actually match members of a VPN group and assign phase 1 attributes by using ISAKMP profiles.

I suspect this tech doc will clear things up for you. Let me know if you would like to see a sample config and I'll work something together for you.

-Joe

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html

Re: How to force Remote VPN client to use different ISAKMP polic

Thank you Joe, but it looks like this doc gives information on creating different ISAKMP for different kinds of connectivity (remote, L2L). But both the EzVPN clients and remote access clients are considered remote access clients, so I am wondering whether the steps help my scenario. Please clarify if I missed anything.

Thank you

MS
