I am trying to make a configuration where I have multiple ISAKMP profiles, and I want each profile to use its own pre-shared key, BUT the clients are not Cisco (they are Linksys, so I cannot use groups) AND the IP addresses of the clients are not fixed.
So i have the following configuration:
crypto keyring llave1
 pre-shared-key address 0.0.0.0 0.0.0.0 key llave1
crypto keyring llave2
 pre-shared-key address 0.0.0.0 0.0.0.0 key llave2
crypto isakmp profile L2L-2
 match identity user domain cliente2.com
crypto isakmp profile L2L
 match identity user domain cliente1.com
crypto dynamic-map L2L 5
 set transform-set 3des_sha
 set isakmp-profile L2L
 match address 101
crypto dynamic-map L2L-2 6
 set transform-set 3des_sha
 set isakmp-profile L2L-2
 match address 102
When I start the VPN from my client using the cliente1.com domain and the key llave1, it works great, BUT when I start the VPN from my client using the cliente2.com domain and the key llave2, it does not work at all (the debug shows something like a malformed packet).
Then I checked that if I swap the "crypto keyring" commands, putting "crypto keyring llave2" before "crypto keyring llave1", the only client that works is the cliente2.com domain.
The question is: Is it possible to do what I am trying to accomplish?
No. I asked a Cisco SE (I am attaching the document with my question), and here is his answer:
That is expected. For MM PSK, the key is picked right at the beginning based on the IP address, so we'll always pick the first match.
And then at MM5, when the profile is picked based on FQDN, if the configured keyring is not what we used earlier, we'll fail.
If you can use a separate termination point for each cust/vrf, then you can separate the keys. Let's say you use 2 loopbacks for 2 customers.
Then by defining the loopback as the 'local-address' under each keyring and ISAKMP profile, you can limit the keyring selection based on the IKE destination (loopback address). But this will work with VTI, not with crypto maps, since we need a crypto map per IKE endpoint. I assume these are all non-Cisco CPEs, so VTI or even EzVPN (where we won't even have this problem) is out of the question.
If using crypto maps, and to be able to use 'local-address', you will need an intf/subintf per vrf and apply the respective crypto maps. Then you can either use fvrf to separate the keys, or use 'local address' to separate the keys.
The local-address CLI came in 12.3(11)T, so you need an image after that.
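The two-loopback layout the SE describes, written out as an added example (not the original poster's config and not supplied by the SE). It reuses the thread's keyring, profile and dynamic-map names; the loopback addresses (TEST-NET-1), the subinterface names, the crypto map names and the `keyring` lines under the profiles are constructed assumptions that the thread's excerpt does not show.

```cisco
! Constructed addresses (TEST-NET-1) and interface names; substitute your own.
interface Loopback1
 description IKE termination point for cliente1.com
 ip address 192.0.2.1 255.255.255.255
interface Loopback2
 description IKE termination point for cliente2.com
 ip address 192.0.2.2 255.255.255.255
!
! Each keyring is bound to one loopback, so the MM1 key lookup is scoped by
! the IKE destination address instead of "first wildcard match wins".
crypto keyring llave1
 local-address Loopback1
 pre-shared-key address 0.0.0.0 0.0.0.0 key llave1
crypto keyring llave2
 local-address Loopback2
 pre-shared-key address 0.0.0.0 0.0.0.0 key llave2
!
! The profile chosen at MM5 by FQDN names the same keyring and the same
! local-address, so the MM1 and MM5 selections can no longer disagree.
crypto isakmp profile L2L
 keyring llave1
 local-address Loopback1
 match identity user domain cliente1.com
crypto isakmp profile L2L-2
 keyring llave2
 local-address Loopback2
 match identity user domain cliente2.com
!
! One crypto map per termination point (the SE's "crypto map per IKE
! endpoint"), each sourced from its loopback and tied to the thread's
! existing dynamic-map.
crypto map MAP-L2L local-address Loopback1
crypto map MAP-L2L 10 ipsec-isakmp dynamic L2L
crypto map MAP-L2L-2 local-address Loopback2
crypto map MAP-L2L-2 10 ipsec-isakmp dynamic L2L-2
!
! One subinterface per customer carries its own crypto map (assumed names).
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 198.51.100.1 255.255.255.0
 crypto map MAP-L2L
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 198.51.100.129 255.255.255.128
 crypto map MAP-L2L-2
```

Each CPE must peer with its own loopback address (192.0.2.1 for cliente1.com, 192.0.2.2 for cliente2.com) and those loopbacks must be routable from the Internet; as the SE notes, the `local-address` keywords require 12.3(11)T or later.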