
New Member

VTI ipsec question.

Trying to set up an IPsec tunnel, I was reading some articles on the web like:

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-ipsec-virt-tunnl.html

I was used to setting up IPsec sessions using the crypto map concept.

So my question is how do I specify the "isakmp policy" that I want to use for phase 1 using the tunnel concept.

Let's suppose I have several IPsec sessions running and I need different ISAKMP policies. Before, I used to do:

    crypto isakmp policy 1
     ! USED BY VPN 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     ! USED BY VPN 2
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp key YYYYYY address XXXXXXX
    crypto isakmp key YYYYYY address XXXXXXX
    .
    .
    crypto map CRYPTO 1 ipsec-isakmp
     description "VPN1"
     set peer XXXXXXX
     set transform-set TRAN1
     match address XXX
    !
    crypto map CRYPTO 20 ipsec-isakmp
     ! USING "20" SEQUENCE NUMBER, POLICY 20 IS ASSIGNED.
     description "VPN2"
     set peer XXXXXXX
     set transform-set TRANS2
     match address XXXX

Any help would be great.

Thanks.

ACCEPTED SOLUTION
VIP Purple

Re: VTI ipsec question.

The concept of ISAKMP policies is the same as before with crypto maps. And you can also mix VPNs with crypto maps and VPNs with VTIs on the same router.

So in your example, if you are the initiator, both policies (well, both are the same, which doesn't make any sense) are sent to the peer as a suggestion, and the responder will (hopefully) choose one based on the priority (lower numbers have higher priority). That is independent of the tunnel type.

What often changes in modern deployments is that the PSKs are not configured in the global config, but in crypto keyrings that can be matched by ISAKMP profiles:

    crypto keyring STATIC-VPN
      pre-shared-key address 198.51.100.10 key cisco1234
      pre-shared-key address 192.0.2.10 key cisco456

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

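As an added example (not from the original thread or the reply above), this is how the keyring and ISAKMP profile the reply mentions get tied to a VTI: the profile picks the keyring per peer identity, the IPsec profile references the ISAKMP profile, and the tunnel interface carries the protection. The names, the peer address 198.51.100.10, the tunnel addressing and the AES/SHA-256 algorithm names (which assume a 15.x image) are all assumptions.

```cisco
! ISAKMP policies stay global and are still chosen by priority during
! phase 1 negotiation, exactly as with crypto maps; nothing here pins
! policy 10 to the tunnel. What IS per-peer is the keyring/profile pair.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Per-peer PSK lives in a keyring instead of "crypto isakmp key ...".
crypto keyring KR-VPN1
  pre-shared-key address 198.51.100.10 key cisco1234
!
! The ISAKMP profile binds the keyring to a peer identity so only that
! peer can match it (the /32 mask keeps it from matching other peers).
crypto isakmp profile PROF-VPN1
  keyring KR-VPN1
  match identity address 198.51.100.10 255.255.255.255
!
crypto ipsec transform-set TS-VPN1 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The IPsec profile replaces the crypto map entry and carries the
! phase 2 proposal plus the reference to the ISAKMP profile.
crypto ipsec profile IPSEC-VPN1
 set transform-set TS-VPN1
 set isakmp-profile PROF-VPN1
!
! The VTI: tunnel source/destination replace "set peer", and routing
! through Tunnel1 replaces "match address" (no crypto ACL needed).
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN1
```

Once the tunnel is up, "show crypto isakmp sa detail" shows which policy the two peers actually agreed on, which is the place to confirm phase 1 selection rather than the tunnel config.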