On Fri, Apr 2, 2010 at 4:04 PM, Paul Stewart <[email protected]> wrote:
> I have a simple question about isakmp-profiles with IOS. My
> understanding is that if you use a match statement within the profile
> and it returns true that this is a responder profile. If there is a
> "set isakmp-profile" statement in the crypto map this is an initiator
> profile. So my question is, does the "set isakmp-profile" statement in
> the crypto map "lock" that crypto map peer to the isakmp profile? In
> other words, if an incoming isakmp session matched another (or matched
> no profiles) but was still valid based on other isakmp parameters,
> would the peer establishment be permitted? I will probably lab it up
> tonight to experiment with it myself, but was curious as to what
> others' experiences were.

More or less, it is a lock only. The ISAKMP profiles were brought in to solve issues when there are two IPsec policies matching the same IKE request. Two reasons for which ISAKMP profiles are used now are:

*DMVPN hub and EzVPN server on the same router*
Because of this, spokes are asked for Xauth. ISAKMP profiles resolve this issue.

*IPsec with VRFs*
IPsec with VRFs requires ISAKMP profiles, as the request comes to the same IPsec profile.

The ISAKMP profile pulls the IKE request before it gets considered globally. If the ISAKMP request doesn't match any profile, then it gets checked against the global keys or trustpoint.

> Similarly in the ASA, we have tunnel-group-maps to land connections on
> profiles. Are those bi-directional? In other words, if I had
> created 3 for a single peer, and of those tunnel-groups 1) one matched
> an OU in a cert, 2) one matched only the IP address, and 3)
> one mapped the IKE ID, would the selection of an outbound
> connection profile in the initiator role be the same as the selection
> of an inbound connection profile in the responder role with the same
> peer in every case?

I think the tunnel group is only for receiving, not for initiating. The order of the tunnel-group landing check is:
1. OU
2. IKE ID
3. IP address

The crypto map is the one that initiates the VPN connection.

With regards
King
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
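As an added illustration of the two-profile case King describes (a DMVPN hub and an EzVPN server on the same IOS router), the following configuration is not from the thread and not from either poster; every name in it (DMVPN-PROF, EZVPN-PROF, EZVPN-GROUP, the keyring, pool, AAA lists and the placeholder keys) is a hypothetical value chosen for the example. It shows the responder side, where `match identity` decides which profile an incoming IKE request lands on, and the initiator side, where `set isakmp-profile` in the IPsec profile or crypto map pins the router's own outbound negotiations to one profile:

```cisco
! --- Hypothetical example, not configuration from the thread ---
aaa new-model
aaa authentication login EZVPN-AUTH local
aaa authorization network EZVPN-AUTHOR local

crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14

! Keyring holding the DMVPN spokes' wildcard pre-shared key (placeholder).
crypto keyring DMVPN-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN-PSK-PLACEHOLDER

! EzVPN group policy: clients present this group name as their IKE identity.
ip local pool EZVPN-POOL 10.1.1.10 10.1.1.50
crypto isakmp client configuration group EZVPN-GROUP
 key EZVPN-GROUP-PSK-PLACEHOLDER
 pool EZVPN-POOL

! Responder-side selection: an incoming request whose identity is a
! plain IP address lands here and is never asked for Xauth.
crypto isakmp profile DMVPN-PROF
 keyring DMVPN-KEYS
 match identity address 0.0.0.0

! EzVPN clients identify with the group name, so only they land here,
! and only they get the Xauth prompt that the DMVPN spokes must not see.
crypto isakmp profile EZVPN-PROF
 match identity group EZVPN-GROUP
 client authentication list EZVPN-AUTH
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond

crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport

! Initiator-side binding: the IPsec profile on the mGRE tunnel pins the
! hub's own outbound negotiations to DMVPN-PROF.
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-PROF

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-IPSEC

! The EzVPN side is responder-only, so it lives on a dynamic crypto map.
crypto dynamic-map EZVPN-DYN 10
 set transform-set DMVPN-TS
 set isakmp-profile EZVPN-PROF
 reverse-route
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN

interface GigabitEthernet0/0
 crypto map EZVPN-MAP
```

To check which profile a peer actually landed on, `show crypto isakmp profile` lists each profile with its match rules, and `show crypto session detail` shows the profile bound to each active peer. A spoke that shows up under EZVPN-PROF instead of DMVPN-PROF is exactly the mis-selection that produces the unwanted Xauth prompt King mentions, and a peer that matches no profile at all falls through to the global pre-shared keys or trustpoint, as his reply describes. The keys above are placeholders and must be replaced before any of this is used.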
