Hi Paul I am not sure, if the ISAKMP profiles will affect the outbound property. Under the ISAKMP profiles "initiate mode" of whether AM or MM seems to be initiating property.
The outbound things that needs to sent in the ISAKMP phase 1 are ISAKMP polices DH key exchange Pre-shared key or Certs ISAKMP profiles has the keyring and may be can send them. But, there is no option to associate a trustpoint to send the certs. Please share your findings after your lab. With regards Kings On Fri, Apr 2, 2010 at 5:03 PM, Paul Stewart <[email protected]> wrote: > Kings, > > Thanks for the quick reply. What triggerred my thought process was the asa > to router VPN config in Yusuf's lab one. The question requires that the ios > check for an issuer string and a subject string. The cert map is called in > the isakmp profile. The crypto map calls the profile. It seems to me that > the checks would definitely happen on outbound connections. However on > inbound connections, a failed match would just mean there is no isakmp > profile if the crypto map set isakmp-profile is not enforced on inbound > connections. That's the clarification I'm trying to work through. > > > > On Apr 2, 2010, at 7:07 AM, Kingsley Charles <[email protected]> > wrote: > > Comments line > > On Fri, Apr 2, 2010 at 4:04 PM, Paul Stewart <[email protected]> wrote: > > >> I have a simple question about isakmp-profiles with IOS. My >> understanding is that if you use a match statement within the profile >> and it returns true that this is an responder profile. If there is a >> "set isakmp-profile" statement in the crypto map this is an initiator >> profile. So my question is does the "set isakmp-profile" statement in >> the crypto map "lock" that crypto map peer to the isakmp profile. In >> other words if an incoming isakmp session matched another (or matched >> no profiles) but was still valid based on other isakmp parameters, >> would the peer establishment be permitted. I will probably lab it up >> tonight to experiment with it myself, but was curious as to what >> others experiences were. >> >> >> > > More or less, it is a lock only. The ISAKMP pofiles have been brought in to > solve > issues when there are two IPSec polices matching a same IKE request. > > Two reasons for which ISAKMP profiles are used now are: > > *DMVPN hub and EzVPN server on the same router* > > Due to this spokes are requested for Xauth. ISAKMP resolves this issue > > *IPSec with VRFs* > > IPSec with VRFs require ISAKMP profiles as request comes to the same IPSec > profile > > > The ISAKMP profile pulls the IKE request before getting considered > globally. > If the ISAKMP request doesn't match any profiles, then it gets checked for > the global keys or trustpoint. > > > > > > >> Similarly in the ASA, we have tunnel-group-maps to land connections on >> profiles. Are those bi-directional. In other words, if I had a >> created 3 for a single peer an of those tunnel-groups 1). that matched >> an OU in a cert and 2) one that matched the only IP address, and 3) >> one that mapped the IKE ID, Would the selection of an outbound >> connection profile in the initiator role be the same as the selection >> of an inbound connection profile in the responder role with the same >> peer in every case? >> >> > > > I think, Tunnel group is only for recieving not for initially. The order of > tunnel group land check is > > > 1. OU > 2. IKE ID > 3. IP address > > The crypto map is the one that initiate the VPN connection. > > With regards > King > >> _______________________________________________ >> For more information regarding industry leading CCIE Lab training, please >> visit www.ipexpert.com >> >> > >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
