I'm not at a PC, but I think the trustpoint can be assigned in the isakmp
profile. Maybe 'ca trustpoint'.
On Apr 2, 2010, at 8:00 AM, Kingsley Charles
<[email protected]> wrote:
Hi Paul,
I am not sure if the ISAKMP profiles will affect the outbound
property. Under the ISAKMP profiles, "initiate mode" of whether AM or
MM seems to be an initiating property.
The outbound things that need to be sent in the ISAKMP phase 1 are:
ISAKMP policies
DH key exchange
Pre-shared key or certs
ISAKMP profiles have the keyring and maybe can send them. But there
is no option to associate a trustpoint to send the certs.
Please share your findings after your lab.
With regards
Kings
On Fri, Apr 2, 2010 at 5:03 PM, Paul Stewart <[email protected]> wrote:
Kings,
Thanks for the quick reply. What triggered my thought process was
the ASA-to-router VPN config in Yusuf's lab one. The question
requires that the IOS check for an issuer string and a subject
string. The cert map is called in the isakmp profile. The crypto map
calls the profile. It seems to me that the checks would definitely
happen on outbound connections. However, on inbound connections, a
failed match would just mean there is no isakmp profile if the
crypto map "set isakmp-profile" is not enforced on inbound
connections. That's the clarification I'm trying to work through.
On Apr 2, 2010, at 7:07 AM, Kingsley Charles <[email protected]> wrote:
Comments inline
On Fri, Apr 2, 2010 at 4:04 PM, Paul Stewart <[email protected]> wrote:
I have a simple question about isakmp-profiles with IOS. My
understanding is that if you use a match statement within the profile
and it returns true, this is a responder profile. If there is a
"set isakmp-profile" statement in the crypto map, this is an initiator
profile. So my question is: does the "set isakmp-profile" statement in
the crypto map "lock" that crypto map peer to the isakmp profile? In
other words, if an incoming isakmp session matched another profile (or
matched no profiles) but was still valid based on other isakmp
parameters, would the peer establishment be permitted? I will probably
lab it up tonight to experiment with it myself, but was curious as to
what others' experiences were.
More or less, it is a lock only. The ISAKMP profiles have been
brought in to solve issues when there are two IPSec policies matching
the same IKE request.
Two reasons for which ISAKMP profiles are used now are:
DMVPN hub and EzVPN server on the same router
Due to this, spokes are requested for Xauth. ISAKMP resolves this
issue.
IPSec with VRFs
IPSec with VRFs requires ISAKMP profiles, as the request comes to the
same IPSec profile.
The ISAKMP profile pulls the IKE request before it gets considered
globally.
If the ISAKMP request doesn't match any profiles, then it gets
checked against the global keys or trustpoint.
Similarly, in the ASA we have tunnel-group-maps to land connections on
profiles. Are those bi-directional? In other words, if I had created 3
tunnel-groups for a single peer: 1) one that matched an OU in a cert,
2) one that matched only the IP address, and 3) one that mapped the
IKE ID, would the selection of an outbound connection profile in the
initiator role be the same as the selection of an inbound connection
profile in the responder role with the same peer in every case?
I think tunnel-group is only for receiving, not for initiating. The
order of the tunnel-group landing check is:
OU
IKE ID
IP address
The crypto map is the one that initiates the VPN connection.
With regards
King
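As an added illustration of the two selection paths the thread discusses (not configuration from anyone in this thread): the "match" lines under each isakmp profile drive responder-side profile selection, "ca trust-point" ties a trustpoint to the profile, and "set isakmp-profile" in the crypto map binds the initiator side for that peer. All trustpoint, map, keyring and ACL names, the addresses and the placeholder key are assumptions.

```cisco
! Constructed example: LAB-CA, CERTMAP, PSK-KEYS, CERT-PROF, PSK-PROF,
! VPN-ACL/VPN2-ACL, 192.0.2.1 (certificate peer) and 198.51.100.2
! (pre-shared-key peer) are all assumed names and addresses.
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.test:80
 revocation-check none
!
! Certificate map: the issuer/subject string checks applied to the peer
! certificate when this profile is matched on inbound IKE.
crypto pki certificate map CERTMAP 10
 issuer-name co cn = lab ca
 subject-name co ou = vpn
!
crypto keyring PSK-KEYS
 pre-shared-key address 198.51.100.2 key PLACEHOLDER-PSK
!
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
! Responder side: an incoming IKE request lands on CERT-PROF only when the
! peer certificate matches CERTMAP; ca trust-point restricts which
! trustpoint this profile uses for certificate authentication.
crypto isakmp profile CERT-PROF
 ca trust-point LAB-CA
 match certificate CERTMAP
!
! Responder side: PSK-PROF is selected by the peer's address identity.
crypto isakmp profile PSK-PROF
 keyring PSK-KEYS
 match identity address 198.51.100.2 255.255.255.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Initiator side: set isakmp-profile binds the outbound negotiation to
! the named profile for that crypto map peer.
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 set isakmp-profile CERT-PROF
 match address VPN-ACL
crypto map CM 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 set isakmp-profile PSK-PROF
 match address VPN2-ACL
```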
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please visit www.ipexpert.com