Paul,

When the profile is applied to a peer it is also going to be checked
inbound.

This can be verified by configuring "crypto isakmp identity dn" globally
and then applying "self-identity address" under your isakmp profile.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com
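The verification Tyson describes, written out as an added IOS configuration example (not from either poster; peer address, keyring, transform-set, ACL and profile names are assumed placeholders). The global identity is set to dn, but the profile overrides it with self-identity address, so the peer sees this router identify itself by address in both the initiator role (via set isakmp-profile in the crypto map) and the responder role (via the match identity statement):

```cisco
! Global IKE identity: send the certificate DN by default
crypto isakmp identity dn
!
crypto keyring KR-PEER-A
 pre-shared-key address 203.0.113.2 key EXAMPLE-PSK
!
! Profile bound to one peer; match identity is what an inbound
! negotiation is checked against, self-identity overrides the global
! identity type for sessions that land on this profile
crypto isakmp profile PROF-PEER-A
 keyring KR-PEER-A
 self-identity address
 match identity address 203.0.113.2 255.255.255.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! set isakmp-profile ties outbound negotiations to the same profile
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 set isakmp-profile PROF-PEER-A
 match address 101
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
```

With this in place, the identity type sent to the peer is address whether this side initiates or responds; if the profile were only honoured outbound, an inbound negotiation would fall back to the global dn identity and the peer's identity check would fail.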

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Friday, April 02, 2010 6:35 AM
To: [email protected]
Subject: [OSL | CCIE_Security] isakmp-profiles

I have a simple question about isakmp-profiles with IOS.  My
understanding is that if you use a match statement within the profile
and it returns true, this is a responder profile.  If there is a
"set isakmp-profile" statement in the crypto map, this is an initiator
profile.  So my question is: does the "set isakmp-profile" statement in
the crypto map "lock" that crypto map peer to the isakmp profile?  In
other words, if an incoming isakmp session matched another profile (or
matched no profiles) but was still valid based on other isakmp
parameters, would the peer establishment be permitted?  I will probably
lab it up tonight to experiment with it myself, but was curious as to
what others' experiences were.

Similarly in the ASA, we have tunnel-group-maps to land connections on
profiles.  Are those bi-directional?  In other words, if I had created
3 for a single peer, and of those tunnel-groups 1) one matched an OU in
a cert, 2) one matched only the IP address, and 3) one mapped the IKE
ID, would the selection of an outbound connection profile in the
initiator role be the same as the selection of an inbound connection
profile in the responder role with the same peer in every case?
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

