10-20-2002 09:37 PM - edited 02-20-2020 10:18 PM
I'm looking to configure a PIX (v6.2) to accept connections from various IPSec VPN clients which will be connecting from dynamically assigned IP addresses (no way to predict ranges). The clients will be anything from xDSL routers to dialup clients. (In general, they will not be using Cisco's own VPN client software, although I don't think this fact is particularly important here). We'll be using Pre-Shared IKE key(s).
Since I don't know in advance what IP addresses the VPN clients will be connecting from, I need to set the pre-shared key using a command such as:-
isakmp key <keystring> address 0.0.0.0 netmask 0.0.0.0
This sets a pre-shared key of <keystring> for all potential peers.
My question is: Can I set more than one pre-shared key for the same range - i.e. 0.0.0.0/0.0.0.0? (I don't yet have the PIX to try this out on). I want different users to have different pre-shared keys.
I know I could set a different pre-shared key for different IP addresses or subnets by using multiple "isakmp key" commands with different "address" and "netmask" values, but my specific requirement is to have multiple different pre-shared keys for the catch-all range as above.
Is this possible, or is there a different way to achieve what I have in mind?
Thanks in advance for any help or ideas.
10-21-2002 05:04 AM
The only way to do it is with the Cisco 3000 Client - it supports groups and allows different group names to use different preshared keys.
10-21-2002 03:53 PM
Thanks for your help.
Do you know what happens if more than one pre-shared key exists on any particular IP address range? I.e. Two ranges might overlap.
For example:-
isakmp key 123456 address 0.0.0.0 netmask 0.0.0.0
isakmp key abcdef address 192.168.0.0 netmask 255.255.255.0
In this case, the second range is a subset of the first.