Beginner

multiple ISAKMP policies?

When you have multiple isakmp policies defined, how do you know which policy your crypto map is using? For example:

crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key thisis the key address 14.70.84.194 no-xauth
crypto isakmp key thisisanotherkey address 218.172.178.131 no-xauth
!
crypto isakmp client configuration group swvpnclt
 key $1iMSW6
 dns 10.90.1.2
 domain lasvegas.nv.cisco.com
 pool vpnpool
!
!
crypto ipsec transform-set verysecurevpn esp-3des esp-md5-hmac
!
crypto dynamic-map cltvpn 10
 set transform-set verysecurevpn
!
!
crypto map ASHLEYVPN client authentication list userauthen
crypto map ASHLEYVPN isakmp authorization list groupauthor
crypto map ASHLEYVPN client configuration address respond
crypto map ASHLEYVPN 10 ipsec-isakmp dynamic cltvpn
crypto map ASHLEYVPN 30 ipsec-isakmp
 description IPSEC VPN to a customer.
 set peer 12.40.84.194
 set transform-set verysecurevpn
 match address accesslist
crypto map ASHLEYVPN 31 ipsec-isakmp
 description IPSEC VPN to another customer
 set peer 108.117.178.31
 set transform-set verysecurevpn
 match address accesslist
!

Thank you

3 REPLIES
Cisco Employee

Re: multiple ISAKMP policies?

Hi,

When the Client tries connecting to the PIX or any other VPN device, it will send almost all of its set of IKE proposals to the PIX. The PIX will match them against the first policy, then the second, and the next policy sent is matched the same way; finally one of the sent policies matches either the first or the second defined on the PIX, and that's what they use.

Hope this explains the process,

Regards,

Aamir

Cisco Employee

Re: multiple ISAKMP policies?

Hi,

Also when the Client connects you can check to see what policies were used at the IKE by double-clicking on the Client session to get all that information.

Regards,

Aamir

Beginner

Re: multiple ISAKMP policies?

Hi,

You can see the parameters of the crypto policy by typing the command: show crypto isakmp sa detail

You will see a table; just look up your peer IP, and you will see the parameters such as Enc., Hash, DH and lifetime.

Accordingly, you will know which policy has those parameters. Type the command: show crypto isakmp policy, and you should be able to see the same parameters.

Hope this answers your question.

 

Regards

Ibrahim Alazawi
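The two answers above describe, first, how the responder walks its ISAKMP policies to find one that matches a proposal the initiator sent, and second, how to map the Encr/Hash/DH/Auth values shown by show crypto isakmp sa detail back to a configured policy. The following Python script is an added example written for this page; it is not code from the thread or from Cisco. It models the responder-side matching rule as Cisco documents it (encryption, hash, authentication and DH group must be identical, the initiator's lifetime must not exceed the local one, and the shorter lifetime is used), fills in the IOS defaults for attributes a policy block leaves unset (DES, SHA, RSA signatures, group 1, 86400 seconds), and parses a constructed excerpt of show crypto isakmp sa detail output. The configuration text, the client proposals and the show output inside it are all constructed for the example, based on the two policies in the original question.

```python
"""Model of IOS ISAKMP (IKEv1 phase 1) policy selection plus a small parser for
"show crypto isakmp sa detail" rows.  Added example, not code from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# IOS defaults for attributes that a "crypto isakmp policy" block does not set.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": 1, "lifetime": 86400}
# Auth keyword as printed by "show crypto isakmp sa detail" -> config keyword.
SHOW_AUTH = {"psk": "pre-share", "rsig": "rsa-sig", "renc": "rsa-encr"}


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encr: str
    hash: str
    authentication: str
    group: int
    lifetime: int

    def attrs(self) -> tuple:
        """The four attributes IOS requires to be identical for a match."""
        return (self.encr, self.hash, self.authentication, self.group)


def parse_isakmp_policies(config: str) -> list[IsakmpPolicy]:
    """Parse "crypto isakmp policy N" blocks out of running-config text,
    applying IOS defaults to anything a block does not set."""
    policies: list[IsakmpPolicy] = []
    current: dict | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            if current:
                policies.append(IsakmpPolicy(**current))
            current = dict(IOS_DEFAULTS, priority=int(line.split()[-1]))
            continue
        if current is None or not line or line == "!":
            continue
        key, _, value = line.partition(" ")
        if key in ("encr", "encryption"):
            current["encr"] = value
        elif key in ("hash", "authentication"):
            current[key] = value
        elif key in ("group", "lifetime"):
            current[key] = int(value)
        else:                       # any other command ends the policy block
            policies.append(IsakmpPolicy(**current))
            current = None
    if current:
        policies.append(IsakmpPolicy(**current))
    return sorted(policies, key=lambda p: p.priority)   # lowest number first


def select_policy(local: list[IsakmpPolicy], proposals: list[dict]):
    """Responder-side selection as Cisco documents it: walk local policies from
    the lowest priority number and return the first one for which some offered
    proposal has identical attrs() and a lifetime no longer than the local one.
    Returns (policy, negotiated_lifetime) or None if nothing matches."""
    for pol in sorted(local, key=lambda p: p.priority):
        for prop in proposals:
            same = (prop["encr"], prop["hash"], prop["authentication"], prop["group"])
            if same == pol.attrs() and prop["lifetime"] <= pol.lifetime:
                return pol, prop["lifetime"]        # shorter lifetime is used
    return None


# One SA row: C-id Local Remote [I-VRF] Status Encr Hash Auth DH Lifetime [Cap.]
SA_ROW = re.compile(
    r"^\s*(?P<cid>\d+)\s+(?P<local>[\d.]+)\s+(?P<remote>[\d.]+)\s+(?:\S+\s+)?"
    r"(?P<status>[A-Z_]+)\s+(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+"
    r"(?P<dh>\d+)\s+(?P<life>\d+:\d+:\d+)")


def parse_isakmp_sa_detail(output: str) -> list[dict]:
    """Extract per-SA rows from "show crypto isakmp sa detail" output."""
    rows = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if m:
            rows.append({"cid": int(m["cid"]), "local": m["local"],
                         "remote": m["remote"], "status": m["status"],
                         "encr": m["encr"], "hash": m["hash"],
                         "authentication": SHOW_AUTH.get(m["auth"], m["auth"]),
                         "group": int(m["dh"]), "remaining": m["life"]})
    return rows


def policy_for_sa(policies: list[IsakmpPolicy], sa: dict) -> IsakmpPolicy | None:
    """Lowest-numbered configured policy whose attributes equal the SA's.  The
    lifetime column is time remaining, so it is not part of the comparison."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if pol.attrs() == (sa["encr"], sa["hash"], sa["authentication"], sa["group"]):
            return pol
    return None


# Constructed copy of the two policies from the question (key is a placeholder).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key examplekey address 14.70.84.194 no-xauth
"""

# Constructed "show crypto isakmp sa detail" excerpt in IOS column layout.
SAMPLE_SHOW = """\
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
1001  10.90.1.1       14.70.84.194           ACTIVE 3des sha    psk  2  23:40:12
1002  10.90.1.1       218.172.178.131        ACTIVE des  md5    psk  1  04:12:55 D
"""

if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_CONFIG)
    offered = [dict(encr="3des", hash="sha", authentication="pre-share", group=2, lifetime=86400),
               dict(encr="des", hash="md5", authentication="pre-share", group=1, lifetime=86400)]
    print("negotiated:", select_policy(pols, offered))
    for sa in parse_isakmp_sa_detail(SAMPLE_SHOW):
        print(sa["remote"], "->", policy_for_sa(pols, sa))
```

The practical point the model makes visible: because policy 1 has the lowest number it is compared first, so a client that offers both DES/MD5/group 1 and 3DES/SHA/group 2 ends up on policy 1 (DES, MD5) even though the router also has a 3DES policy. If the weaker parameter set is only kept for one legacy peer, give it the higher number, or remove it and let that peer fail the negotiation rather than letting every peer downgrade to it.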