Is "crypto isakmp key" address more-specific?

Let's say I have two IPSec connections on an ISR4k router:

crypto isakmp key aaaaaaaaaaaaaaaaaa address 192.168.1.1 255.255.255.255
crypto isakmp key bbbbbbbbbbbbbbbbbb address 192.168.2.2 255.255.255.255

 

Is it safe to now add one of the following lines for other IPSec connections, without bringing the current IPSec connections down?

crypto isakmp key xxxxxxxxxxxxxxxxxxxx address 192.168.0.0 255.255.0.0
crypto isakmp key yyyyyyyyyyyyyyyyyyyy address 0.0.0.0 0.0.0.0

Will the IPSec connections to 192.168.1.1 and 192.168.2.2 stay up, because the address for key aaaaaaaa/bbbbbbb is more-specific (/32)? Or is it possible that the router uses the wrong key, xxxxxxxxxx/yyyyyyyyyy, for 192.168.1.1, because this address has more than one key (one as /32 and one as /16 or /0)?

 

Or is it better to work with keyrings, if I have such overlapping addresses?


Re: Is "crypto isakmp key" address more-specific?

Hello,

 

I just tested this. Entering the less specific keys has no effect on existing IPSec connections, so you can enter them without causing any sort of interruption.
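
For auditing a configuration like the one in the question before adding broader entries, here is an added example (not part of the original posts, and not Cisco code) that parses `crypto isakmp key ... address ...` lines and reports overlapping ranges and wildcard keys. The function names are hypothetical, the sample is built from the four lines quoted in the question, and the "most specific first" ordering is only how the script sorts its output, not a statement about which key the router selects.

```python
import ipaddress
import re
# Constructed sample: the four lines quoted in the question above.
SAMPLE_CONFIG = """\
crypto isakmp key aaaaaaaaaaaaaaaaaa address 192.168.1.1 255.255.255.255
crypto isakmp key bbbbbbbbbbbbbbbbbb address 192.168.2.2 255.255.255.255
crypto isakmp key xxxxxxxxxxxxxxxxxxxx address 192.168.0.0 255.255.0.0
crypto isakmp key yyyyyyyyyyyyyyyyyyyy address 0.0.0.0 0.0.0.0
"""

# Optional encryption-type digit (0 or 6) before the key; the mask is optional.
KEY_LINE = re.compile(
    r"^\s*crypto isakmp key (?:[06] )?(?P<key>\S+) address "
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)(?: (?P<mask>\d+\.\d+\.\d+\.\d+))?"
)

def parse_keys(config):
    """Return (network, redacted_key_label) for each 'crypto isakmp key' line."""
    entries = []
    for line in config.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        mask = m.group("mask") or "255.255.255.255"  # no mask means a host entry
        net = ipaddress.ip_network(f"{m.group('addr')}/{mask}", strict=False)
        label = m.group("key")[:2] + "***"  # never echo the full secret
        entries.append((net, label))
    return entries

def candidates_for(peer, entries):
    """All entries whose range covers the peer, most specific first."""
    ip = ipaddress.ip_address(peer)
    hits = [e for e in entries if ip in e[0]]
    return sorted(hits, key=lambda e: e[0].prefixlen, reverse=True)

def audit(entries):
    """Findings: wildcard keys and pairs of entries with overlapping ranges."""
    findings = []
    for i, (net, label) in enumerate(entries):
        if net.prefixlen == 0:
            findings.append(f"wildcard key {label} matches every peer")
        for other, other_label in entries[i + 1:]:
            if net.overlaps(other):
                findings.append(f"{net} ({label}) overlaps {other} ({other_label})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_keys(SAMPLE_CONFIG)):
        print(finding)
```

Run against a saved copy of the running configuration, this shows which peers would be covered by more than one pre-shared key, which is the situation where keyrings, as raised in the question, are worth considering.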