Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
768
Views
0
Helpful
1
Replies

Is "crypto isakmp key" address more-specific?

schwarzenbachcyb
Level 1
Level 1

‎02-11-2020 05:39 AM - edited ‎02-11-2020 05:55 AM

Lets say I have two IPSec connections on a ISR4k router:

crypto isakmp key aaaaaaaaaaaaaaaaaa address 192.168.1.1 255.255.255.255
crypto isakmp key bbbbbbbbbbbbbbbbbb address 192.168.2.2 255.255.255.255

 

Is it safe to add now one of the following lines for other IPSec connections, without bringing the current IPSec's down?

crypto isakmp key xxxxxxxxxxxxxxxxxxxx address 192.168.0.0 255.255.0.0
crypto isakmp key yyyyyyyyyyyyyyyyyyyy address 0.0.0.0 0.0.0.0

Will the IPSec connections to 192.168.1.1 and 192.168.2.2 stay up, because the address for key aaaaaaaa/bbbbbbb is more-specific (/32)? Or is it possible that the router uses the wrong key, xxxxxxxxxx/yyyyyyyyyy, for 192.168.1.1, because this address has more then one keys (one as /32 and one as /16 or /0)?

 

Or is it better to work with keyrings, if I have such overlapping addresses?

Labels:
0 Helpful
1 Reply 1

Georg Pauwen
VIP
VIP

‎02-11-2020 11:12 AM

Hello,

 

I just tested this. Entering the less specific keys has no effect on existing IPSec connections, so you can enter them without causing any sort of interruption.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card