
How and when to configure an ISAKMP profile for VPN tunnels on routers


Core issue

The Internet Security Association and Key Management Protocol (ISAKMP) profile is an enhancement to ISAKMP configurations. It makes the ISAKMP configuration for Phase 1 negotiations modular. This modularity allows mapping different ISAKMP parameters to different IPsec tunnels, and mapping different IPsec tunnels to different VPN routing and forwarding (VRF) instances.

The ISAKMP profile enhancement was released as part of the VRF-aware IPsec feature in Cisco IOS Software Release 12.2(15)T. Today, many applications and enhancements use the ISAKMP profile, including quality of service (QoS), router certificate management, and Multiprotocol Label Switching (MPLS) VPN configurations.


This list explains when to use an ISAKMP profile:

  • On any router with two or more IPsec connections that require different Phase 1 parameters for different sites (for example, site-to-site and remote access configured on the same router).
  • With Easy VPN Remote or Easy VPN Server configurations, where using the ISAKMP profile is recommended.
  • When custom Internet Key Exchange (IKE) Phase 1 policies are needed for different peers, for example when XAUTH is to be applied to a specific peer rather than to every connection.
  • In an IPsec configuration that uses VRF-aware IPsec, which allows a single IP address to connect to different peers with different IKE Phase 1 parameters.
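
The first and third cases above, sketched as an added configuration example that is not part of the original article: one router terminates a site-to-site peer and remote-access clients, and XAUTH is bound only to the remote-access profile. All profile, keyring, group and list names, the interface, the addresses (documentation ranges) and the keys are constructed placeholders, and the Phase 1 policy values are assumptions.

```cisco
! Added example; all names, addresses and keys are constructed placeholders.
aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-AUTHZ local
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
!
! Site-to-site peer: its own keyring and profile, no XAUTH.
crypto keyring SITE-KEYS
 pre-shared-key address 192.0.2.10 key REPLACE-WITH-SITE-PSK
crypto isakmp profile SITE-TO-SITE
 keyring SITE-KEYS
 match identity address 192.0.2.10 255.255.255.255
!
! Remote-access clients: matched by group name, XAUTH enforced only here.
ip local pool RA-POOL 10.10.10.1 10.10.10.50
crypto isakmp client configuration group RA-GROUP
 key REPLACE-WITH-GROUP-PSK
 pool RA-POOL
crypto isakmp profile REMOTE-ACCESS
 match identity group RA-GROUP
 client authentication list RA-XAUTH
 isakmp authorization list RA-AUTHZ
 client configuration address respond
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Each crypto map entry names the profile its Phase 1 must match.
crypto dynamic-map RA-DYN 10
 set transform-set TS-AES
 set isakmp-profile REMOTE-ACCESS
 reverse-route
!
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-AES
 set isakmp-profile SITE-TO-SITE
 match address 110
crypto map VPN 20 ipsec-isakmp dynamic RA-DYN
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
```

After applying a configuration like this, `show crypto isakmp profile` lists the profiles and the identities each one matches, which is a quick check that a peer is landing in the intended profile.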

If the IPsec VPN tunnel fails to come up with an ISAKMP profile on the router, refer to "IPSec VPN tunnel does not come up with ISAKMP profile on router" and "Understanding and Using debug Commands".

For additional help, refer to "ISAKMP Profile Overview".
