Core issue
The Internet Security Association and Key Management Protocol (ISAKMP) profile is an enhancement to ISAKMP configurations. It enables the modularity of the ISAKMP configuration for Phase 1 negotiations. This modularity allows mapping different ISAKMP parameters to different IPsec tunnels, and mapping different IPsec tunnels to different VPN forwarding and routing (VRF) instances.
ISAKMP profile enhancement was released as part of the VRF-aware IPsec feature in Cisco IOS Software Release 12.2(15)T. Today, many applications and enhancements use the ISAKMP profile, including quality of service (QoS), router certificate management, and Multiprotocol Label Switching (MPLS) VPN configurations.
Resolution
This list explains when to use an ISAKMP profile:
- Any router with two or more IPsec connections that requires different Phase 1 parameters for different sites (for example, configuring site-to-site and remote access on the same router).
- It is recommended to use the ISAKMP profile with Easy VPN Remote or Easy VPN Server configurations.
- If custom Internet Key Exchange (IKE) Phase 1 policies are needed for different peers. For example, whether XAUTH is to be applied to a specific peer, rather than being applied on every connection.
- An IPsec configuration using VRF-aware IPsec, which allows the use of a single IP address to connect to different peers with different IKE Phase 1 parameters.
For additional help, refer to ISAKMP Profile Overview.