Asking about VPN pre-shared key change

DaeHeon Kang
Beginner

Hi,

 

We're having Dynamic VPN connections to remote sites and planning to change the pre-shared key.

I see some configurations about the key on the VPN hosting router (crypto keyring and isakmp key).

They are both set with the same key.

My question is which one I need to change, or whether I need to change both.

There seems to be no isakmp profile which associates with crypto keyring Dynamic-VPN vrf INTERNET.

Following are some parts of the VPN configuration.

 

crypto keyring Dynamic-VPN vrf INTERNET
pre-shared-key address 0.0.0.0 0.0.0.0 key dynamic123


crypto isakmp key dynamic123 address 0.0.0.0

 

crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

 

crypto dynamic-map Dynamic-VPN-MAP 100
set transform-set AES256-SHA
set reverse-route distance 100
match address DYNMIC-ADDR
reverse-route

 

crypto map INTERNET-VPN-MAP 10 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime kilobytes 102400000
set transform-set vpn-ipsec-proposal-set
set isakmp-profile vpn-profile1
match address VPN-ADDR
crypto map INTERNET-VPN-MAP 350 ipsec-isakmp dynamic Dynamic-VPN-MAP


Rob Ingram
VIP Expert

@DaeHeon Kang You've not provided the full configuration. You have an isakmp profile called "vpn-profile1"; if the "Dynamic-VPN" keyring is in use it will be referenced under the isakmp profile.

Hi Rob,

 

I think that isakmp profile is used for another VPN connection, which is the static VPN (because the profile associates with a specific static VPN peer IP).

And I guess the Dynamic VPN is set up from the config below.

From my understanding, a dynamic isakmp setup doesn't normally have a specific peer IP definition.

 

crypto keyring Dynamic-VPN vrf INTERNET
pre-shared-key address 0.0.0.0 0.0.0.0 key dynamic123


crypto isakmp key dynamic123 address 0.0.0.0

@DaeHeon Kang well if the isakmp profile is used by another connection, then I assume so is the keyring configuration?

 

crypto keyring Dynamic-VPN vrf INTERNET
pre-shared-key address 0.0.0.0 0.0.0.0 key dynamic123

 

In which case this configuration "crypto isakmp key dynamic123 address 0.0.0.0" is used by your dynamic VPN.

Hi Rob,

 

Do I need to change both the crypto keyring pre-shared key and the crypto isakmp key when I try to change the key for the Dynamic VPN connection?

Or can I change only either the crypto keyring pre-shared key or the crypto isakmp key?

@DaeHeon Kang

Without seeing the full configuration I will have to take your word that the keyring is used by the static VPN.

If the crypto keyring is definitely referenced under the isakmp profile that is used by the static VPN, then no, you don't need to change that if you only want to change the PSK for Dynamic VPNs. Just change the crypto isakmp key.

 

 

Hi Rob,

 

Following are more parts of the VPN configuration, including the other VPN connection's setup.

 

======================================================================

crypto keyring Static-VPN vrf INTERNET
pre-shared-key address x.x.x.112 key static123

 

crypto keyring Dynamic-VPN vrf INTERNET
pre-shared-key address 0.0.0.0 0.0.0.0 key dynamic123

 

crypto isakmp profile vpn-profile1
vrf INTERNET
keyring Static-VPN
match identity address x.x.x.112 255.255.255.255 INTERNET


crypto isakmp key dynamic123 address 0.0.0.0

 

crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

 

crypto dynamic-map Dynamic-VPN-MAP 100
set transform-set AES256-SHA
set reverse-route distance 100
match address DYNMIC-ADDR
reverse-route

 

crypto map INTERNET-VPN-MAP 10 ipsec-isakmp
set peer x.x.x.112
set security-association lifetime kilobytes 102400000
set transform-set vpn-ipsec-proposal-set
set isakmp-profile vpn-profile1
match address VPN-ADDR
crypto map INTERNET-VPN-MAP 350 ipsec-isakmp dynamic Dynamic-VPN-MAP

 

interface GigabitEthernet4
description INTERNET->PUBLIC
vrf forwarding INTERNET
ip address x.x.x.190 255.255.255.240
no ip redirects
ip nat outside
standby use-bia
standby 4 preempt
ip tcp adjust-mss 1300
negotiation auto
crypto map INTERNET-VPN-MAP

 

@DaeHeon Kang your outside interface Gig4 is in the INTERNET vrf; only the Static-VPN and Dynamic-VPN keyrings specify the vrf. The crypto isakmp key does not specify a vrf, so it won't match.

Hi Rob,

 

Does the crypto isakmp key configuration have a VRF option? I guess only the crypto keyring configuration has a vrf association option.

As I mentioned, the Dynamic crypto map doesn't associate with any isakmp profile.

So how could the Dynamic crypto map refer to the crypto keyring key?

I am confused about which key can be matched with the dynamic crypto map, given the following.

1. The crypto isakmp key doesn't have a VRF option, so it doesn't match, as you said.

2. And I think the crypto keyring is not used for the dynamic crypto map either, because the crypto map doesn't associate with any isakmp profile.

@DaeHeon Kang no "crypto isakmp key" command does not support vrf, so the keyring is used when you are using a vrf. My initial comments were based on an educated guess without all the information. The fact you have now confirmed the outside interface is in vrf INTERNET indicates the keyring is in use. You usually tie this together within an isakmp profile as you've done on the Static VPN, you don't have to though.
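As an added illustration of the point in this answer (this is example code written for this page, not code from the thread or from Cisco), the following Python model resolves which pre-shared key entries can match a peer, using the rule stated above: a keyring is consulted for the VRF it names, while "crypto isakmp key" has no VRF option and so only applies on an interface with no VRF. The configuration is a constructed excerpt of the thread's, with x.x.x.112 replaced by the documentation address 192.0.2.112 and a non-VRF GigabitEthernet1 added only for contrast; the matching rules are taken from this answer, not from Cisco documentation.

```python
import ipaddress
import re

# Constructed excerpt of the thread's config (x.x.x.112 -> 192.0.2.112; Gig1 added for contrast).
CONFIG = """
crypto keyring Static-VPN vrf INTERNET
 pre-shared-key address 192.0.2.112 key static123
crypto keyring Dynamic-VPN vrf INTERNET
 pre-shared-key address 0.0.0.0 0.0.0.0 key dynamic123
crypto isakmp key dynamic123 address 0.0.0.0
interface GigabitEthernet4
 vrf forwarding INTERNET
 crypto map INTERNET-VPN-MAP
interface GigabitEthernet1
 crypto map INTERNET-VPN-MAP
"""

def _net(addr, mask):
    # Assumption: an omitted mask means a host entry, except a bare 0.0.0.0, the usual "any peer".
    mask = mask or ("0.0.0.0" if addr == "0.0.0.0" else "255.255.255.255")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect keyrings (vrf + PSK entries), global 'crypto isakmp key' entries and interface vrfs."""
    keyrings, global_keys, iface_vrf, ctx = {}, [], {}, None
    for s in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"crypto keyring (\S+)(?: vrf (\S+))?$", s):
            ctx = ("keyring", m[1]); keyrings[m[1]] = {"vrf": m[2], "entries": []}
        elif m := re.match(r"interface (\S+)$", s):
            ctx = ("iface", m[1]); iface_vrf[m[1]] = None
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", s):
            ctx = None; global_keys.append((_net(m[2], m[3]), m[1]))
        elif ctx and ctx[0] == "keyring" and (m := re.match(r"pre-shared-key address (\S+)(?: (\S+))? key (\S+)$", s)):
            keyrings[ctx[1]]["entries"].append((_net(m[1], m[2]), m[3]))
        elif ctx and ctx[0] == "iface" and (m := re.match(r"vrf forwarding (\S+)$", s)):
            iface_vrf[ctx[1]] = m[1]
    return keyrings, global_keys, iface_vrf

def psk_sources(config, interface, peer_ip):
    """PSK entries that can match peer_ip arriving on interface (whose vrf is the front-door VRF)."""
    keyrings, global_keys, iface_vrf = parse(config)
    fvrf, peer, hits = iface_vrf[interface], ipaddress.ip_address(peer_ip), []
    # A keyring is consulted only for the vrf it names; 'crypto isakmp key' has no vrf option,
    # so (per the answer above) it can only match when the interface is not in a vrf.
    for name, kr in keyrings.items():
        if kr["vrf"] == fvrf:
            hits += [(f"keyring {name}", key) for net, key in kr["entries"] if peer in net]
    if fvrf is None:
        hits += [("crypto isakmp key", key) for net, key in global_keys if peer in net]
    return hits
```

For a dynamic peer such as 203.0.113.5 on GigabitEthernet4, psk_sources returns only the Dynamic-VPN keyring entry, which is therefore the key to change; the same peer on the non-VRF GigabitEthernet1 would be matched by the crypto isakmp key instead. When several keyrings in the same VRF match a peer (as for 192.0.2.112 here), the function returns all of them, which is exactly the ambiguity an isakmp profile removes.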

So do you mean that the crypto keyring will be used, even though the keyring is not associated with an isakmp profile, because it connects to the same VRF?

In that case, is the key in the crypto isakmp key configuration not in use?

And I found that the dynamic-map doesn't associate an isakmp profile for the dynamic key, which is different from the Static VPN map.

In this case, I guess I just need to change only the key in the crypto isakmp key configuration when I change the key.

 

 

> Dynamic crypto map (It doesn't associate with any isakmp profile)

crypto dynamic-map Dynamic-VPN-MAP 100
set transform-set AES256-SHA
set reverse-route distance 100
match address DYNMIC-ADDR
reverse-route

 

> Static crypto map including the Dynamic crypto map with a subsequent sequence number (350)

crypto map INTERNET-VPN-MAP 10 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime kilobytes 102400000
set transform-set vpn-ipsec-proposal-set
set isakmp-profile vpn-profile1
match address VPN-ADDR

crypto map INTERNET-VPN-MAP 350 ipsec-isakmp dynamic Dynamic-VPN-MAP
