IPSec IKE PSK with IP peer address

fsebera
Enthusiast
Enthusiast

Cisco IOS-XE configuration supports multiple phase 1 crypto isakmp PSK options for ip address-peers.  We have a large number of IPSec peers (700+) and would like to use one PSK per network range instead of per peer or the same PSK for all peers with the 0.0.0.0 option.  I know this is not recommended especially with PSKs but this is my direction.  I’m looking for someone with experience with a setup like this (even with IKEv2) and asking how such a setup performed overall.  

 

Our head-end routers are ASR1009-X and remote edge routers are ASR1002-X, ISR 4300 and 2951s with physical crypto cards installed. This configuration is IKEv1, which is deprecated, and will migrate to IKEv2 after this is ironed out.

Ex:

crypto isakmp key key1 address 192.168.0.0 255.255.255.0
crypto isakmp key key2 address 172.16.0.0 255.255.255.0
crypto isakmp key key3 address 10.0.0.0 255.255.0.0

 

Thank you

Frank

Accepted Solution

Rob Ingram (VIP Expert)

@fsebera 

Yes the router cycles through until it finds a match on the IP for the key.

5 Replies

Rob Ingram (VIP Expert)

@fsebera 

Yes what you propose will work fine, just use long complex random PSK.

 

If you migrate to IKEv2 then you have the option to use asymmetric authentication (different local and remote authentication methods). Using FlexVPN you also have the option to use PSKs stored on an AAA server (RADIUS), allowing you to centrally update the PSKs instead of reconfiguring the routers.

Hi Rob,

 

Thank you for the quick reply. Yea my password is a bad example no doubt :)..., and unfortunately our Juniper boxes (I didn't mention) do not support asymmetric PSKs -yikeeeeeeessss.

 

Behind the curtains, does IOS just cycle through the multiple crypto ISAKMP key entries until it finds an IP address-peer match?

Thanks

Frank

The reason I ask is most peers fall within the 3 defined ranges of:

192.168.0.0 /24
172.16.0.0 /24
10.0.0.0 /16

 

while other peers don't fall within a supernet at all - think ISP static addressing, which will be covered by the 0.0.0.0 wild-card range.

Should the 0.0.0.0 range be added into the configuration last, or is IOS smart enough to choose the most specific peer address first?

 

Thanks

Frank

 

@fsebera 

It will use the most specific match. Use keyrings rather than keys defined under global configuration.
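The "most specific match wins" behaviour described in this answer, modelled as an added example (not Cisco code and not the poster's configuration): it parses `crypto isakmp key ... address <ip> <mask>` lines, treats the second argument as a subnet mask, and selects the PSK by longest prefix regardless of configuration order, falling back to the 0.0.0.0 wildcard. The sample config and the PSK names in it are constructed placeholders; treating an omitted mask as a /32 host is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample of global ISAKMP key entries in the style of the thread;
# the key values are placeholders, not real secrets.
SAMPLE_CONFIG = """
crypto isakmp key PSK-RANGE-A address 192.168.0.0 255.255.255.0
crypto isakmp key PSK-RANGE-B address 172.16.0.0 255.255.255.0
crypto isakmp key PSK-RANGE-C address 10.0.0.0 255.255.0.0
crypto isakmp key PSK-CATCHALL address 0.0.0.0 0.0.0.0
"""

_KEY_LINE = re.compile(
    r"^crypto isakmp key (\S+) address (\d+\.\d+\.\d+\.\d+)(?: (\d+\.\d+\.\d+\.\d+))?$"
)


def parse_isakmp_keys(config):
    """Return a list of (network, psk) tuples from 'crypto isakmp key' lines.

    The value after the address is a subnet mask (255.255.255.0 = /24).
    An omitted mask is treated as a single host (/32); that default is an
    assumption of this example, not a statement about IOS behaviour.
    """
    entries = []
    for line in config.splitlines():
        m = _KEY_LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a PSK entry
        psk, addr, mask = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        entries.append((net, psk))
    return entries


def select_psk(entries, peer_ip):
    """Pick the PSK whose range most specifically contains peer_ip.

    Every entry containing the peer is a candidate; the longest prefix wins,
    so the 0.0.0.0/0 wildcard only applies when no narrower range matches and
    the order of the entries does not matter. Returns None on no match.
    """
    peer = ipaddress.ip_address(peer_ip)
    candidates = [(net.prefixlen, psk) for net, psk in entries if peer in net]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]
```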

