Cisco IOS-XE configuration supports multiple phase 1 crypto isakmp PSK options for ip address-peers. We have a large number of IPSec peers (700+) and would like to use one PSK per network range instead of per peer or the same PSK for all peers with the 0.0.0.0 option. I know this is not recommended especially with PSKs but this is my direction. I’m looking for someone with experience with a setup like this (even with IKEv2) and asking how such a setup performed overall.
Our head-end routers are ASR1009-X and the remote edge routers are ASR1002-X, ISR 4300 and 2951s with physical crypto cards installed. This configuration is IKEv1, which is deprecated, and will migrate to IKEv2 after this is ironed out.
crypto isakmp key key1 address 192.168.0.0 255.255.255.0
crypto isakmp key key2 address 172.16.0.0 255.255.255.0
crypto isakmp key key3 address 10.0.0.0 255.255.0.0
Yes, what you propose will work fine, just use a long, complex, random PSK.
If you migrate to IKEv2 then you have the option to use asymmetric authentication (different local and remote authentication methods). Using FlexVPN you also have the option to use PSKs stored on an AAA server (RADIUS), allowing you to centrally update the PSKs instead of reconfiguring the routers.
Thank you for the quick reply. Yeah, my password is a bad example no doubt :)..., and unfortunately our Juniper boxes (I didn't mention) do not support asymmetric PSKs -yikeeeeeeessss.
Behind the curtains, does IOS just cycle through the multiple crypto ISAKMP key entries until it finds an IP address-peer match?
The reason I ask is most peers fall within the 3 defined ranges of:
while other peers don't fall within a supernet at all - think ISP static addressing, which will be covered by the 0.0.0.0 wild-card range.
Should the 0.0.0.0 range be added into the configuration last, or is IOS smart enough to choose the most specific peer address first?
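As an added illustration (not from the original thread, and not a statement of how IOS actually performs its lookup), the following Python helper parses `crypto isakmp key <key> address <ip> <mask>` lines in the unencrypted form shown above and reports which entry a top-down first-match lookup and a longest-prefix lookup would each select for a peer, plus which entries a broader earlier line would shadow under the first-match reading. SAMPLE_CONFIG is constructed with placeholder keys and the 0.0.0.0 wildcard from the follow-up.

```python
import ipaddress

# Constructed sample: the three entries from the post plus the 0.0.0.0
# wildcard mentioned in the follow-up; the key strings are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp key key1 address 192.168.0.0 255.255.255.0
crypto isakmp key key2 address 172.16.0.0 255.255.255.0
crypto isakmp key key3 address 10.0.0.0 255.255.0.0
crypto isakmp key key0 address 0.0.0.0 0.0.0.0
"""


def parse_isakmp_keys(config_text):
    """Return [(key, network)] in configuration order from
    'crypto isakmp key <key> address <ip> [mask]' lines."""
    entries = []
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:3] != ["crypto", "isakmp", "key"] or "address" not in parts:
            continue
        i = parts.index("address")
        # An omitted mask is treated as a host entry here (assumption).
        mask = parts[i + 2] if len(parts) > i + 2 else "255.255.255.255"
        net = ipaddress.ip_network(f"{parts[i + 1]}/{mask}", strict=False)
        entries.append((parts[3], net))
    return entries


def first_match(entries, peer):
    """Key chosen if entries are searched top-down and the first hit wins."""
    peer = ipaddress.ip_address(peer)
    return next((k for k, net in entries if peer in net), None)


def longest_prefix_match(entries, peer):
    """Key chosen if the most specific matching entry wins regardless of order."""
    peer = ipaddress.ip_address(peer)
    hits = [(net.prefixlen, k) for k, net in entries if peer in net]
    return max(hits)[1] if hits else None


def ordering_conflicts(entries):
    """Pairs (shadowed_key, shadowing_key): a broader entry listed before a
    narrower one it contains, so first-match and longest-prefix disagree."""
    conflicts = []
    for i, (key, net) in enumerate(entries):
        for earlier_key, earlier_net in entries[:i]:
            if earlier_net.prefixlen < net.prefixlen and net.subnet_of(earlier_net):
                conflicts.append((key, earlier_key))
    return conflicts
```

With the wildcard placed last, `ordering_conflicts` is empty and both lookups agree for every peer, so that ordering is safe whichever rule the platform applies.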