ISAKMP Profiles

mike_guy29
Level 1

Hi,

My background with VPNs is mostly from an ASA/firewall perspective and I am currently studying for CCIE Security. At the moment I am playing with ISAKMP profiles on IOS. I understand the purpose of them and what you may use them for, but reading Cisco docs and other posts online I don't seem to be able to get a clear understanding of how/when they need to be applied.

Some more info... from playing with them in a lab I can see that they don't actually have to be attached anywhere (e.g. cryptomap or ipsec-profile) for them to be used by the router (i.e. just creating them with the relevant match statements is enough to cause the isakmp process to use them - similar to tunnel-groups under the ASA). The tests I was carrying out were just matching based on identity address and setting a specific keyring.

So with the background aside, my question is...

Are there any specific configuration items/scenarios where you would explicitly need to reference the isakmp profile under another object (i.e. under an ipsec-profile or cryptomap), or is that more cosmetic to help engineers understand where it is applied?

Thanks in advance!

Mike

2 Replies

Hi

At one of the customers that I work with I use it to assign a VRF to the VPN.

Hi Henrik,

Thanks for the response. Yep, I know one of the uses would be to associate traffic with a particular ivrf, however again from my testing (albeit brief) it doesn't appear that you actually need to set the isakmp profile under the cryptomap (set isakmp-profile PROF-NAME), it is enough to just create it on the device. The router still seems to match connections against it.

So, for anyone who has used isakmp-profiles a lot, are there any cases where the isakmp-profile absolutely has to be set specifically under a cryptomap/ipsec-policy, or is it always just enough that they are created?

Thanks

Mike