10-15-2015 11:52 AM
Hi,
My background with VPNs is mostly from an ASA/firewall perspective and I am currently studying for CCIE Security. At the moment I am playing with ISAKMP profiles on IOS. I understand the purpose of them and what you may use them for, but reading Cisco docs and other posts online I don't seem to be able to get a clear understanding of how/when they need to be applied.
Some more info... from playing with them in a lab I can see that they don't actually have to be attached anywhere (e.g. cryptomap or ipsec-profile) for them to be used by the router (i.e. just creating them with the relevant match statements is enough to cause the isakmp process to use them - similar to tunnel-groups under the ASA). The tests I was carrying out were just matching based on identity address and setting a specific keyring.
So with the background aside my question is...
Are there any specific configuration items/scenarios where you would explicitly need to reference the isakmp profile under another object (i.e. under an ipsec-profile or cryptomap) or is that more cosmetic to help engineers understand where it is applied?
Thanks in advance!
Mike
10-15-2015 01:01 PM
Hi
At one of the customers that I work with I use it to assign a VRF to the VPN.
10-15-2015 11:22 PM
Hi Henrik,
Thanks for the response. Yep, I know one of the uses would be to associate traffic with a particular ivrf, however again from my testing (albeit brief) it doesn't appear that you actually need to set the isakmp profile under the cryptomap (set isakmp-profile PROF-NAME), it is enough to just create it on the device. The router still seems to match connections against it.
So, for anyone who has used isakmp-profiles a lot, are there any cases where the isakmp-profile absolutely has to be set specifically under a cryptomap/ipsec-policy or is it always just enough that they are created?
Thanks
Mike