07-03-2006 07:10 AM
Hello,
I am trying to make a configuration where I have multiple isakmp profiles, and I want each profile to use its own pre-shared key, BUT the clients are not Cisco (they are Linksys, so they cannot use groups) AND the IP addresses of the clients are not fixed.
So I have the following configuration:
crypto keyring llave1
pre-shared-key address 0.0.0.0 0.0.0.0 key llave1
crypto keyring llave2
pre-shared-key address 0.0.0.0 0.0.0.0 key llave2
!
crypto isakmp profile L2L-2
vrf cliente2
keyring llave2
match identity user domain cliente2.com
crypto isakmp profile L2L
vrf cliente1
keyring llave1
match identity user domain cliente1.com
!
crypto dynamic-map L2L 5
set transform-set 3des_sha
set isakmp-profile L2L
match address 101
reverse-route
!
crypto dynamic-map L2L-2 6
set transform-set 3des_sha
set isakmp-profile L2L-2
match address 102
reverse-route
When I started the vpn from my client using the cliente1.com domain and the key llave1, it works great, BUT when I start the vpn from my client using the cliente2.com domain and the key llave2, it does not work at all (the debug shows something like a malformed packet).
Then I checked that if I swap the "crypto keyring" commands putting the "crypto keyring llave2" before the "crypto keyring llave1", then the only client that works is the cliente2.com domain.
The question is: Is it possible to do what I am trying to accomplish?
I am attaching the full configuration.
Thanks!
07-10-2006 01:07 PM
under crypto isakmp profile L2L &
crypto isakmp profile L2L-2
try "match identity address 0.0.0.0"
this should just allow all for source ip, and permit
the domain as the matching field to match for a isakmp profile...
Joe
09-26-2006 12:02 PM
did you ever get this to work? I am looking to do the same thing.
09-26-2006 03:15 PM
No, I asked a Cisco SE (I am attaching the document with my question), and here is his answer:
------
That is expected. For MM psk, the key is picked right at the beginning based on the ip address, so we'll always pick the first match.
And then at MM5 when the profile is picked based on fqdn, if the configured keyring is not what we used earlier, we'll fail.
If you can use a separate termination point for each cust/vrf, then you can separate the keys. Let's say you use 2 loopbacks for 2 customers.
Then by defining the loopback as the 'local-address' under each keyring and isakmp profile, you can limit the keyring selection based on the IKE destination (loopback address). But this will work with VTI, not with crypto maps, since we need a crymap per IKE endpoint. I assume these are all non-Cisco CPEs, so VTI or even EzVPN (where we won't even have this problem) is out of the question.
If using crypto maps, and to be able to use 'local-address', you will need an intf/subintf per vrf and apply the respective crypto maps. Then you can either use fvrf to separate the keys, or use 'local-address' to separate the keys.
The local-address CLI came in 12.3.11T, so you need an image after that.
---------
HTH
Alex
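The SE's explanation can be made concrete with a small model of the responder's key selection. The Python below is an added example written for this thread; it is not IOS code and not part of any post. It models the two behaviours described above: at MM1 the responder knows only the peer's source address, so with two `address 0.0.0.0 0.0.0.0` keyrings the first configured entry always wins, and at MM5 the authentication hash computed from the wrong PSK fails to verify. The `local_address` attribute is a stand-in for the `local-address` keyword the SE mentions, so the second scenario shows how terminating each customer on its own loopback lets the responder pick the right keyring from the IKE destination address. The SKEYID derivation follows RFC 2409 (prf over the nonces keyed by the PSK); the HASH_I computation is simplified to an HMAC over the identity, and all addresses, nonces and identities are constructed sample values.

```python
"""Model of IKEv1 main-mode PSK keyring selection on a responder (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Keyring:
    name: str
    psk: bytes
    # Address/mask as configured with "pre-shared-key address A M key K"
    peer_net: str = "0.0.0.0/0"
    # Model of the IOS 'local-address' restriction (assumed semantics: match the
    # IKE destination address); None means the keyring is not bound to an address
    local_address: Optional[str] = None


def select_keyring(keyrings, local_ip, peer_ip):
    """Return the first keyring whose local-address and peer-address constraints match.

    Mirrors the behaviour described in the thread: at MM1 only IP addresses are
    known, so the first matching entry wins regardless of the identity sent in MM5.
    """
    for kr in keyrings:
        if kr.local_address is not None and kr.local_address != local_ip:
            continue
        if ip_address(peer_ip) in ip_network(kr.peer_net, strict=False):
            return kr
    return None


def skeyid(psk, ni, nr):
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def auth_hash(skeyid_val, identity):
    # Simplified stand-in for HASH_I, keyed by SKEYID over the identity payload
    return hmac.new(skeyid_val, identity, hashlib.sha1).digest()


def main_mode(keyrings, local_ip, peer_ip, peer_psk, peer_identity):
    """Simulate one main-mode exchange; return (keyring chosen at MM1, MM5 auth result)."""
    ni, nr = os.urandom(16), os.urandom(16)  # constructed nonces, shared by both sides
    kr = select_keyring(keyrings, local_ip, peer_ip)
    if kr is None:
        return None, False
    # The initiator derives its keys from the PSK it was configured with
    hash_i = auth_hash(skeyid(peer_psk, ni, nr), peer_identity)
    # The responder derives keys from the keyring chosen at MM1 and checks HASH_I at MM5
    expected = auth_hash(skeyid(kr.psk, ni, nr), peer_identity)
    return kr.name, hmac.compare_digest(hash_i, expected)


# Constructed scenario 1: the original post, two wildcard keyrings on one hub address
WILDCARD = [
    Keyring("llave1", b"llave1"),
    Keyring("llave2", b"llave2"),
]

# Constructed scenario 2: one loopback per customer, each keyring bound to its loopback
PER_LOOPBACK = [
    Keyring("llave1", b"llave1", local_address="192.0.2.1"),
    Keyring("llave2", b"llave2", local_address="192.0.2.2"),
]


def run_scenarios():
    """Run both scenarios with dynamic-address clients; all addresses are constructed."""
    results = {}
    results["wildcard-cliente1"] = main_mode(WILDCARD, "192.0.2.1", "198.51.100.10", b"llave1", b"user@cliente1.com")
    results["wildcard-cliente2"] = main_mode(WILDCARD, "192.0.2.1", "198.51.100.20", b"llave2", b"user@cliente2.com")
    results["loopback-cliente1"] = main_mode(PER_LOOPBACK, "192.0.2.1", "198.51.100.10", b"llave1", b"user@cliente1.com")
    results["loopback-cliente2"] = main_mode(PER_LOOPBACK, "192.0.2.2", "198.51.100.20", b"llave2", b"user@cliente2.com")
    return results


if __name__ == "__main__":
    for name, (kr, ok) in run_scenarios().items():
        print(f"{name}: keyring={kr} authenticated={ok}")
```

In the wildcard scenario the cliente2 peer is matched to keyring llave1 at MM1 and its MM5 hash fails, which is the first-match behaviour the SE describes; swapping the keyring order would simply flip which customer fails, as the original poster observed. In the per-loopback scenario each peer is matched by the address it terminated on, so both authenticate.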
09-26-2006 04:42 PM
I guess I will just give it a try. All my cpe's will be cisco.