Re: Multiple ISAKMP profiles with multiple keys

aretsu · ‎07-03-2006

Hello,

I am trying to make a configuration where i have multiple isakmp profiles, and i want each profile use its own pre-shared key, BUT, the clients are not cisco (they are linksys so cannot use groups) AND the ip addresses of the clients are not fixed.

So i have the following configuration:

crypto keyring llave1

pre-shared-key address 0.0.0.0 0.0.0.0 key llave1

crypto keyring llave2

pre-shared-key address 0.0.0.0 0.0.0.0 key llave2

!

crypto isakmp profile L2L-2

vrf cliente2

keyring llave2

match identity user domain cliente2.com

crypto isakmp profile L2L

vrf cliente1

keyring llave1

match identity user domain cliente1.com

!

crypto dynamic-map L2L 5

set transform-set 3des_sha

set isakmp-profile L2L

match address 101

reverse-route

!

crypto dynamic-map L2L-2 6

set transform-set 3des_sha

set isakmp-profile L2L-2

match address 102

reverse-route

When I started the vpn from my client using the cliente1.com domain and the key llave1, it works great, BUT when I start the vpn from my client using the cliente2.com domain and the key llave2, it does not work at all (the debug shows something like a malformed packet).

Then I checked that if I swap the "crypto keyring" commands putting the "crypto keyring llave2" before the "crypto keyring llave1", then the only client that works is the cliente2.com domain.

The question is: Is it possible to do what I am trying to accomplish?

I am attaching the full configuration.

Thanks!

jbrunner007 · ‎07-10-2006

under crypto isakmp profile L2L &

crypto isakmp profile L2L-2

try "match identity address 0.0.0.0"

this should just allow all for source ip, and permit

the domain as the matching field to match for a isakmp profile...

Joe

froggy3132000 · ‎09-26-2006

did you ever get this to work? I am looking to do the same thing.

aretsu · ‎09-26-2006

No, I asked to a Cisco SE (I am attaching the document with my question), and here is his answer:

------

That is expected. For MM psk, the key is picked right at the beginning based on the ip address, so we'll always pick the first match.

And then at MM5 when the profile is picked based on fqdn, if the configured keyring is not what we used earlier, we'll fail.

If you can use a seperate termination point for each cust/vrf, then you can separate the keys. Lets say you use 2 loopbacks for 2 customers.

Then by defining the loopback as the 'local-address' under each keyring and isakmp profile, you can limit the keyring selection based on the IKE destination (loopback address). But this will work with VTI not with Crypto maps, since we need a crymap per ike endpoint. I assume these are all non-cisco cpe's so vti or even ezvpn (where we wont even have this

problem) is out of the question.

If using crypto maps, and to be able to use 'local-address' you will need a intf/subintf per vrf and apply respective crypto maps. Then you can either use fvrf to seperate the keys, or use 'local address' to seperate the keys.

The local-address cli came in 12.3.11T so need an image after that.

---------

HTH

Alex

froggy3132000 · ‎09-26-2006

I guess I will just give it a try. All my cpe's will be cisco.