08-27-2013 05:33 PM - edited 02-21-2020 07:07 PM
Trying to set up an IPsec tunnel, I was reading some articles on the web like:
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html
I was used to setting up IPsec sessions using the crypto map concept.
So my question is: how do I specify the "isakmp policy" that I want to use for phase 1 using the tunnel concept?
Let's suppose I have several IPsec sessions running and I need different isakmp policies. Before, I used to do:
! ISAKMP policy 1, used by VPN 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! ISAKMP policy 20, used by VPN 2
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key YYYYYY address XXXXXXX
crypto isakmp key YYYYYY address XXXXXXX
.
.
crypto map CRYPTO 1 ipsec-isakmp
 description "VPN1"
 set peer XXXXXXX
 set transform-set TRAN1
 match address XXX
! Using sequence number 20, policy 20 is assigned.
crypto map CRYPTO 20 ipsec-isakmp
 description "VPN2"
 set peer XXXXXXX
 set transform-set TRANS2
 match address XXXX
Any help would be great.
Thanks.
08-27-2013 11:48 PM
The concept of isakmp policies is the same as before with crypto maps. And you can also mix VPNs with crypto maps and VPNs with VTIs on the same router.
So in your example, if you are the initiator, both policies (well, both are the same, which doesn't make any sense) are sent to the peer as a suggestion and the responder will (hopefully) choose one based on the priority (lower numbers have higher priority). That is independent of the tunnel type.
What often changes in modern deployments is that the PSKs are not configured in the global config, but in crypto keyrings that can be matched by isakmp profiles:
crypto keyring STATIC-VPN
pre-shared-key address 198.51.100.10 key cisco1234
pre-shared-key address 192.0.2.10 key cisco456
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
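The following is an added, complete IOS configuration that puts the answer above together for the two peers the question describes: two ISAKMP policies (still global, negotiated by priority), one keyring and one ISAKMP profile per peer, and one VTI per peer bound through an IPsec profile. It is example configuration written for this page, not the original poster's or the answerer's config. The peer addresses and key strings are the ones used in the answer; the interface names, tunnel addresses, profile names, and routes are assumed. It also deliberately uses AES-256, SHA-256 and DH group 14 instead of the 3DES/group 2 from the question, since those older settings are no longer considered adequate.

```cisco
! ISAKMP (IKEv1) policies are global, not per peer. An initiator offers all of
! them; the responder picks the first acceptable one by priority (lowest number).
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes
 hash sha
 authentication pre-share
 group 14
!
! Keyrings hold the PSKs, one keyring per peer, replacing global
! "crypto isakmp key ... address ..." lines.
crypto keyring KR-VPN1
 pre-shared-key address 198.51.100.10 key cisco1234
crypto keyring KR-VPN2
 pre-shared-key address 192.0.2.10 key cisco456
!
! ISAKMP profiles select the keyring by the peer's identity. The tunnel
! interface is tied to the profile through the IPsec profile below.
crypto isakmp profile PROF-VPN1
 keyring KR-VPN1
 match identity address 198.51.100.10 255.255.255.255
crypto isakmp profile PROF-VPN2
 keyring KR-VPN2
 match identity address 192.0.2.10 255.255.255.255
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-VPN1
 set transform-set TS-AES256
 set isakmp-profile PROF-VPN1
crypto ipsec profile IPSEC-VPN2
 set transform-set TS-AES256
 set isakmp-profile PROF-VPN2
!
! One VTI per peer (assumed interface and tunnel addressing). With a VTI,
! routing decides what is encrypted; there is no crypto ACL as with a crypto map.
interface Tunnel1
 description VPN1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN1
!
interface Tunnel2
 description VPN2
 ip address 10.255.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN2
!
! Assumed remote networks behind each peer.
ip route 10.1.0.0 255.255.0.0 Tunnel1
ip route 10.2.0.0 255.255.0.0 Tunnel2
```

To confirm which policy was actually negotiated with each peer, use `show crypto isakmp sa detail` (the `Encr`, `Hash` and `DH Group` columns) and `show crypto session detail`, which also shows the ISAKMP profile the session matched. If a peer only supports the weaker policy 20, the SA for that peer will show AES-128/SHA-1 while the other still shows AES-256/SHA-256; that is the per-peer behaviour you get from ordering policies by priority, since IKEv1 gives no way to pin a policy to a profile.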