You can think of an ISAKMP profile as a modular entity that can control various aspects of a VPN connection. You can use an ISAKMP profile for VRF-Aware IPsec configurations, VPN QOS configurations, and in managing certificates.
So the first question we can address is this:
When I’m taking the lab exam how do I know when to use an ISAKMP profile?
First off, consider this: does this router have more than one IPsec connection that requires different phase 1 parameters to be negotiated? If the answer is “yes,” then you’ll probably be using an ISAKMP profile for the task.
For example: if you have an L2L (LAN-to-LAN) tunnel and an EasyVPN connection terminating on the same router, you might want to use an ISAKMP profile.
Once you determine that you want to use an ISAKMP profile you next need to have some familiarity with how they work and are matched. We’ll examine how they match on connections that we initiate.
An ISAKMP profile can be matched in two different ways:
- For initiating connections
- For terminating connections
When using an ISAKMP profile for initiating connections, the match statement has no effect. This is because the match statement is only used for incoming connections. But you’ll notice when you configure an ISAKMP profile that it is deemed “incomplete” until you have a match statement.
Router(config)#crypto isakmp profile MYPROFILE
% A profile is deemed incomplete until it has match identity statements
Router(conf-isa-prof)#
So what do you do? The simple solution is to add a match statement so that the profile becomes functional. In fact, your match statement could be anything, for example:
match identity address 0.0.0.0 0.0.0.0
Another thing you’ll notice is that until you have a match command you can type additional commands, but some of them will be ignored. Note the following configuration.
Router(conf-isa-prof)#local-address Loopback0
Router(conf-isa-prof)#
*Mar 11 23:12:23.386: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
Router(conf-isa-prof)#client auth
Router(conf-isa-prof)#client authentication ?
list AAA authentication list to use
Router(conf-isa-prof)#client authentication list AAA
Router(conf-isa-prof)#
Router#sh run | sec isakmp
crypto isakmp profile MYPROFILE
Router#
Router#sh cry isa profile
ISAKMP PROFILE MYPROFILE
Ref Count = 1
Identities matched are:
Certificate maps matched are:
keyring(s): <none>
trustpoint(s): <all>
Interface binding: Loopback0 (0.0.0.0:global)
Router#
Notice that the client authentication list we entered is nowhere in the running configuration and the profile has no identities matched. Now we add a match statement:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#crypto isakmp profile MYPROFILE
% A profile is deemed incomplete until it has match identity statements
Router(conf-isa-prof)#match identity address 0.0.0.0
Router(conf-isa-prof)#end
Router#
Next we show the profile:
Router#sh run | sec isakmp
crypto isakmp profile MYPROFILE
match identity address 0.0.0.0
client authentication list AAA
local-address Loopback0
Router#
Router#sh cry isa profile
ISAKMP PROFILE MYPROFILE
Ref Count = 1
Identities matched are:
ip-address 0.0.0.0
Certificate maps matched are:
keyring(s): <none>
trustpoint(s): <all>
Interface binding: Loopback0 (0.0.0.0:global)
So now the configuration takes effect. Certainly it’s minute details like this that can make all the difference in your time management on lab day.
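Here is a complete configuration, added as an example and not taken from the original post, of the scenario mentioned at the start: one router that both initiates an L2L tunnel and terminates EasyVPN clients, with a separate ISAKMP profile for each so that the two connections get different phase 1 treatment (keyring and peer address for the L2L side; group, AAA lists and address assignment for the EasyVPN side). Every name, address, username and key below is a constructed placeholder; both profiles carry a match identity statement so that neither is left “incomplete”.

```ios
! --- AAA lists that the EasyVPN profile references (constructed names) ---
aaa new-model
aaa authentication login EZVPN-AUTH local
aaa authorization network EZVPN-AUTHOR local
username ezuser password 0 EZUSER-PLACEHOLDER-PASSWORD
!
! --- Phase 1 policy shared by both connection types ---
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! --- L2L side: the peer's pre-shared key lives in its own keyring ---
crypto keyring L2L-KEYS
 pre-shared-key address 203.0.113.2 key L2L-PLACEHOLDER-SECRET
!
! --- EasyVPN side: group key and address pool handed to clients ---
ip local pool EZVPN-POOL 192.0.2.10 192.0.2.50
crypto isakmp client configuration group EZVPN-GROUP
 key EZVPN-GROUP-PLACEHOLDER-SECRET
 pool EZVPN-POOL
!
! Profile 1: site-to-site peer, selected on inbound by the peer's IP identity.
! A host mask is used instead of a 0.0.0.0 0.0.0.0 catch-all so that only this
! peer's identity lands here; on outbound the match is not consulted but is
! still required for the profile to be complete.
crypto isakmp profile L2L-PROFILE
 keyring L2L-KEYS
 match identity address 203.0.113.2 255.255.255.255
!
! Profile 2: EasyVPN clients, selected by the group name they present.
crypto isakmp profile EZVPN-PROFILE
 match identity group EZVPN-GROUP
 client authentication list EZVPN-AUTH
 isakmp authorization list EZVPN-AUTHOR
 client configuration address respond
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Interesting traffic for the L2L tunnel (constructed networks)
ip access-list extended L2L-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Dynamic map for the EasyVPN clients, bound to its ISAKMP profile
crypto dynamic-map EZVPN-DYN 10
 set transform-set TS
 set isakmp-profile EZVPN-PROFILE
 reverse-route
!
! Static entry for the L2L peer, bound to its ISAKMP profile; the dynamic
! entry comes last so static peers are evaluated first.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 set isakmp-profile L2L-PROFILE
 match address L2L-ACL
crypto map VPNMAP 20 ipsec-isakmp dynamic EZVPN-DYN
!
interface GigabitEthernet0/0
 crypto map VPNMAP
```

After applying this, “sh cry isa profile” should list both profiles with their identities matched (an ip-address for L2L-PROFILE and a group for EZVPN-PROFILE), and “sh run | sec isakmp” should show the client authentication and authorization lists under EZVPN-PROFILE rather than silently dropping them. Keeping the L2L match narrow matters on a router that also terminates connections: a 0.0.0.0 0.0.0.0 match, convenient as it is in the lab, would pull any peer’s address identity into that profile.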
Here is a list of useful links related to ISAKMP profiles. I recommend spending the time to become familiar with the behavior of ISAKMP profiles. Once you get familiar you’ll probably really enjoy using them.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml
-Regards
Brandon Carroll – CCIE #23837
Senior Technical Instructor – IPExpert
Mailto: bcarroll@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130


@Paul
That’s the difference between inbound and outbound matching. It can receive a connection but cannot initiate.
Note that the commands that are not enabled until the match command is present are important to initiating a connection.
Is the match required on initiate only profiles? I’ve seen them work on outbound connections attached to Crypto Maps even when the statement below is present.
% A profile is deemed incomplete until it has match identity statements
Great work Brandon!
I can’t avoid thinking that it was my isakmp-profile-related question on OSL that triggered the creation of this post. I love this interaction thing!
Br Jimmy
Glad you find it useful.
Great Article Brandon. I use ISAKMP profiles in almost all the VPN configs unless the task explicitly states that they shouldn’t be used.