2.17 IOS ezVPN server using VTI

Hi All,

I would like to post what I experienced in this task.

When we configure a new isakmp profile there is a warning:
% A profile is deemed incomplete until it has match identity statements

It is pretty straightforward that in this task we configure the identity as the group EZVPN.

What was not straightforward for me is what happens if I have multiple groups. In the real world that is usually the case. Do I need to configure more profiles if the settings are similar? What will happen with the client configuration group option?

I configured two groups:

crypto isakmp client configuration group EZVPN1
 pool EZ1
 key cisco1
crypto isakmp client configuration group EZVPN2
 pool EZ2
 key cisco2

If I want to use the same isakmp profile for these groups I can add as many match identity statements as I want (probably there is a max limit).

crypto isakmp profile EZ_PROF
 match identity group EZVPN1
 match identity group EZVPN2
 ..

In this case, both groups will use the same isakmp profile. They can connect to the server and the server will automatically select the appropriate configuration group if we don't specify anything specific under the profile. EZVPN1 will use the config group EZVPN1 and EZVPN2 will use the config group EZVPN2.

If we add a specific configuration group it will be used for any matching identity.

crypto isakmp client configuration group EZVPN1_2
 key cisco12
 pool EZ12

crypto isakmp profile EZ_PROF
 match identity group EZVPN1
 match identity group EZVPN2
 client configuration group EZVPN1_2

EZVPN1 will be authenticated with the EZVPN1 key, then configured with the EZVPN1_2 group settings. EZVPN2 will be authenticated with the EZVPN2 key with the EZVPN1_2 settings.

---------------------------

Going back to the original IE task, if I don't want to use a different configuration group I can leave the 'client configuration group X' line out of the isakmp profile. It will still work.

Best regards,

Robert



 
