
multiple crypto policies

Status
Not open for further replies.

mwesche

IS-IT--Management
Jul 23, 2003
I am unable to establish phase 1 when attempting a second crypto isakmp policy

My first one is good, I am getting through phase 1 and two and routing encrypted packets fine. I created a second one the same way I did the first one. I have verified the peer address, encryption types, group types, as well as the crypto access-lists with the user.

I debugged crypto isakmp and I see MM_NO_STATE when I attempt to ping from a valid IP source.

When I show crypto isa sa, I see that the second session is trying to establish SAs and I see MM_NO_STATE under the status.

The only thing I did differently in the second policy than from the first is that I specified a network address to network address format in my crypto-map access list. I used a host address-to-host address in my first policy. I saw a Cisco document that said that either method is fine as long as they are mirrored on both sides. Any insight into the problem would be greatly appreciated.
 
Here is one example based on a configuration I applied recently. This one is 2 crypto maps on 2 sub interfaces.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key link1 address 10.255.254.170
crypto isakmp key link2 address 10.255.254.174

crypto ipsec transform-set map esp-3des

crypto map link1 10 ipsec-isakmp
set peer 10.255.254.170
set transform-set map
set pfs group2
match address list1
!
crypto map link2 10 ipsec-isakmp
set peer 10.255.254.174
set transform-set map
set pfs group2
match address list2
!
interface ATM2/0.1 point-to-point
ip address 10.255.254.169 255.255.255.252
pvc 50/32
protocol ip 10.255.254.170 broadcast
vbr-nrt 1920 1000 200
!
crypto map link1
!
interface ATM2/0.2 point-to-point
ip address 10.255.254.173 255.255.255.252
pvc 51/32
protocol ip 10.255.254.174 broadcast
vbr-nrt 1920 1000 200
crypto map link2

ip access-list extended list1
permit ip 128.65.0.0 0.0.255.255 172.22.251.0 0.0.0.255
permit ip 128.75.0.0 0.0.255.255 172.22.251.0 0.0.0.255
ip access-list extended list2
permit ip 128.65.0.0 0.0.255.255 172.16.36.0 0.0.0.255
permit ip 128.75.0.0 0.0.255.255 172.16.36.0 0.0.0.255


The ACLs need to mirror each other across the tunnel. Also I read the bit about not using the any keyword in the crypto ACLs, tried it anyway and it didn't work.

Hope this helps, if not let us have a look at your config.
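Added example (not from this thread): a small Python check for the "ACLs must mirror each other" rule, using list1 from the config above as the local side and a constructed remote list whose second entry has the wrong wildcard mask. It normalises Cisco wildcard masks, `host` and `any` into networks and reports any entry without a mirrored (destination/source swapped) counterpart.

```python
import ipaddress

def _take_address(tokens):
    """Consume one ACL address spec ('any', 'host A.B.C.D', or
    'A.B.C.D WILDCARD') and return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is the bitwise inverse of a netmask (0.0.255.255 -> /16).
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_crypto_acl(acl_text):
    """Return the set of (src_net, dst_net) pairs from the 'permit ip ...'
    lines of an extended ACL; headers, remarks and deny lines are ignored."""
    flows = set()
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue
        src, rest = _take_address(tokens[2:])
        dst, _ = _take_address(rest)
        flows.add((src, dst))
    return flows

def mirror_mismatches(local_acl, remote_acl):
    """Each local (src, dst) must appear on the remote side as (dst, src).
    Returns (local entries with no mirror, remote entries with no mirror)
    as 'src -> dst' strings; two empty lists mean the ACLs mirror."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    remote_flipped = {(d, s) for (s, d) in remote}
    local_flipped = {(d, s) for (s, d) in local}
    fmt = lambda flows: sorted(f"{s} -> {d}" for (s, d) in flows)
    return fmt(local - remote_flipped), fmt(remote - local_flipped)

# list1 as posted above (local side of the tunnel).
LOCAL_LIST1 = """
ip access-list extended list1
 permit ip 128.65.0.0 0.0.255.255 172.22.251.0 0.0.0.255
 permit ip 128.75.0.0 0.0.255.255 172.22.251.0 0.0.0.255
"""
# Constructed remote side: the second entry uses a /24 wildcard where the
# local side has /16, so that pair never matches the local proxy identity.
REMOTE_LIST1_BAD = """
 permit ip 172.22.251.0 0.0.0.255 128.65.0.0 0.0.255.255
 permit ip 172.22.251.0 0.0.0.255 128.75.0.0 0.0.0.255
"""
```

Calling `mirror_mismatches(LOCAL_LIST1, REMOTE_LIST1_BAD)` returns the unmatched local entry and its malformed remote counterpart; against a correctly mirrored remote list both lists are empty.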
 
So if I am going to have multiple crypto maps they use the same crypto isakmp policy, unless the encryption, hash, groups are different, right?

I was creating a separate isakmp policy for each crypto map.
I'll try it with the user on the other end and let you know.

Thanks
 
You can have multiple isakmp policies; they negotiate end to end to find one that matches, most secure first.

In my application I had control of isakmp and ipsec at both ends so decided to use one global policy even though I was using multiple interfaces.

Like all these implementations the final solution is down to individual requirements.
 