Selection by IKE tunnel profile

Hello

I see a new DMVPN cloud/double hub network.

The spoke routers will have

  1. Two DMVPN clouds (RED and BLUE)
  2. Two tunnel interfaces, one for each DMVPN cloud (Tunnel10 and Tunnel11)
  3. IKEv2 only.
  4. A single interface into the Internet in its own FVRF. It is shared by the two tunnels.
  5. PKI certificates for authentication. The certificates all come from the same CA.
  6. We will have a few dynamic addresses... We do not use any IP-based criteria for crypto or anything else.

It works fine if I use the 'shared' keyword with the tunnel protection command on the tunnels.

But I need to make it work with the new IKE profile based tunnel selection.

My question is which match criteria to use so I can uniquely identify RED or BLUE spokes in an IKE profile.

The spokes will use a common domain, so I can't use the FQDN or e-mail to identify them.

I can't match on the certificate because it is also common to the spokes and will be used for both RED and BLUE.

So I'm stumped on what match criteria to use!

Hello, Wes Smith.

Do you plan to use the same certificates for RED and BLUE? If it's not the same certificate, you can try to use an organizational unit (OU) to separate them.

Tags: Cisco Security
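
The organizational-unit approach suggested in the reply, sketched as spoke-side IOS configuration. This is an added example, not configuration from the thread: it assumes each spoke holds one certificate per cloud from the same CA, differing only in the OU (the question says the spokes currently share a single certificate), and every name, URL, OU value and tunnel key in it is hypothetical.

```cisco
! Added example. Every name, URL and OU value here is hypothetical.
! Assumption: each spoke enrolls twice with the same CA, once per cloud,
! so that RED and BLUE peers present certificates that differ in the OU.
!
crypto pki trustpoint TP-RED
 enrollment url http://ca.example.test
 subject-name cn=spoke1.example.test,ou=RED
 revocation-check crl
!
crypto pki trustpoint TP-BLUE
 enrollment url http://ca.example.test
 subject-name cn=spoke1.example.test,ou=BLUE
 revocation-check crl
!
! Certificate maps classify the remote peer by the OU in its subject.
crypto pki certificate map RED-PEERS 10
 subject-name co ou=RED
!
crypto pki certificate map BLUE-PEERS 10
 subject-name co ou=BLUE
!
! One IKEv2 profile per cloud. FVRF, CA and domain are shared, so the
! certificate map is the only match criterion that separates the two.
crypto ikev2 profile IKEV2-RED
 match fvrf FVRF-INET
 match certificate RED-PEERS
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP-RED
!
crypto ikev2 profile IKEV2-BLUE
 match fvrf FVRF-INET
 match certificate BLUE-PEERS
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint TP-BLUE
!
! Each IPsec profile is pinned to the IKEv2 profile of its cloud.
crypto ipsec profile IPSEC-RED
 set ikev2-profile IKEV2-RED
!
crypto ipsec profile IPSEC-BLUE
 set ikev2-profile IKEV2-BLUE
!
! Both tunnels use the same source interface in the FVRF. Distinct tunnel
! keys keep the GRE traffic of the two clouds apart. NHRP and addressing
! are omitted.
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel vrf FVRF-INET
 tunnel protection ipsec profile IPSEC-RED
!
interface Tunnel11
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 11
 tunnel vrf FVRF-INET
 tunnel protection ipsec profile IPSEC-BLUE
```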

Similar Questions

  • Select the user's profile

    I've been with FF on my lappy for years; now, all of a sudden, when I try to start FF it asks me to select a user profile from the following options:

    - default
    - default-<number>
    

    This annoyed me no end; it's bad enough that FF will update the controls and settles on the startup, but now this?

    Occurred for the FF developers that when pop users open a browser, we need to snap open, we have always ridiculous wait time amounts so that it starts. What happens if I'm checking the timetables of the bus - I'd miss the bus. Or the time I've in conference and needed a quick Web page - embarrassed! Both need FF I've times and she could not be there for me in time. If I wanted a huge delay and/or additional tasks between clicking on open and opening then I'd of course get some ridiculous instead adobe products.

    In any case, as much as I like and love FF, I have unfortunately closed to him for this reason and use Chrome instead. I'll check every now and then to see if the choice of a user profile error has disappeared.

    Thank you for breaking my heart.

    I solved my problem by changing chrome.
    Thanks for your very technical responses and imagine the simple question of why my browser always let me down when I need it in an emergency by performing updates or some other rubbish at the start.

  • Its Smartphones Custom Contact SMS blackBerry overrides his Email selected in the active profile

    OK - I've been googling it ALL morning. I would like to know if there is a fix for this.

    I put a bunch of ringtones customized for friends and family, as I always have with my previous Blackberry (8310, 8900 and 9000) devices...

    With the 9700, when you change a ringtone for contacts, you will need to change the sound of their messages. Now I didn't have different sounds for different contacts when it came to mail, so I selected just the noise I had chosen when customizing my normal profile in the hope that all texts of all users play the same sound. Text messaging works very well. However, emails... not so much. Because I HAD to change their message sounds, now - whenever I get an email from one of the contacts that have a custom ringtone, the tone of the text goes off instead of the email one I chose! I have emails and texts going to separate folders... I guess this happens because the only custom option it gives me is to change the user's "message" noise and not "sms or e-mail".

    I want to have custom ringtones for people when they call me and a tone for all sms/mms and a tone for all the emails. I am angry.

    I know that other people have this problem... Help someone. I want to throw my phone = /.

    EDIT: Personal information removed - information such as the PIN & personal e-mails are prohibited for safety reasons. Please private Message (MP) this user.

    Hello katierestes,

    This feature is by design, custom messages alert applies to all messages (email, SMS, MMS), there is no option to specify TEXT of e-mail when you customize the alert contact.

  • AnyConnect tunnel-group automatic assignment without selecting any group-tunnel-group-list alias and user-group strategy.

    Objective is that the AnyConnect user must select group-alias, so that when a user enters his username and password he must go to his specific group policy and tunnel-group. As I removed this command in webvpn, 'no tunnel-group-list enable', I cannot connect (user does not authenticate).

    1 - my question is why his past does not?

    Solution:

    If I keep only a single tunnel-group by default and make several group policies and assign to each user with his specific group policy that it works. in user attribute means I have only question following the commands it works, but if I put "group-lock value test-tunnel" that it did not identify.

    Please explain why.

    webvpn
     enable outside
     cache-fs limit 50
     svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
     svc enable
    group-policy test-gp internal
    group-policy test-gp attributes
     vpn-tunnel-protocol svc webvpn
     address-pools value test-pool
    username test password test
    username test attributes
     vpn-tunnel-protocol svc
     group-lock value test-tunnel
     vpn-group-policy test-gp
    tunnel-group test-tunnel type remote-access
    tunnel-group test-tunnel general-attributes
     default-group-policy test-gp
    tunnel-group test-tunnel webvpn-attributes
     group-url https://192.168.168.2/test enable

    Yes, you have the right solution. You only need to create 1 tunnel group and multiple group policies. Under the user attributes, you then set the VPN group policy that you want the user assigned to.

    You can also authenticate users against AD and configure ldap attribute map to map the user to a specific group policy automatically.

    Here is an example of configuration if you happen to have the AD and will authenticate against AD:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

    Hope that helps.

  • How to select a color printer profile in Lightroom.

    I have a couple of printer ICC color profiles installed in Windows, and I can see them in the color management module. In Lightroom, when I want to print to a jpeg file, and then select the color management, I get a few choices but not the profiles that I installed. If I choose ONE, I'm supposed to see a list of my other profiles, but I do not see it. What can I do? I deleted and reinstalled the profiles, but that does not change anything. Thanks.

    LR doesn't show you what profiles are installed on your computer.

    Under LR / Print / print / profile: click the other...

    On the popup put a check mark in the display profiles include at the bottom and you should see a list with boxes to tick, that you can select.

    If you do not see this, then make a print screen and show us what you see by including this print-screen in a message, here.

    I think there are a lot of other profiles in the example above, because the user providing screenshots has also installed Photoshop that installs a certain other profiles.  If you have installed LR there that many others, but I expect to see the RGB those you already have visible with check marks next to them already.

  • Selection of the target profile?

    I use win 7-64. I have a Sony (Zeiss) 55 mm/1.8 ZA lens. Camera Sony Alpha 7R (full screen)

    I start the Sony FE profile download and select the lens. Normally, it works well and Lightroom comes automatically with the correct target/profile.

    Sometimes I download new photo (exactly like I always do) and the selection of Sony FE lens is not found. Only Sony and automatically zoom is selected and nothing else is available to choose. That's why Lightroom automatically select the lens bad nothing else is available, while most of the time it works perfectly and nothing changed in the download procedure.

    Any solution, bug?

    Yes indeed, the answer is very simple, but someone needs to put you on the right track! Thank you for that.

    I'll look into the details.

    For what is Hasselblad is I look further. I can build my own one, but it is very difficult to make a good calibration, particularly on extreme good lenses like Zeiss from Hasselblad lenses.

    In any case, I'm happy to close this call.

  • On DMVPNs selective IPSec encryption

    Hello

    I have a DMVPN with two spokes on an MPLS-L3-IPVPN network. IPSec over GRE using crypto profiles. Works very well. Now, there is a need to encrypt all traffic except DSCP EF. Tried with the help of ACB defining the IP next-hop for EF packets and just normal routing for all other types of traffic.

    My question is, I know crypto maps that use ACLs can selectively encrypt traffic through the IPSec/GRE tunnels. Crypto profiles don't seem to have this feature. Is there another way to do this?

    A config snippet from one of the spokes is below.

    ===============

    interface GigabitEthernet0/0.1
     description LAN i/f
     ip address 10.10.10.1 255.255.255.0
     ip policy route-map ACB

    interface Tunnel100
     ip address 172.16.254.13 255.255.254.0
     no ip redirects
     ip nhrp map 172.16.254.1 103.106.169.10
     ip nhrp map multicast 103.106.169.10
     ip nhrp network-id 1
     ip nhrp nhs 172.16.254.1
     ip nhrp shortcut
     keepalive 10 3
     tunnel source GigabitEthernet0/1.401
     tunnel mode gre multipoint
     tunnel key 1
     tunnel protection ipsec profile DMVPN-Crypto
    end

    router eigrp 1
     no auto-summary
     network 172.16.254.0 0.0.1.255
     eigrp log-neighbor-warnings
     eigrp log-neighbor-changes
     ! - router id
     network 10.10.10.0 0.0.0.255

    route-map ACB permit 10
     match ip address ACB
     set ip next-hop 11.2.100.2
    !
    route-map ACB permit 20

    ip access-list extended ACB
     permit icmp host 10.10.10.5 host 15.1.1.1 dscp ef
     permit icmp host 10.10.10.5 host 15.1.1.1 dscp 41
     deny ip any any log

    ===============

    Note: the routing table contains only a default route learned via EIGRP. Thus, if the ACB 10 past, policy would transmit to the Next-hop (PE). Or would otherwise use 0/0 and route thro' the tunnel.

    Thanks in advance!

    See you soon
    Aravind

    With DMVPN, no.  You will need to return to the use of just crypto maps, only using access lists to control what is and is not encrypted.

    If the "EF" traffic was on dedicated VoIP subnets you would have more options; you could simply choose not to route these subnets over the tunnel.

  • AnyConnect with several profiles of connection and menu drop-down

    Hello world

    I configured AnyConnect with two connection profiles and group policies.

    The connection profiles and group policies have the same host name, say xyz.com.

    I need to know which configuration I should do so that when I connect it shows, under the group option, the connection profiles to choose from the drop-down menu?

    Regards

    Mahesh

    Mahesh,

    When you build the connection profile on the ASA there is a section in the Advanced section for "Group Alias/Group URL". Fill in the names you want and enable them. You should then see the two selections in the AnyConnect profile drop-down list.

    In the cli, it looks something like:

    tunnel-group Group1 webvpn-attributes
     group-alias Group1 enable

    tunnel-group group2 webvpn-attributes
     group-alias group2 enable

  • Enable ASA 9.1 problems with tunnel-group-list

    Hello!

    I am trying to get a working configuration where the Cisco VPN phones connect via VPN / DTLS, while allowing remote access via the AnyConnect client from PCs.  I have two tunnel groups and group policies configured for this purpose and use group-url.

    The phones connect very well, but I don't get the drop-down menu to choose between the two tunnel groups when connecting from a remote computer.

    An excerpt from the config is below.

    Moreover, I had the menu working previously when I used group-alias instead of group-url.  However, the phones seem to require the group-url.  Now that I have those configured, the menu does not work.  If I enter the full URL in the AnyConnect window, both URLs work, and I can connect.

    Thank you in advance for any suggestions you may have!

    Deb

    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
     anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
     anyconnect enable
     tunnel-group-list enable
    group-policy ABC internal
    group-policy ABC attributes
     wins-server value 10.10.16.17 10.10.16.12
     dns-server value 10.10.16.17 10.10.16.12
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
     split-tunnel-policy tunnelall
     default-domain value abc.com
     address-pools value AnyConnectPool
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl rekey time 1440
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 5
      anyconnect dpd-interval gateway 30
      anyconnect ask none
    group-policy ABC-STG internal
    group-policy ABC-STG attributes
     dns-server value 8.8.8.8
     vpn-simultaneous-logins 3
     vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split-Tunnel-encrypt-ACL
     default-domain value abc.com
     address-pools value AnyConnectPool
     webvpn
      anyconnect ssl dtls enable
      anyconnect keep-installer installed
      anyconnect ssl rekey time 1440
      anyconnect ssl rekey method ssl
      anyconnect dpd-interval client 5
      anyconnect dpd-interval gateway 30
      anyconnect ask none
    tunnel-group Split-Tunnel-Group type remote-access
    tunnel-group Split-Tunnel-Group general-attributes
     address-pool AnyConnectPool
     default-group-policy ABC-STG
    tunnel-group Split-Tunnel-Group webvpn-attributes
     group-url https://asa.abc.com/ABC-STG enable
    tunnel-group ABC-Tunnel-Group type remote-access
    tunnel-group ABC-Tunnel-Group general-attributes
     address-pool AnyConnectPool
     authentication-server-group ACTIVE DIRECTORY
     default-group-policy ABC
     password-management
    tunnel-group ABC-Tunnel-Group webvpn-attributes
     group-url https://asa.abc.com/ABC enable

    Hello

    You can have group-alias and group-url at the same time in the configuration so that the phones can connect with group-url and users can click on the drop-down menu to select the right connection profile.

    tunnel-group webvpn-attributes
    Group-alias enable
    Group-url help

    Ref:- http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • mGRE tunnel SAs negotiated, but do not survive.

    Background

    We have a stable P2P GRE + IPSec configuration to multiple spokes using rsa signatures for ISAKMP authentication and EIGRP as the routing protocol. We are in transition to an mGRE (DMVPN) configuration. The P2P GRE tunnel interfaces are administratively shut down, the crypto maps on physical interfaces have been removed and the crypto database has been cleared.

    Question

    When we implement the mGRE tunnel interfaces (hub), we are able to complete ISAKMP phase I and II (briefly). However, ~1-1/2 minutes later, we see a debug message on the hub, such as:

    13:56:49.601 Jul 21 EDT: IPSEC (cleanup_tun_decap_oce): Unlock and null to Tunnel0 tun_decap_oce 86742E48 of 86FB990C of ident

    ... and then the IPSec SAs are deleted, the tunnel down, IKE_PHASE2_DEL and IKE_PHASE1_DEL messages are generated and start with phase I ISAKMP negotiation.

    Anyone know what the 'OCE' is?

    Highlights of debugging (ISAKMP and IPSec)

    13:55:13.188 Jul 21 EDT: ISAKMP: (2597): SA authentication status: authenticated
    13:55:13.236 Jul 21 EDT: ISAKMP: (2597): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE
    13:55:13.356 Jul 21 EDT: IPSEC (create_sa): its created.
    13:55:13.356 Jul 21 EDT: IPSEC (create_sa): its created.
    13:55:13.356 Jul 21 EDT: % CRYPTO-5-SESSION_STATUS: Crypto tunnel is MOUNTED.  Peer : 500 Id: spoke.domain.null
    13:55:13.356 Jul 21 EDT: % DMVPN-7-CRYPTO_SS: Tunnel0- socket is in PLACE
    13:55:13.700 Jul 21 EDT: ISAKMP: (2597): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
    13:56:49.601 Jul 21 EDT: IPSEC (cleanup_tun_decap_oce): Unlock and null to Tunnel0 tun_decap_oce 86742E48 of 86FB990C of ident
    13:56:49.601 Jul 21 EDT: IPSEC (delete_sa): deletion of the SA.
    13:56:49.601 Jul 21 EDT: IPSEC (delete_sa): deletion of the SA.
    13:56:49.601 Jul 21 EDT: % CRYPTO-5-SESSION_STATUS: tunnel Crypto is out of SERVICE.  Peer : 500 Id: spoke.domain.null
    13:56:49.601 Jul 21 EDT: ISAKMP: (2597): entry = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
    13:56:49.605 Jul 21 EDT: ISAKMP: (2597): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

    Note: A more complete debug output is attached.

    General comments (sh crypto isakmp, ipsec crypto sh its)

    ISAKMP Security Association reached a State of QM_IDLE and active status. However, the SA is removed and a new is generated on the breast of ~ minute.

    IPSec security associations are negotiated on the hub and the spokes. However, only speak it a program package, and only the hub has decaps. Wireshark confirms that the hub does not all ESP packets on the wire. The IPSec SAs are deleted and the new spawn every minutes ~ 1-1/2.

    See the output of the command

    hub #sh cry ipsec profile
    Profile IPSEC DMVPN
    Life safety association: 4608000 Kbytes / 3600 seconds
    Answering machine-only (Y/N): N
    PFS (Y/N): Y
    Diffie-Hellman group: group2
    Transform sets = {eni-xfm-des: {esp - esp-sha-hmac}, eni-xfm-3des: {esp-3des esp-sha-hmac}}

    hub #sh cry map
    Card crypto isakmp-65536-"Head-Tunnel0-0" ipsec
    Profile name: DMVPN
    Life safety association: 4608000 Kbytes / 3600 seconds
    Answering machine-only (Y/N): N
    PFS (Y/N): Y
    Diffie-Hellman group: group2
    Transform sets = {eni-xfm-des: {esp - esp-sha-hmac}, eni-xfm-3des: {esp-3des esp-sha-hmac}}

    Card 'Head-Tunnel0-0' 65537-isakmp ipsec crypto
    Map is a PROFILE INSTANCE.
    Peer =.
    Extended IP access list
    access-list allow accord host host
    Current counterpart:
    Life safety association: 4608000 Kbytes / 3600 seconds
    Answering machine-only (Y/N): N
    PFS (Y/N): Y
    Diffie-Hellman group: group2
    Transform sets = {eni-xfm-des: {esp - esp-sha-hmac}, eni-xfm-3des: {esp-3des esp-sha-hmac}}
    Interfaces with card crypto Tunnel0-head - 0:Tunnel0

    HQ-edg01 #sh cry session detail
    Current state of the session crypto

    Interface: Tunnel0
    Duration: 00:00:10
    The session state: UP-ACTIVE
    Peer: port 500 fvrf: (none) ivrf: (none)
    Phase1_id: spoke.domain.null
    DESC: (none)
    ITS IKE: local remote 500 500 Active
    Capabilities: (None) connid:2682 life time: 23:59:47
    ITS IKE: local remote 500 500 inactive
    Capabilities: (None) connid:2681 life time: 0
    FLOW IPSEC: allowed host 47 host
    Active sAs: 2, origin: card crypto
    On arrival: dec #pkts'ed 6 drop 0 life (KB/s) 4517257/3589
    Outbound: #pkts enc'ed drop 0 0 life (KB/s) 4517258/3589

    Material & IOS

    C1811 (hub) - c181x-advipservicesk9-mz.124-24.T
    c1711 (spoke) - c1700-advipservicesk9-mz.124-15.T9

    The relevant parts of the DMVPN crypto configurations follow (hub / spoke):

    crypto isakmp policy 3
     encr 3des
     group 2
     lifetime 86399

    crypto isakmp identity hostname

    crypto ipsec transform-set eni-xfm-3des esp-3des esp-sha-hmac
     mode transport
    crypto ipsec transform-set eni-xfm-des esp-des esp-sha-hmac
     mode transport

    crypto ipsec profile DMVPN
     set security-association lifetime seconds 3600
     set transform-set eni-xfm-des eni-xfm-3des
     set pfs group2

    interface Tunnel0
     ip address 255.255.255.0
     tunnel protection ipsec profile DMVPN

    Note: NHRP, mGRE, and no other settings have been chiselled.

    Any help would be appreciated.

    Best regards
    Mike

    You are right in your comment.

    The previous p-BRMS interface (in your case) can get its information into the tunnel endpoint database (packages of controls tunnel) even if the p-BRMS tunnel is stopped.  It is also in the code that a GRE packet destined to the router will search for a match with a p-BRMS tunnel before mGRE tunnels. So the GRE tunnel packets were getting "caught" by the p-BRMS tunnel and then dropped.

    If I really want a GRE tunnel to be 'down', I'll remove the "tunnel source ...".

    If I have two tunnels up at the same time, I do what you do: give each of them a different tunnel key or a different tunnel source.

    Hope this helps to understand what was going on.

    Mike.

    PS. You should be able to mark it as answered now.

  • Display profile

    Hello

    I have an iMac 27 "3.4 Ghz Intel Core i7 (November 2011), OSX 10.11.6

    Since I have the pain my eyes (working too in front of the screen, even with low light and black background), I change the profile of the screen (System preferences/display/color).

    I create (calibration button) a new profile with less blue (which is the main problem for the eyes).

    It works but randomly (every x minutes) select System rear original profile.

    I have to select once again my profile regularly.

    I deleted the profile iMac (original profile), but it changes again to a profile much more blue in any case.

    Any idea of balance this problem? (I want to keep my profile)

    Thank you

    Ben

    Have you tried...

    /Users/username/Library/Saved Application State/com.apple.ColorSyncUtility.savedState

    To find out if it's the scale of the system or a specific user, try this...

    Open system preferences > users and groups, unlock it, click the "smaller", make a new admin account, log on & into the new account.

    It works in the new account?

  • Transfer logins again portable profiles?

    I just received a T420s to replace my T61. Is there an easy way to transfer all the profiles of wireless location from the old machine to the new machine? I use the logins on the two machines, both have the latest versions.

    Open the location profiles logins, and then select export only the profiles that you want to move to a file. On the new system you then just import them.

  • Custom storage profile-HDS.

    Could someone explain the process to apply the profile storage custom volume to the compellent?.

    Click on the top level of the navigation tree, then you should have the option "Set up my Volume Defaults". Select that and then the Advanced tab, check the box 'Allow the selection of the storage profile' and click OK. Who will show you profiles of storage in the storage section now. From there, you can create your own profiles.

  • Several profiles ASA

    So 1 ASA 5525

    Scenario: -.

    Currently user authenticate using their AD credentials in the box as the tunnel anyconnect pop arrives, I now need to add access via devices Mobile dial on demand. Of course the use of certificates for these devices is the answer, so I want to know is can I use a certificate for mobile devices and for other devices different authentication system. I know this must be possible but can not find the answer outside the performer one of the Warriors asa 2 for mobile authentication and the 2nd for mobile laptop, realizing I could user multiple contexts but it's a virtual solution from the solution box 2, ideally I would want a profile if a broken while he moves on test 2 If this authentication fails final is failure

    any thoughts?

    Currently, no EHT but we have a RADIUS

    Hi Gary,

    Certificates for your mobile devices is a good way to do. Then you will need two different groups/connection tunnel profile. You are able to define URLS for different groups of tunnel, for example, your PC will use https://vpn.yourvpn.com/primary and Mobile will use https://vpn.yourvpn.com/mobile. Of course, you must disable the list feature in order to have an effective solution.

    Now, to avoid your mobile users to access https://vpn.yourvpn.com/primary , I will configure DAP (Dynamic Access Policy) rules to block mobile devices when they try to connect to the Group of false tunnel. Please refer to: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#t4.

  • Display Dell Feature Request Manager: ability to associate an ICC profile preset and automatically switch

    I have a Dell U3014 and I love this monitor. I also like the display Manager software that allows me to quickly change the presets to monitor without messing around with the OSD or completely automatic based on the application that I use. The problem: many people, including that using end monitors need to render accurate colors and for this reason they calibrate/profile their monitors. Each preset needs that we present independently and has an associated ICC profile. Especially in windows, it is necessary to use an sRGB preset based for color unmanaged applications, while a wide range of predefined such as Adobe RGB is used on applications such as photoshop color management, lightroom etc. Manager display Dell offer a quick and elegant solution for the preselections, either by selecting a quick menu, either by automatically associating a preset for a given application (i.e. photoshop is enabled, go to Adobe RGB). It works very well, however the selection of the appropriate profile must be done manually and it's quite tedious (open the resolution of the screen change applet, click Advanced setting, open the color management applet, select the appropriate monitor and finally load the profile ICC proper). It's a lot of time and pain that could be completely and painlessly by DDM the automated solution: a small improvement to DDM may be in the form of a tab in color management, where an existing ICC profile may be associated with a given preset. If a preset has an associated ICC profile, DDM will load the appropriate corresponding ICC profile when it switches preset. Windows has API to load ICC profiles that are easy to use. I even tried to write my own software. Switching profiles is not complicated. What is difficult is to SDC/DI allows you to change the presets on the monitor. There is no free library to do that I could find. 
The company that makes this software to display for Dell Manager, EnTech sells libraries which SDC/DI but are more expensive that I can afford. I think to add such a device to DDM, would be an effort across very minor EnTech part, but the benefits for users would be great. If such a device would be helpful for you, or if you have any other suggestions please post them here. I hope that if there is an important need for it, Dell can ask EnTech to incorporate it into a future version of the MDD. Thank you.

    Thank you very much. It worked! Now, on the display manager, I have a small ICM button where I can link a CIM profile in a "Preset". It works beautifully. As a suggestion, it would be nicer to display in the ICM selection menu the name of the profile from its metadata rather than the file name of the profile itself as many profiling rather than application of the colour profile human-readable name in metadata and use a hex hash to force the user to open the applet from color correction to match the name of the file which is which. Also, the list is completed by the name of old profiles that have already been deleted. Whence the list?  These files are not in my windows/system32/spool/pilot/color directory more, are in the registry and also do not appear in the applet of color correction.

    Would be very happy to beta-test report and new updates.

    Thanks again for adding this feature. It is very useful
