Asa and real-time resolution for IPSec Tunnel Peer.

microlab1 · ‎05-29-2007

Can I configure ASA to use real-time resolution for IPSec Tunnel Peer?

I found that Cisco Ios 12.4 has command set peer with switch dynamic.

Has Asa something similar?

ggilbert · ‎05-29-2007

Tihomir,

What do you mean by "real-time resolution" for IPSec tunnel peer?

Do you mean to say that the remote site is getting a DHCP address and you do not the IP address when it is trying to connect?

If that is the case, then ASA can terminate a dynamic IPSec tunnel for the end peer.

Is this what you are looking for?

Let me know.

Cheers

Gilbert

microlab1 · ‎05-29-2007

Yes, remote site is connected via DSL line and has dynamic IP address.

That address can be registered using dynamic DNS service, so remote site has only FQDN (not static IP address).

Is it possible to use that dynamic DNS address as remote peer address?

Regards,

Tihomir

ggilbert · ‎05-29-2007

Tihomir,

You have to use certificates in that scenario.

Your isakmp identity matching should be done by hostname.

Your ASA and the remote site will have to be authenticated and enrolled to a CA server so that the key exchange negotiations will happen using certificates and not pre-shared keys.

Hope this explains.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080637127.html#wp1052788

Rate this post, if it helps!!

Cheers

Gilbert

microlab1 · ‎05-29-2007

Thank you for your answers!

Is it possible to use pre-shared keys instead of certificates?

ggilbert · ‎05-30-2007

If the remote site has to be connected through a FQDN, then you need to use certificates. Pre-shared keys will not do the trick.

Reason: In the certificates, the OU will match to the group through the group-matching scenario and can be tagged to a tunnel-group.

Hope this explains.

Rate this post, if it helped.

Cheers

Gilbert