The most suitable IPSec peer authentication for enterprise.

Unanswered Question
Jun 7th, 2007


We are considering IPSec deployment to all peers in an enterprise network. What worries me in pre-shared key for peer authentication is scalability, but I do not see any way out, since all Cisco routers I am aware of do not maintain the clock, so using PKI/CA is not an option.

The question is, are you aware of a way to have a Cisco router save the clock on power reset, or any other way out?

Appreciate your input.


vkapoor5 Wed, 06/13/2007 - 11:05

When specifying the host name of a remote IPSec peer via the set peer command, you can also issue the dynamic keyword, which defers DNS resolution of the host name until right before the IPSec tunnel has been established. Deferring resolution enables the Cisco IOS software to detect whether the IP address of the remote IPSec peer has changed. Thus, the software can contact the peer at the new IP address. If the dynamic keyword is not issued, the host name is resolved immediately after it is specified. So, the Cisco IOS software cannot detect an IP address change and, therefore, attempts to connect to the IP address that it previously resolved. DNS resolution assures users that their established IPSec tunnel is secure and authenticated.
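The crypto map behaviour described in the reply, as an added IOS configuration example that is not from the original post: the peer is referenced by host name, with the old one-time resolution shown commented out next to the deferred-resolution form. The host name vpn-peer.example.com, the name-server address, the ACL, the transform-set name and the placeholder pre-shared key are all assumptions, and both peers are assumed to use host-name ISAKMP identities.

```cisco
! Added example, not from the original post. Placeholder values throughout.
! DNS is required for host-name peers; the name server address is assumed.
ip domain lookup
ip name-server 192.0.2.53
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
!
! Key the PSK to the peer's host name rather than its address, so the
! key lookup still succeeds after the peer's address changes.
! Assumes the remote side also sends a host-name identity.
crypto isakmp identity hostname
crypto isakmp key EXAMPLE-PSK-PLACEHOLDER hostname vpn-peer.example.com
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Without "dynamic" the name is resolved once, when the line is entered;
! a later address change at the peer is never noticed:
!   crypto map VPN 10 ipsec-isakmp
!    set peer vpn-peer.example.com
!
! With "dynamic" resolution is deferred until the tunnel is negotiated,
! so a changed peer address is picked up on the next negotiation.
crypto map VPN 10 ipsec-isakmp
 set peer vpn-peer.example.com dynamic
 set transform-set TS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map VPN
```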

