There is a document on the Cisco website explaining that while configuring a static crypto map and peers, instead of a peer IP address we can specify an FQDN followed by the "dynamic" command. I have been trying this option with no luck. My VPN endpoints (routers 2611XM and 831) do resolve each other's names with a DNS server, but when it comes to applying crypto maps to the interfaces I get the following error message:
ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]
So to speak, no SAs are being established and the IPSec tunnel fails to come up.
Anybody tried that and had the same problem? I'd appreciate your help on that.
What authentication method do you use? If you use "pre-share" you still cannot use "cry isa key ... name ..." even if the DNS resolves this to an IP address. This is a feature of the IKE MM. So, use certs instead.
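
The combination discussed in this thread, a static crypto map whose peer is given by FQDN with the "dynamic" keyword and IKE authenticated with certificates (rsa-sig) instead of a pre-shared key, is shown below as an added example that is not taken from the Cisco document or from either poster. All hostnames, the CA URL, the ACL subnets, the interface and the object names (EXAMPLE-CA, TS-AES, VPN-MAP) are constructed placeholders, and older IOS releases spell the trustpoint command "crypto ca" rather than "crypto pki".

```cisco
! Added example; every name and address below is a constructed placeholder.
hostname router-a
ip domain-name example.com
ip name-server 192.0.2.53
!
! Trustpoint for the CA that issues both routers' certificates.
! After defining it, run "crypto pki authenticate EXAMPLE-CA" and
! "crypto pki enroll EXAMPLE-CA" so the router holds the CA certificate
! and its own identity certificate.
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca.example.com
 revocation-check crl
!
! IKE phase 1: certificate (RSA signature) authentication, so no
! "crypto isakmp key ..." entry has to be matched to the peer.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
! Traffic to protect: local LAN to remote LAN.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Static crypto map; the peer is an FQDN, and "dynamic" makes the router
! resolve the name when the tunnel is being set up rather than once at
! configuration time.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer router-b.example.com dynamic
 set transform-set TS-AES
 match address 101
!
interface FastEthernet0/0
 crypto map VPN-MAP
```

The far end mirrors this with the peer name and ACL reversed. "show crypto isakmp sa" and "show crypto ipsec sa" confirm whether phase 1 and phase 2 SAs were established once interesting traffic is sent.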