10-31-2008 08:22 AM - edited 02-21-2020 04:00 PM
Hi,
There is a document on the Cisco website
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrlres.html
explaining that, while configuring a static crypto map and peers, instead of a peer IP address we can specify an FQDN followed by the "dynamic" command. I have been trying this option with no luck. My VPN endpoints (routers 2611XM and 831) do resolve each other's names with a DNS server, but when it comes to applying crypto maps to the interfaces I get the following error message:
ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]
So to speak, no SAs are being established and the IPSec tunnel fails to come up.
Anybody tried that and had the same problem? I'd appreciate your help on that.
Thanks,
Remi
11-14-2008 04:15 AM
What authentication method do you use? If you use "pre-share" you still cannot use "cry isa key ... name ..." even if the DNS resolves this to an IP address. This is a feature of the IKE MM. So, use certs instead.
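An added configuration sketch of the change this reply suggests, not taken from the thread or from Cisco's document: the pre-shared-key setup keyed to a peer name, next to certificate (rsa-sig) authentication with the FQDN peer. The hostnames, addresses, key placeholder, trustpoint, map and ACL names are all assumptions, and the thread does not confirm the result.

```cisco
! Constructed example. Every name, address and number below is a placeholder.
! DNS resolution the router needs in order to resolve the peer FQDN
ip domain-lookup
ip name-server 192.0.2.53
!
! --- Before: pre-shared key bound to a peer name -------------------------
! The reply above says this key form cannot be used with "pre-share".
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key <PLACEHOLDER-KEY> hostname peer.example.com
!
! --- After: certificate authentication, as the reply suggests ------------
! The trustpoint must be authenticated and the router enrolled with the CA
! before IKE can use it.
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca.example.com
!
crypto isakmp policy 10
 authentication rsa-sig
!
! --- Crypto map with the FQDN peer (same in both cases) ------------------
crypto ipsec transform-set EXAMPLE-TS esp-aes esp-sha-hmac
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map EXAMPLE-MAP 10 ipsec-isakmp
 set peer peer.example.com dynamic
 set transform-set EXAMPLE-TS
 match address 101
!
interface FastEthernet0/0
 crypto map EXAMPLE-MAP
```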
11-14-2008 07:35 AM
Exactly, I was using pre-share key authentication. I am in the process of deploying certs to see how it's gonna work.
Thanks for your help.
Remi