10-31-2008 08:22 AM - edited 02-21-2020 04:00 PM
Hi,
There is a document on the Cisco website
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrlres.html
explaining that, while configuring a static crypto map and peers, instead of a peer IP address we can specify an FQDN followed by the "dynamic" command. I have been trying this option and had no luck. My VPN endpoints (routers 2611XM and 831) do resolve each other's names with a DNS server, but when it comes to applying crypto maps to the interfaces I get the following error message:
ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]
So to speak, no SAs are being established and the IPSec tunnel fails to come up.
Anybody tried that and had the same problem? I'd appreciate your help on that.
Thanks,
Remi
11-14-2008 04:15 AM
What authentication method do you use? If you use "pre-share" you still cannot use "cry isa key ... name ..." even if the DNS resolves this to an IP address. This is a feature of the IKE MM. So, use certs instead.
11-14-2008 07:35 AM
Exactly, I was using pre-share key authentication. I am in the process of deploying certs to see how it's gonna work.
Thanks for your help.
Remi