Problem with isakmp identity

Unanswered Question
Apr 6th, 2009

I have a problem that I think is pointing back to the isakmp identity being set to hostname on an ASA.

I have configured EzVPN on a router, but it won't connect to an ASA. I can use the same group name and password that I'm using in the router in the software client and it works fine. I configured another ASA with the crypto isakmp identity hostname, and the same thing happens. It says that none of the policies match. If I change the identity to address on the test ASA, I can connect with no problems.

I haven't changed the isakmp identity on the production one because I have sites that are connecting to us via ASAs and software clients (vendors and users). I have a domain name that resolves to two public addresses for VPN connectivity, and this is why I believe hostname was used. The ASA has a public address, but it can be NATed to another address via a Fatpipe. Is there any workaround that I can do on the router, and if not, is there any bad effect on changing the identity on the ASA to address, being that the public address could be NATed to a different public address?

I've got a TAC case opened on this, but they haven't been able to help me.

Thanks,

John

Ivan Martinon Wed, 04/08/2009 - 06:24

John,

isakmp identity is used to identify the peer connection; when defined as hostname, you would typically expect the remote peer to use certificates, which would have the hostname for the peer. If you are concerned about your clients not connecting (not to worry unless certs are used), you can set the identity as "auto".
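As an added illustration (not configuration posted by John or Ivan, and not tied to any real site), the fragment below places the identity setting the thread discusses beside the EzVPN client on the IOS router. The group name, pre-shared key, peer address and policy numbers are constructed placeholders; the ASA lines reflect ASA 8.x syntax, and the router lines the classic IOS EzVPN client.

```cisco
! ---- ASA side (constructed example, ASA 8.x syntax) ----
! Identity sent in IKE phase 1. "hostname" only matches cleanly when the
! peer authenticates with certificates carrying that FQDN; with a
! pre-shared key the remote-access client expects an address identity.
! "auto" picks address for pre-shared keys and the cert DN for certificates,
! so mixed PSK and certificate peers keep working.
crypto isakmp identity auto
crypto isakmp enable outside

! Phase 1 policy the EzVPN client must be able to match
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Remote-access tunnel group; the group name is the EzVPN "group" and the
! pre-shared key is the EzVPN "key"
tunnel-group EZVPN-GROUP type remote-access
tunnel-group EZVPN-GROUP ipsec-attributes
 pre-shared-key EXAMPLE-PSK-CHANGE-ME

! ---- IOS router side (constructed example, EzVPN hardware client) ----
crypto ipsec client ezvpn EZVPN-TO-ASA
 connect auto
 group EZVPN-GROUP key EXAMPLE-PSK-CHANGE-ME
 mode client
 peer 203.0.113.10

! Apply the client to the outside interface (and "inside" on the LAN side)
interface FastEthernet0/0
 crypto ipsec client ezvpn EZVPN-TO-ASA
```

The setting to compare is the single line `crypto isakmp identity auto` against `crypto isakmp identity hostname`: with hostname on the ASA and a pre-shared key on the router, phase 1 fails before any IPsec policy is evaluated, which is what surfaces as "none of the policies match". Because `auto` derives the identity from the authentication method per tunnel, existing certificate-based peers are not affected by the change, and the NATed public address does not matter for the address identity as long as NAT-T is permitted on the path.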
