Problem with isakmp identity

Unanswered Question
Apr 6th, 2009

I have a problem that I think is pointing back to the isakmp identity being set to hostname on an ASA.


I have configured ezvpn on a router, but it won't connect to an ASA. I can use the same groupname and password that I'm using in the router in the software client and it works fine. I configured another ASA with the crypto isakmp identity hostname, and the same thing happens. It says that none of the policies match. If I change the identity to address on the test ASA, I can connect with no problems.


I haven't changed the isakmp identity on the production one because I have sites that are connecting to us via ASAs and software clients (vendors and users). I have a domain name that resolves to two public addresses for VPN connectivity, and this is why I believe hostname was used. The ASA has a public address, but it can be NATed to another address via a FatPipe. Is there any workaround that I can do on the router, and if not, is there any bad effect on changing the identity on the ASA to address, being that the public address could be NATed to a different public address?


I've got a TAC case opened on this, but they haven't been able to help me.


Thanks,

John
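The two ASA identity settings John compares, placed next to a router-side EzVPN client configuration, as an added example for readers of this thread (it is not John's configuration and not taken from the post). The group name, pre-shared key, peer name, tunnel-group lines, interface names and the network-extension mode are placeholders and assumptions; only the `crypto isakmp identity hostname` versus `crypto isakmp identity address` contrast comes from the post.

```cisco
! ===== ASA (headend) =====
! Identity setting John reports fails for the router EzVPN client
! (the ASA sends its hostname/FQDN as its ISAKMP ID):
crypto isakmp identity hostname
!
! Identity setting John reports works on the test ASA
! (the ASA sends the IP address of the interface as its ISAKMP ID):
crypto isakmp identity address
!
! Group the EzVPN client authenticates against.
! GROUPNAME and PASSWORD are placeholders; "type remote-access" assumes ASA 8.x.
tunnel-group GROUPNAME type remote-access
tunnel-group GROUPNAME ipsec-attributes
 pre-shared-key PASSWORD

! ===== Router (EzVPN hardware client) =====
! Profile name HQ, the peer DNS name and network-extension mode are assumptions.
crypto ipsec client ezvpn HQ
 connect auto
 group GROUPNAME key PASSWORD
 mode network-extension
 peer vpn.example.com
!
! Interface names are placeholders.
interface FastEthernet0/0
 crypto ipsec client ezvpn HQ outside
!
interface FastEthernet0/1
 crypto ipsec client ezvpn HQ inside
```

When comparing the working and failing ASA, the identity each side actually sends and expects is visible in `debug crypto isakmp` on both devices, and `show crypto isakmp sa` shows whether phase 1 completed at all; that is the quickest way to confirm the mismatch is in the ID payload rather than in the group name or key.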

thotsaphon Sun, 04/12/2009 - 11:00

John,

I'm not sure what you are trying to accomplish.

In case the HQ has only one public address but you want to utilize 2 links by doing NAT for 2 ISPs.

Well, it's a good idea to do that. There are limitations I'm concerned about.


ASA

- Can't resolve a hostname by using DNS. It can refer to a peer name from a "name" command.

- Can't connect 2 links/ISPs at the same time because the interesting traffic overlaps when configuring 2 instances. The device will get confused.

- Can do load-sharing, such as Site A uses ISP1 (NATed at HQ); if ISP1 goes down, then go to ISP2 (NATed at HQ).


Router

- Can play around with DNS. You can specify the peer as a name. The name can be resolved by DNS. If I have 10 branch sites and a device acting as DNS that provides 2 public addresses (as round robin or something like that) when the 10 branch sites ask for the IP address of the peer, 5 branches should use ISP1 and the other 5 branches should use ISP2.

- Can't connect 2 links/ISPs at the same time because the interesting traffic overlaps when configuring 2 instances.


Note: What the router can do is resolve the name. After that, it goes on to build the tunnel. You need a third device to reply with 2 public IP addresses. What about FatPipe? Let's check it out.



HTH,

Toshi
