ASA more than one pre-shared with dynamic crypto map

Unanswered Question
Sep 24th, 2009

Hi, how to have more than one pre-shared for dynamic crypto map, in ASA ?

I need a different pre-shared, one for every hub router

thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Patrick0711 Fri, 10/02/2009 - 15:18

In dyanmic l2l configurations, the defaultl2l group is used to bind the pre-shared key to the unknown initiator IPs.

Only one pre-shared key can be set in the defaultl2l group.

This behavior is the same in 7.x and 8.x code.

r.spiandorello Fri, 10/02/2009 - 22:28

Hi, I'm trying to identify the peer with the name instead of the IP.

So, I could bind every name of remote peer with a tunnel group.

auraza Thu, 10/08/2009 - 14:03

You could try using "crypto isakmp identity hostname" on the dynamic ASA's, and make sure the name matches up with the tunnel-group name.

If the IP's are not changing on the dynamic hosts, you could use the IP in the tunnel-group as well, to see if it lands on the TG correctly.

To see what the ASA is doing, enable debugs:

debug cry isa 200

debug cry ips 200

Preshared keys no longer work when hostname is sent as the identity; thus, hostname as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail.

If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work.

HTH>

Patrick0711 Sun, 10/11/2009 - 09:07

ISAKMP identity hostnames CAN be used with pre-shared keys, both in aggressive and main mode. However, you can only identify the pre-shared key by IP address when using main mode since the ID info is sent in the last encrypted main-mode exchange.

If the remote client is able to initiate the IKE Phase 1 negotiation in aggressive mode, you would theoretically be able to use the ISAKMP identity hostname to identify the pre-shared key. This is the basis of all remote-access IPSEC VPNs on both the PIX and ASA.

Now, whether or not the ASA will support this type of configuration is another story. I've never tested this type of config, however, it would be theoretically possible as defined by the IKE RFC.

Actions

This Discussion