ASA more than one pre-shared with dynamic crypto map

r.spiandorello
Level 1

Hi, how can I have more than one pre-shared key for a dynamic crypto map on an ASA?

I need a different pre-shared key, one for every hub router.

thanks

7 Replies

andrew.prince
Level 10

This is not possible: you can only have 1 dynamic L2L profile with 1 PSK.

HTH>

Thank you. Is that limit still present in ASA 8.2(1)?

Patrick0711
Level 3

In dynamic L2L configurations, the DefaultL2LGroup is used to bind the pre-shared key to the unknown initiator IPs.

Only one pre-shared key can be set in the defaultl2l group.

This behavior is the same in 7.x and 8.x code.

Hi, I'm trying to identify the peer with the name instead of the IP.

So, I could bind every name of remote peer with a tunnel group.

You could try using "crypto isakmp identity hostname" on the dynamic ASAs, and make sure the name matches up with the tunnel-group name.

If the IPs are not changing on the dynamic hosts, you could use the IP in the tunnel-group as well, to see if it lands on the TG correctly.

To see what the ASA is doing, enable debugs:

debug cry isa 200

debug cry ips 200

Preshared keys no longer work when hostname is sent as the identity; thus, hostname as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail.

If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work.

HTH>

ISAKMP identity hostnames CAN be used with pre-shared keys, both in aggressive and main mode. However, you can only identify the pre-shared key by IP address when using main mode since the ID info is sent in the last encrypted main-mode exchange.

If the remote client is able to initiate the IKE Phase 1 negotiation in aggressive mode, you would theoretically be able to use the ISAKMP identity hostname to identify the pre-shared key. This is the basis of all remote-access IPSEC VPNs on both the PIX and ASA.

Now, whether or not the ASA will support this type of configuration is another story. I've never tested this type of config, however, it would be theoretically possible as defined by the IKE RFC.
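The point made in the last two replies, that a main-mode responder has to pick a PSK by source IP before it can read the encrypted identity while aggressive mode carries the identity in the clear, can be modelled in a few lines. This is an added illustration, not code from the thread or from Cisco; the hostnames, addresses and keys are constructed, the prf is fixed to HMAC-SHA256, the cipher is a toy XOR stream, and HASH_I covers only the nonces and the ID payload rather than the full RFC 2409 input.

```python
import hashlib
import hmac
import os

# Constructed tables: per-hub keys bound to hostnames, one key bound to a fixed IP,
# and the single key an unknown IP falls back to (the DefaultL2LGroup behaviour).
PSK_BY_HOSTNAME = {"hub1.example.net": b"hub1-secret", "hub2.example.net": b"hub2-secret"}
PSK_BY_IP = {"203.0.113.10": b"hub1-secret"}
DEFAULT_L2L_PSK = b"shared-default-secret"

def skeyid(psk, ni, nr):
    # RFC 2409 section 5.4, PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()

def xor_stream(key, data):
    # Toy stream cipher standing in for the Phase 1 encryption; same call decrypts
    ks = hashlib.sha256(key + b"e").digest()
    return bytes(a ^ b for a, b in zip(data.ljust(32, b"\0"), ks))

def hash_i(key, ni, nr, id_payload):
    # Simplified HASH_I: the real one also covers g^xi, g^xr, the cookies and SAi_b
    return hmac.new(key, ni + nr + id_payload, hashlib.sha256).digest()

def initiator_msg5(psk, hostname, ni, nr):
    # Main mode message 5: IDii and HASH_I, both already under keys derived from the PSK
    k = skeyid(psk, ni, nr)
    return xor_stream(k, hostname.encode()), hash_i(k, ni, nr, hostname.encode())

def responder_main_mode(src_ip, ni, nr, msg5):
    # The responder must commit to a PSK before it can read IDii, so only the IP can select it
    k = skeyid(PSK_BY_IP.get(src_ip, DEFAULT_L2L_PSK), ni, nr)
    enc_id, h = msg5
    id_payload = xor_stream(k, enc_id).rstrip(b"\0")  # garbage if the wrong PSK was chosen
    return hmac.compare_digest(hash_i(k, ni, nr, id_payload), h)

def responder_aggressive_mode(hostname, ni, nr, h):
    # Aggressive mode message 1 carries IDii in the clear, so the PSK is chosen by hostname
    psk = PSK_BY_HOSTNAME.get(hostname)
    return psk is not None and hmac.compare_digest(hash_i(skeyid(psk, ni, nr), ni, nr, hostname.encode()), h)

def demo():
    ni, nr = os.urandom(16), os.urandom(16)
    return {
        # hub1 has a fixed IP, so its own key can be bound to that IP
        "main_fixed_ip": responder_main_mode("203.0.113.10", ni, nr, initiator_msg5(b"hub1-secret", "hub1.example.net", ni, nr)),
        # an unknown IP only works if it uses the one default key ...
        "main_default_key": responder_main_mode("198.51.100.7", ni, nr, initiator_msg5(DEFAULT_L2L_PSK, "hub2.example.net", ni, nr)),
        # ... a per-hub key fails even though the hostname inside message 5 is correct
        "main_own_key": responder_main_mode("198.51.100.7", ni, nr, initiator_msg5(b"hub2-secret", "hub2.example.net", ni, nr)),
        # aggressive mode: the same hub from the same unknown IP authenticates with its own key
        "aggressive_own_key": responder_aggressive_mode("hub2.example.net", ni, nr, hash_i(skeyid(b"hub2-secret", ni, nr), ni, nr, b"hub2.example.net")),
    }
```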
