Can't site-to-site VPN with host name on ASA 5505

tech.svcs
Level 1

I have a site-to-site VPN that works when using static IP. I tried to use host name instead and it can't connect. The remote side where I made the change is an ASA 5505. The local side is an ASA 5520.

On the remote 5505 I made it a DNS client on the outside interface to the ISP's DNS. The remote 5505 can resolve the host name of the 5520.

On the remote 5505 I re-created the connection profile using the host name for the 5520. When I applied it, the message displays "...L2L tunnel-groups that have names which are not an IP address may only be used if the tunnel authentication method is Digital Certificates and/or The peer is configured to use Aggressive Mode".

Since the IKE Negotiation options for Main or Aggressive mode are removed from the ASDM GUI, I assume the 5505 is forced into Aggressive mode. On the local 5520 side I changed the connection profile for IKE Negotiation to Aggressive mode (not sure if that was necessary).

When I ping from a host on the remote 5505 side I see this message on the 5505:

IKE Initiator unable to find policy: Intf NP Identity Ifc, inside, Src: 172.16.201.20, Dst: 192.168.1.50

I've deleted and re-created the profile, rebooted the 5505, turned off PFS, nothing.

Anyone know what I'm missing?

And, is the above (using a host name instead of IP address) only possible using certificates?

Thx,

1 Reply

Ivan Martinon
Level 7

As the message says, only with digital certificates can you use names in the tunnel group, or with Aggressive mode; in the case of Aggressive mode it will only be used when the ASA is configured as an EZVPN client, in this case the remote ASA. If the configuration is for a LAN-to-LAN and it needs to be like that, you can only use certificates to use the name.
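As an added illustration (not part of either post above), here is what the certificate-based variant the reply describes looks like on the remote ASA 5505 in CLI form: the L2L tunnel-group is named by the 5520's hostname, authentication is rsa-sig instead of a pre-shared key, and a certificate map ties the 5520's certificate to that tunnel-group. Everything specific is assumed: the hostnames asa5520.example.com and asa5505.example.net, the trustpoint VPN-CA, the DNS server 203.0.113.53, the /24 subnets derived from the addresses in the log message, and ASA 8.4-or-later syntax (the ikev1 keywords). Both ASAs need certificates from a CA they both trust; only the 5505 side is shown.

```cisco
! --- Added example config for the remote ASA 5505 (hostnames, subnets, names all assumed) ---

! Resolve the 5520's hostname through the ISP DNS on the outside interface
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53

! Key pair and trustpoint so the 5505 can present its own certificate
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint VPN-CA
 enrollment terminal
 subject-name CN=asa5505.example.net
 keypair VPN-KEY
! paste the CA certificate, then the issued identity certificate, when prompted
crypto ca authenticate VPN-CA
crypto ca enroll VPN-CA

! IKEv1 phase 1 with certificate (rsa-sig) authentication; main mode is fine here
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
! send the certificate DN as the IKE identity when rsa-sig is in use
crypto isakmp identity auto

! L2L tunnel-group named by the peer's hostname: allowed because no pre-shared key is used
tunnel-group asa5520.example.com type ipsec-l2l
tunnel-group asa5520.example.com ipsec-attributes
 ikev1 trust-point VPN-CA

! Map the 5520's certificate (CN assumed) onto that tunnel-group instead of matching on peer IP
crypto ca certificate map L2L-MAP 10
 subject-name attr cn eq asa5520.example.com
tunnel-group-map enable rules
tunnel-group-map L2L-MAP 10 asa5520.example.com

! Phase 2 and the crypto map; the peer is referenced by hostname and resolved via DNS
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-ACL extended permit ip 172.16.201.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer asa5520.example.com
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set trustpoint VPN-CA
crypto map OUTSIDE-MAP interface outside

! Checks after bringing interesting traffic up
show crypto ikev1 sa
show crypto ipsec sa
debug crypto ikev1 127
```

The tunnel-group name does double duty here: with certificates it is selected by the certificate map rule, not by the peer's address, which is why the ASA permits a non-IP name. The "IKE Initiator unable to find policy" message in the question is what you see when interesting traffic hits a crypto map whose peer cannot be matched to a usable tunnel-group; with the map rules above the 5520's certificate supplies that match.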