2092 Views, 0 Helpful, 4 Replies

isakmp authentication problem using hostname instead of address

c0ppernic (Level 1)

Hello all,

I am having a problem trying to use a hostname in the isakmp authentication instead of an address.

Currently I'm authenticating using crypto isakmp key XXXXXXX address xxx.xxx.xxx.xxx. Now, instead of using the address, I tried to set up a DNS entry with our DNS provider and use a hostname.

********** Router config **************
ip domain-name dns.com
ip name-server <Primary DNS address>
ip name-server <Secondary DNS address>
ip domain-lookup
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key XXXXXXXX hostname dnsname.dns.com
***************************************

I can ping the name and it resolves to the proper IP address. If I trace the route they both correspond to the same number of hops.

Why does it work with the address and not the hostname?

At the moment there are no ACLs on the router. The other router that I'm authenticating with does have ACLs up.

Thanks

4 Replies

stomasko (Level 4)

Are you using the crypto isakmp identity hostname command? Check the command reference and the example below.

Command: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_summary_chapter09186a00800eeaf5.html#5661

Example: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094353.shtml

Hope this helps.

Steve

Thanks for the reply,

I tried adding the:

crypto isakmp identity hostname

Still no luck. It works when I have the crypto isakmp address but as soon as I remove it and reload it won't sa.

Any other suggestions?

Here's the config again:

********************************************
ip domain-name domain.ca
ip name-server 24.xxx.xxx.1
ip name-server 24.xxx.xxx.1
!
ip dhcp pool dynamic
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol pppoe
!
chat-script default ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATDT\T" TIMEOUT 60 CONNECT \c
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ABCDEFG address 24.xxx.xxx.12
crypto isakmp key ABCDEFG hostname isakmp1.domain.ca
crypto isakmp identity hostname
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map POS 20 ipsec-isakmp
 description **** CONNECTION TO PRIMARY 7140 ****
 set peer 24.xxx.xxx.12
 set transform-set STRONG
 match address ACL-CRYPTO-AMQUEST
**********************************************

Thanks!

The end you are connecting to needs to have the crypto isakmp identity hostname command. Is there any way you can verify the config on the remote end?

Steve

The remote is a Concentrator with multiple VPN connections. If I add the cry isa hostname to the remote will all the other routers drop the VPN tunnel because they all currently use the address to authenticate?

************* Remote Router ******************
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ABCDEFG address 64.xxx.xxx.12
crypto isakmp key HIJKLMN address 64.xxx.xxx.13
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map ROUTER 534 ipsec-isakmp
 description **** CONNECTION TO ROUTER-534 ****
 set peer 64.xxx.xxx.12
 set transform-set STRONG
 match address ACL-ROUTER-534
!
crypto map ROUTER 535 ipsec-isakmp
 description **** CONNECTION TO ROUTER-535 ****
 set peer 64.xxx.xxx.13
 set transform-set STRONG
 match address ACL-ROUTER-535
!
ip access-list extended ACL-ROUTER-534
 permit ip 10.0.0.0 0.0.0.255 10.222.22.0 0.0.0.255
!
ip access-list extended ACL-ROUTER-535
 permit ip 10.0.0.0 0.0.0.255 10.222.33.0 0.0.0.255
!

Thanks!
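To make the mismatch Steve is pointing at concrete, here is an added Python check (not from this thread or from Cisco) that replays the responder's pre-shared-key lookup against the crypto isakmp key lines posted above: the responder can only find a key whose type (address or hostname) matches the identity the initiator is configured to send. The initiator's own address 64.xxx.xxx.12 and the Concentrator's address 24.xxx.xxx.12 are assumptions taken from the two set peer lines; the xxx placeholders are kept as posted.

```python
import re

# Key and identity lines constructed from the two configs posted in this thread.
LOCAL_CFG = """
crypto isakmp key ABCDEFG address 24.xxx.xxx.12
crypto isakmp key ABCDEFG hostname isakmp1.domain.ca
crypto isakmp identity hostname
"""
REMOTE_CFG = """
crypto isakmp key ABCDEFG address 64.xxx.xxx.12
crypto isakmp key HIJKLMN address 64.xxx.xxx.13
"""

KEY_RE = re.compile(r"^crypto isakmp key (\S+) (address|hostname) (\S+)")
ID_RE = re.compile(r"^crypto isakmp identity (address|hostname|dn)\b")


def parse(cfg):
    """Return (identity_type, {(type, value): key}) for one router's config.
    IOS sends the interface address as identity when no identity line exists."""
    keys, ident = {}, "address"
    for line in cfg.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            keys[(m.group(2), m.group(3))] = m.group(1)
            continue
        m = ID_RE.match(line)
        if m:
            ident = m.group(1)
    return ident, keys


def check_psk_lookup(initiator_cfg, initiator_addr, initiator_host, responder_cfg):
    """Simulate the responder's key lookup for the identity the initiator sends.
    initiator_addr / initiator_host are the values the initiator would put in
    its ID payload (assumed here, not read from the config). Returns (ok, msg)."""
    ident, _ = parse(initiator_cfg)
    _, resp_keys = parse(responder_cfg)
    if ident not in ("address", "hostname"):
        return False, "identity type %s has no pre-shared key form" % ident
    sent = ("hostname", initiator_host) if ident == "hostname" else ("address", initiator_addr)
    if sent in resp_keys:
        return True, "responder has a %s-keyed entry for %s" % sent
    have = ", ".join(sorted("%s %s" % k for k in resp_keys))
    return False, "responder has no key for %s %s; it only has: %s" % (sent[0], sent[1], have)
```

Running both directions reproduces the thread: the Concentrator-to-router lookup succeeds on the address key, while the router-to-Concentrator lookup fails because the remote only holds address-keyed entries and the router now identifies itself by hostname.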