
New Member

isakmp authentication problem using hostname instead of address

Hello all,

I'm having a problem trying to use a hostname in the isakmp authentication instead of an address.

Currently I'm authenticating using crypto isakmp key XXXXXXX address xxx.xxx.xxx.xxx, now instead of using the address I tried to setup a DNS entry to our DNS provider and use a hostname.

********** Router config **************
ip domain-name dns.com
ip name-server <Primary DNS address>
ip name-server <Secondary DNS address>
ip domain-lookup
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key XXXXXXXX hostname dnsname.dns.com
***************************************

I can ping the name and it resolves to the proper IP address. If I trace the route they both correspond to the same number of hops.

Why does it work with the address and not the hostname?

At the moment there are no ACL's on the router. The other router that I'm authenticating with does have ACL's up.

Thanks

4 REPLIES
Silver

Re: isakmp authentication problem using hostname instead of addr

Are you using the crypto isakmp identity hostname command? Check the command reference and the example below.

command

http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_command_summary_chapter09186a00800eeaf5.html#5661

example

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094353.shtml

Hope this helps.

Steve

New Member

Re: isakmp authentication problem using hostname instead of addr

Thanks for the reply,

I tried adding the:

crypto isakmp identity hostname

Still no luck. It works when I have the crypto isakmp address but as soon as I remove it and reload it won't sa.

Any other suggestions?

Here's the config again:

********************************************
ip domain-name domain.ca
ip name-server 24.xxx.xxx.1
ip name-server 24.xxx.xxx.1
!
ip dhcp pool dynamic
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group 2
 request-dialin
  protocol pppoe
!
chat-script default ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" ATDT\T" TIMEOUT 60 CONNECT \c
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ABCDEFG address 24.xxx.xxx.12
crypto isakmp key ABCDEFG hostname isakmp1.domain.ca
crypto isakmp identity hostname
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map POS 20 ipsec-isakmp
 description **** CONNECTION TO PRIMARY 7140 ****
 set peer 24.xxx.xxx.12
 set transform-set STRONG
 match address ACL-CRYPTO-AMQUEST
**********************************************

Thanks!

Silver

Re: isakmp authentication problem using hostname instead of addr

The end you are connecting to needs to have the crypto isakmp identity hostname command. Is there any way you can verify the config on the remote end?

Steve

New Member

Re: isakmp authentication problem using hostname instead of addr

The remote is a Concentrator with multiple VPN connections. If I add the cry isa hostname to the remote will all the other routers drop the VPN tunnel because they all currently use the address to authenticate?

************* Remote Router ******************
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key ABCDEFG address 64.xxx.xxx.12
crypto isakmp key HIJKLMN address 64.xxx.xxx.13
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map ROUTER 534 ipsec-isakmp
 description **** CONNECTION TO ROUTER-534 ****
 set peer 64.xxx.xxx.12
 set transform-set STRONG
 match address ACL-ROUTER-534
!
!
crypto map ROUTER 535 ipsec-isakmp
 description **** CONNECTION TO ROUTER-535 ****
 set peer 64.xxx.xxx.13
 set transform-set STRONG
 match address ACL-ROUTER-535
!
!
ip access-list extended ACL-ROUTER-534
 permit ip 10.0.0.0 0.0.0.255 10.222.22.0 0.0.0.255
!
!
ip access-list extended ACL-ROUTER-535
 permit ip 10.0.0.0 0.0.0.255 10.222.33.0 0.0.0.255
!

Thanks!
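
The check suggested in the replies above (a key entered by hostname only matches when the other end has crypto isakmp identity hostname), written out as an added example that is not code from this thread or from Cisco. It assumes the IOS default identity is address and that the hostname identity is the device hostname joined with ip domain-name; the device names, example.net, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re

# Constructed sample configs: names, domain and address are placeholders.
BRANCH = """\
hostname branch1
ip domain-name example.net
crypto isakmp key PLACEHOLDER hostname hub1.example.net
crypto isakmp identity hostname
"""
HUB = """\
hostname hub1
ip domain-name example.net
crypto isakmp key PLACEHOLDER address 192.0.2.10
"""

# Captures (address|hostname, peer) from each pre-shared key line.
KEY_RE = re.compile(r"^crypto isakmp key .+? (address|hostname) (\S+)", re.M)

def first(pattern, cfg):
    """Return group 1 of the first line matching pattern, or None."""
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Pull the ISAKMP identity facts out of one config snippet."""
    host = first(r"^hostname (\S+)", cfg)
    domain = first(r"^ip domain-name (\S+)", cfg)
    return {
        "fqdn": f"{host}.{domain}" if host and domain else host,
        # No identity command present means the default, address.
        "identity": first(r"^crypto isakmp identity (\S+)", cfg) or "address",
        "keys": KEY_RE.findall(cfg),
    }

def check(local_cfg, peer_cfg):
    """List hostname-keyed entries in local_cfg that peer_cfg cannot match."""
    local, peer = parse(local_cfg), parse(peer_cfg)
    findings = []
    for kind, name in local["keys"]:
        if kind != "hostname":
            continue
        if peer["identity"] != "hostname":
            findings.append(f"{name}: peer identifies by {peer['identity']}")
        elif (peer["fqdn"] or "").lower() != name.lower():
            findings.append(f"{name}: peer presents {peer['fqdn']}")
    return findings

if __name__ == "__main__":
    for line in check(BRANCH, HUB):
        print("MISMATCH", line)
```

Run it in both directions, since each router's key entries are checked against the identity the other router presents.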
