02-25-2004 10:16 AM - edited 02-21-2020 10:09 AM
Hello all,
I'm having a problem trying to use a hostname in the isakmp authentication instead of an address.
Currently I'm authenticating using crypto isakmp key XXXXXXX address xxx.xxx.xxx.xxx, now instead of using the address I tried to setup a DNS entry to our DNS provider and use a hostname.
********** Router config **************
ip domain-name dns.com
ip name-server <Primary DNS address>
ip name-server <Secondary DNS address>
ip domain-lookup
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXXXXXX hostname dnsname.dns.com
***************************************
I can ping the name and it resolves to the proper IP address. If I trace the route they both correspond to the same number of hops.
Why does it work with the address and not the hostname?
At the moment there are no ACL's on the router. The other router that I'm authenticating with does have ACL's up.
Thanks
02-26-2004 06:03 AM
Are you using the crypto isakmp identity hostname command? Check the command reference and the example below.
command
example
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094353.shtml
Hope this helps.
Steve
03-01-2004 12:30 PM
Thanks for the reply,
I tried adding the:
crypto isakmp identity hostname
Still no luck. It works when I have the crypto isakmp
Any other suggestions?
Here's the config again:
********************************************
ip domain-name domain.ca
ip name-server 24.xxx.xxx.1
ip name-server 24.xxx.xxx.1
!
ip dhcp pool dynamic
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group 2
request-dialin
protocol pppoe
!
chat-script default ABORT ERROR ABORT BUSY ABORT "NO ANSWER" "" "ATDT\T" TIMEOUT 60 CONNECT \c
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key ABCDEFG address 24.xxx.xxx.12
crypto isakmp key ABCDEFG hostname isakmp1.domain.ca
crypto isakmp identity hostname
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map POS 20 ipsec-isakmp
description **** CONNECTION TO PRIMARY 7140 ****
set peer 24.xxx.xxx.12
set transform-set STRONG
match address ACL-CRYPTO-AMQUEST
**********************************************
Thanks!
03-02-2004 05:23 AM
The end you are connecting to needs to have the crypto isakmp identity hostname command. Is there any way you can verify the config on the remote end?
Steve
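The pairing described in the reply above, written as a config check. This is an added example, not part of any post in the thread. It assumes the IOS default identity is `address` and that `crypto isakmp identity hostname` sends the router's hostname joined with its `ip domain-name`; the hostnames and addresses in the sample configs are constructed.

```python
import re

def parse_isakmp(config):
    """Pull the statements that decide ISAKMP identity and key lookup."""
    info = {"hostname": None, "domain": None, "identity": "address", "keys": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"hostname (\S+)", line):
            info["hostname"] = m.group(1)
        elif m := re.fullmatch(r"ip domain[- ]name (\S+)", line):
            info["domain"] = m.group(1)
        elif m := re.fullmatch(r"crypto isakmp identity (\S+)", line):
            info["identity"] = m.group(1)
        elif m := re.fullmatch(r"crypto isakmp key (\S+) (address|hostname) (\S+)", line):
            info["keys"].append((m.group(2), m.group(3).lower(), m.group(1)))
    return info

def sent_fqdn(info):
    """Name sent with 'identity hostname': hostname joined with ip domain-name."""
    if info["hostname"] and info["domain"]:
        return (info["hostname"] + "." + info["domain"]).lower()
    return None

def check_hostname_keys(local_cfg, remote_cfg):
    """List why each hostname-type key on the local side would not match the peer."""
    local, remote = parse_isakmp(local_cfg), parse_isakmp(remote_cfg)
    problems = []
    for kind, peer, secret in local["keys"]:
        if kind != "hostname":
            continue  # address-type keys are matched on the peer's IP
        if remote["identity"] != "hostname":
            problems.append(f"{peer}: peer identity is '{remote['identity']}', not hostname")
        elif sent_fqdn(remote) != peer:
            problems.append(f"{peer}: peer identifies itself as {sent_fqdn(remote)}")
        if all(s != secret for _, _, s in remote["keys"]):
            problems.append(f"{peer}: peer has no key with the same secret")
    return problems

# Constructed sample configs (names and addresses are placeholders).
LOCAL = """hostname branch534
ip domain-name domain.ca
crypto isakmp key ABCDEFG hostname isakmp1.domain.ca
crypto isakmp identity hostname
"""
REMOTE_BEFORE = """hostname isakmp1
ip domain-name domain.ca
crypto isakmp key ABCDEFG address 198.51.100.12
"""
REMOTE_AFTER = REMOTE_BEFORE + "crypto isakmp identity hostname\n"
```
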
03-02-2004 08:26 AM
The remote is a Concentrator with multiple VPN connections. If I add the cry isa hostname to the remote will all the other routers drop the VPN tunnel because they all currently use the address to authenticate?
************* Remote Router ******************
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key ABCDEFG address 64.xxx.xxx.12
crypto isakmp key HIJKLMN address 64.xxx.xxx.13
!
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONG esp-3des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map ROUTER 534 ipsec-isakmp
description **** CONNECTION TO ROUTER-534 ****
set peer 64.xxx.xxx.12
set transform-set STRONG
match address ACL-ROUTER-534
!
!
crypto map ROUTER 535 ipsec-isakmp
description **** CONNECTION TO ROUTER-535 ****
set peer 64.xxx.xxx.13
set transform-set STRONG
match address ACL-ROUTER-535
!
!
ip access-list extended ACL-ROUTER-534
permit ip 10.0.0.0 0.0.0.255 10.222.22.0 0.0.0.255
!
!
ip access-list extended ACL-ROUTER-535
permit ip 10.0.0.0 0.0.0.255 10.222.33.0 0.0.0.255
!
Thanks!