We have been using Cisco PIXs for more than 5 years now, and VPN tunnels have been part of many configurations through time. Now I finally got brave enough and upgraded a PIX to PIX OS 7.0.2 from 6.3(5).
It was a mess to change the configuration (ISAKMP/crypto), and I stumbled upon a strange thing in the process, which caused me a headache of half an hour before solving it.
The tunnel-groups are used to specify a host and a pre-shared key for ISAKMP negotiation. But the tunnel-group NEEDS to have a name that matches the peer IP address; is there no way to get the config to display the peer's NAME instead of the IP address?
I would like to write:
name 220.127.116.11 Paris
tunnel-group Paris type ipsec-l2l
tunnel-group Paris ipsec-attributes
But the tunnel-group command doesn't understand NAMES, so I have to write:
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
Can you tell me why this is so? I was getting used to using names (very neat when you have loooong configurations).
I hope for an answer, or maybe this should be brought to TAC instead?
Re: PIX OS 7.0.2 - tunnel-groups cannot be names ?
Well, I guess the short answer is it has to be an IP address because that's all the developers added into the source code. It can be a name for anything other than an L2L tunnel; for an L2L tunnel specifically it has to be the peer's IP address, since this is what the code uses to search on for the attributes (pre-shared key, etc.). There is no code in the PIX that says, if it's a name, go and search for a matching "name ..." command and use that IP address to search on.
If you want the ability to add a name in here instead of the IP address then it will have to be logged as a feature request, a bug submitted and the code written to allow that. You can log the feature request by contacting your account team (not the TAC).
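The rule in the answer above (an ipsec-l2l tunnel-group is looked up by the peer's literal IP, so a `name` alias is rejected) can be checked mechanically before pasting a migrated 6.3 config into a 7.x box. This is an added example, not code from the thread or from Cisco: a small Python linter that resolves `name` aliases and rewrites only the l2l tunnel-group lines, leaving remote-access groups (where names are legal) alone. The sample config is constructed; `RemoteUsers` is a hypothetical remote-access group.

```python
import ipaddress
import re

# Constructed PIX 7.x style fragment modelled on the thread; "Paris" and the
# addresses are the post's example values, "RemoteUsers" is hypothetical.
SAMPLE_CONFIG = """\
name 220.127.116.11 Paris
tunnel-group Paris type ipsec-l2l
tunnel-group Paris ipsec-attributes
 pre-shared-key *
tunnel-group RemoteUsers type ipsec-ra
tunnel-group 18.104.22.168 type ipsec-l2l
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)\s*$")
TG_RE = re.compile(r"^(tunnel-group\s+)(\S+)(\s+\S.*)$")


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_names(config):
    """Collect 'name <ip> <alias>' entries into {alias: ip}."""
    return {m.group(2): m.group(1)
            for m in map(NAME_RE.match, config.splitlines()) if m}


def find_named_l2l_groups(config):
    """Return (line_no, alias, resolved_ip_or_None) for every tunnel-group line
    of an ipsec-l2l group keyed by a name instead of an IP address.
    Remote-access groups are skipped because names are valid there."""
    names = parse_names(config)
    lines = config.splitlines()
    l2l = {m.group(2) for m in map(TG_RE.match, lines)
           if m and m.group(3).split()[:2] == ["type", "ipsec-l2l"]}
    return [(n, m.group(2), names.get(m.group(2)))
            for n, m in enumerate(map(TG_RE.match, lines), 1)
            if m and m.group(2) in l2l and not is_ip(m.group(2))]


def rewrite_l2l_groups(config):
    """Emit the form the PIX accepts: each flagged alias is replaced by the IP
    from its 'name' entry; aliases with no 'name' entry are left untouched."""
    names = parse_names(config)
    targets = {alias for _, alias, ip in find_named_l2l_groups(config) if ip}
    out = []
    for line in config.splitlines():
        m = TG_RE.match(line)
        if m and m.group(2) in targets:
            line = m.group(1) + names[m.group(2)] + m.group(3)
        out.append(line)
    return "\n".join(out) + "\n"
```

Run `find_named_l2l_groups(SAMPLE_CONFIG)` to see which lines the PIX would reject, and `rewrite_l2l_groups(SAMPLE_CONFIG)` for the address-keyed form; the `name` line is kept so the alias still shows up elsewhere in the config.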