Cisco Support Community

New Member

ASA more than one pre-shared with dynamic crypto map

Hi, how can I have more than one pre-shared key for a dynamic crypto map on an ASA?

I need a different pre-shared key, one for every hub router.

thanks

7 REPLIES

Re: ASA more than one pre-shared with dynamic crypto map

This is not possible - you can only have 1 dynamic L2L profile with 1 PSK.

HTH

New Member

Re: ASA more than one pre-shared with dynamic crypto map

Thank you. Is that limit still present in ASA 8.2(1)?

Bronze

Re: ASA more than one pre-shared with dynamic crypto map

In dynamic L2L configurations, the DefaultL2LGroup is used to bind the pre-shared key to the unknown initiator IPs.

Only one pre-shared key can be set in the DefaultL2LGroup.

This behavior is the same in 7.x and 8.x code.

New Member

Re: ASA more than one pre-shared with dynamic crypto map

Hi, I'm trying to identify the peer with the name instead of the IP.

So I could bind each remote peer's name to a tunnel group.

Cisco Employee

Re: ASA more than one pre-shared with dynamic crypto map

You could try using "crypto isakmp identity hostname" on the dynamic ASAs, and make sure the name matches up with the tunnel-group name.

If the IPs are not changing on the dynamic hosts, you could use the IP in the tunnel-group as well, to see if it lands on the TG correctly.

To see what the ASA is doing, enable debugs:

debug cry isa 200

debug cry ips 200

Re: ASA more than one pre-shared with dynamic crypto map

Preshared keys no longer work when hostname is sent as the identity; thus, hostname as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail.

If "crypto isakmp identity hostname" is configured as the identity, the preshared key must be configured with the peer's IP address for the process to work.

HTH

Bronze

Re: ASA more than one pre-shared with dynamic crypto map

ISAKMP identity hostnames CAN be used with pre-shared keys, both in aggressive and main mode. However, you can only identify the pre-shared key by IP address when using main mode since the ID info is sent in the last encrypted main-mode exchange.

If the remote client is able to initiate the IKE Phase 1 negotiation in aggressive mode, you would theoretically be able to use the ISAKMP identity hostname to identify the pre-shared key. This is the basis of all remote-access IPSEC VPNs on both the PIX and ASA.

Now, whether or not the ASA will support this type of configuration is another story. I've never tested this type of config; however, it would be theoretically possible as defined by the IKE RFC.
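The two replies above disagree on whether a hostname identity can select a pre-shared key, and the difference comes down to when the ID payload becomes visible to the responder. The following Python model, added here as an illustration and not code from the thread, from Cisco, or from any real IKE implementation, shows why: in main mode the ID payload travels in the last, encrypted exchange, and decrypting it already requires SKEYID, which is derived from the pre-shared key (RFC 2409, section 5.4), so a responder with an unknown source IP can only fall back to its single DefaultL2LGroup key; in aggressive mode the ID is in the first message in the clear, so a per-peer key can be chosen by name. The key tables, peer names, addresses and nonces are constructed, and the "encryption" is a toy keystream plus HMAC that stands in for the real SKEYID-derived keys.

```python
import hashlib
import hmac

# Constructed responder key tables (hypothetical names and addresses).
PSK_BY_IP = {"203.0.113.10": b"static-peer-key"}      # statically addressed L2L peers
PSK_BY_NAME = {"hub1.example": b"hub1-key",           # per-hub keys the asker wants
               "hub2.example": b"hub2-key"}
DEFAULT_L2L_PSK = b"default-l2l-key"                  # the single DefaultL2LGroup key


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 5.4 for PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    # Nothing encrypted in the exchange can be read before the PSK is known.
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def seal(key: bytes, data: bytes) -> bytes:
    # Toy confidentiality + integrity: XOR with a hash-derived keystream, then an HMAC tag.
    stream = hashlib.sha256(key + b"stream").digest()
    body = bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the key does not match (authentication fails).
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(body))


def responder_psk(mode: str, peer_ip: str, clear_id=None) -> bytes:
    # Main mode: the ID arrives encrypted (messages 5/6), so the responder can only
    # key on the source IP and falls back to the DefaultL2LGroup key for unknown
    # (dynamic) addresses. Aggressive mode: the ID is in message 1, in the clear,
    # so a per-peer key can be selected by name before any decryption happens.
    if mode == "aggressive" and clear_id in PSK_BY_NAME:
        return PSK_BY_NAME[clear_id]
    return PSK_BY_IP.get(peer_ip, DEFAULT_L2L_PSK)


def negotiate(mode: str, peer_ip: str, identity: str, initiator_psk: bytes) -> bool:
    # Simulates one Phase 1 exchange and reports whether the responder could
    # authenticate the initiator's ID payload with the key it selected.
    ni, nr = b"initiator-nonce", b"responder-nonce"   # constructed, fixed nonces
    id_blob = seal(skeyid(initiator_psk, ni, nr), identity.encode())
    chosen = responder_psk(mode, peer_ip, identity if mode == "aggressive" else None)
    return open_sealed(skeyid(chosen, ni, nr), id_blob) == identity.encode()


if __name__ == "__main__":
    dyn_ip = "198.51.100.7"   # a hub router on a dynamic address, absent from PSK_BY_IP
    print("main mode, per-hub key:    ", negotiate("main", dyn_ip, "hub1.example", b"hub1-key"))
    print("main mode, DefaultL2L key: ", negotiate("main", dyn_ip, "hub1.example", DEFAULT_L2L_PSK))
    print("aggressive, per-hub key:   ", negotiate("aggressive", dyn_ip, "hub1.example", b"hub1-key"))
    print("aggressive, unknown name:  ", negotiate("aggressive", dyn_ip, "hub9.example", b"hub1-key"))
```

The model reproduces both observations in the thread: a main-mode peer on an unknown IP authenticates only with the DefaultL2LGroup key, whatever identity it sends, while a per-peer key can be matched by name only when the exchange is aggressive mode. Whether a given ASA release accepts that aggressive-mode L2L configuration is exactly the open question the last reply leaves, and the model says nothing about it.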
