Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
549
Views
0
Helpful
1
Replies

FQDN work around for DHCP remotes in IOS 12.2 ?

John_in_NZ
Level 1
Level 1

‎11-08-2013 10:45 AM

I have a pre-shared key VPN system consisting of a 3725 hub with a public IP and several 2600 remotes, where each remote is behind ISP infrastructure served with non-routable DHCP supplied addresses.  All works well with the static public IP of the hub stored in the remote configs but I’m trying to migrate the remotes to a new config based on the FQDN of the hub to allow a future hub address change without having to visit every remote. 

The problem is that the remotes are old and memory constrained, they are currently at or about IOS 12.2 (27). I have tried to implement ‘Real-Time Resolution for IPsec Tunnel Peer’ ie:

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp key <key> hostname abc.xyz.com

!

crypto ipsec transform-set TS esp-des esp-md5-hmac

!

crypto map vpn-to-hub 10 ipsec-isakmp

set peer abc.xyz.com dynamic

set transform-set TS

set pfs group2

match address 101

While the old IOS accepts the crypto isakmp statement with the FQDN, it will not accept the keyword ‘dynamic’ in the set peer line.  Leaving out the dynamic qualifier causes the IOS to immediately resolve abc.xyz.com into an IP address during the config and simply store the IP address. The remotes have DHCP client functionality implemented and a DNS nominated.  The hub is FQDN resolvable.

I do not have the budget to replace the remote routers and their memory is too small to upgrade the IOS, so any work around suggestions would be appreciated.

Thanks, John

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎11-09-2013 12:46 AM

this is one of the typical scenarios where the authentication is better done with digital certificates. Another solution that will technically work but is not a best practice, is the usage of wildcard pre-shared-keys.
And a third solution. With these old routers, you can also do the authentication with rsa-encryption.


Sent from Cisco Technical Support iPad App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents