FQDN work around for DHCP remotes in IOS 12.2 ?

I have a pre-shared key VPN system consisting of a 3725 hub with a public IP and several 2600 remotes, where each remote is behind ISP infrastructure served with non-routable DHCP supplied addresses.  All works well with the static public IP of the hub stored in the remote configs but I’m trying to migrate the remotes to a new config based on the FQDN of the hub to allow a future hub address change without having to visit every remote. 

The problem is that the remotes are old and memory constrained; they are currently at or about IOS 12.2(27). I have tried to implement ‘Real-Time Resolution for IPsec Tunnel Peer’, i.e.:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key <key> hostname abc.xyz.com
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto map vpn-to-hub 10 ipsec-isakmp
 set peer abc.xyz.com dynamic
 set transform-set TS
 set pfs group2
 match address 101

While the old IOS accepts the crypto isakmp statement with the FQDN, it will not accept the keyword ‘dynamic’ in the set peer line.  Leaving out the dynamic qualifier causes the IOS to immediately resolve abc.xyz.com into an IP address during the config and simply store the IP address. The remotes have DHCP client functionality implemented and a DNS nominated.  The hub is FQDN resolvable.

I do not have the budget to replace the remote routers and their memory is too small to upgrade the IOS, so any work around suggestions would be appreciated.

Thanks, John
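Because the old IOS stores only the address it resolved when "set peer" was entered, a hub address change leaves every remote pointing at a stale peer. The following check, added here as an example and not part of the original post, parses the peer values out of a remote's running config and flags any literal address that no longer matches what the hub FQDN resolves to; the sample config and the DNS lookup table are constructed so it runs offline.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of what an IOS 12.2 remote keeps after
# "set peer abc.xyz.com" is entered without the dynamic keyword:
# the name is resolved once and only the address is stored.
SAMPLE_RUNNING_CONFIG = """\
crypto isakmp key <key> hostname abc.xyz.com
!
crypto map vpn-to-hub 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set pfs group2
 match address 101
"""

# Constructed stand-in for DNS so the example runs offline.
# In use, replace with socket.gethostbyname_ex() against the
# DNS server the remotes are configured with.
DNS_FIXTURE: Dict[str, List[str]] = {"abc.xyz.com": ["203.0.113.20"]}

PEER_RE = re.compile(r"^\s*set peer\s+(\S+)", re.MULTILINE)


def stored_peers(running_config: str) -> List[str]:
    """Return every 'set peer' value found in the crypto map entries."""
    return PEER_RE.findall(running_config)


def stale_peers(running_config: str, hub_fqdn: str,
                resolve: Optional[Callable[[str], List[str]]] = None) -> List[str]:
    """Return stored peer addresses that no longer match the hub FQDN.

    A peer still stored as the FQDN itself is skipped: it will be
    resolved when the tunnel is built, so it cannot go stale.
    """
    resolve = resolve or (lambda name: DNS_FIXTURE.get(name, []))
    current = set(resolve(hub_fqdn))
    return [peer for peer in stored_peers(running_config)
            if peer != hub_fqdn and peer not in current]


if __name__ == "__main__":
    for peer in stale_peers(SAMPLE_RUNNING_CONFIG, "abc.xyz.com"):
        print(f"stale peer {peer}: hub FQDN no longer resolves to it")
```

Run it against each remote's saved running config after a hub address change to list which routers still need a config update.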


Re: FQDN work around for DHCP remotes in IOS 12.2 ?

This is one of the typical scenarios where the authentication is better done with digital certificates. Another solution that will technically work but is not a best practice is the usage of wildcard pre-shared keys.
And a third solution: with these old routers, you can also do the authentication with rsa-encryption.
