I have a pre-shared key VPN system consisting of a 3725 hub with a public IP and several 2600 remotes, where each remote is behind ISP infrastructure served with non-routable DHCP supplied addresses. All works well with the static public IP of the hub stored in the remote configs but I’m trying to migrate the remotes to a new config based on the FQDN of the hub to allow a future hub address change without having to visit every remote.
The problem is that the remotes are old and memory constrained; they are currently at or about IOS 12.2(27). I have tried to implement ‘Real-Time Resolution for IPsec Tunnel Peer’, i.e.:
While the old IOS accepts the crypto isakmp statement with the FQDN, it will not accept the keyword ‘dynamic’ in the set peer line. Leaving out the dynamic qualifier causes the IOS to immediately resolve abc.xyz.com into an IP address during the config and simply store the IP address. The remotes have DHCP client functionality implemented and a DNS nominated. The hub is FQDN resolvable.
I do not have the budget to replace the remote routers and their memory is too small to upgrade the IOS, so any work around suggestions would be appreciated.
Re: FQDN work around for DHCP remotes in IOS 12.2 ?
This is one of the typical scenarios where the authentication is better done with digital certificates. Another solution that will technically work but is not a best practice is the use of wildcard pre-shared keys. And a third solution: with these old routers, you can also do the authentication with rsa-encryption.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
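To make the reply's first two options concrete, here is an added hub-side IOS configuration sketch (not from the thread or from Cisco) contrasting a wildcard pre-shared key with certificate authentication. Names such as `HUB-WILDCARD-PSK`, `VPN-CA`, `ca.example.com`, `hub.example.com` and `TS` are placeholders, and the `crypto pki` spelling assumes a 12.3/12.4-era image (older 12.2 images use `crypto ca trustpoint`).

```ios
! --- Option A: wildcard pre-shared key (works for DHCP remotes, but weak) ---
! The 0.0.0.0 0.0.0.0 mask accepts any peer address that presents this one
! secret, so the hub cannot tell remotes apart and a single leaked key
! (e.g. from one stolen 2600) authenticates an attacker as any spoke.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key 0 HUB-WILDCARD-PSK address 0.0.0.0 0.0.0.0
!
! --- Option B: digital certificates (the reply's recommended path) ---
! Each router enrols with the CA named by the placeholder trustpoint; IKE
! then uses rsa-sig, so authentication is per-device and independent of the
! remote's changing address or the hub's FQDN.  A compromised spoke is
! handled by revoking its certificate rather than re-keying every router.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
crypto pki trustpoint VPN-CA
 enrollment url http://ca.example.com:80
 subject-name CN=hub.example.com
 revocation-check crl
! one-time steps after the trustpoint exists:
!   crypto pki authenticate VPN-CA
!   crypto pki enroll VPN-CA
!
! Hub accepts spokes with unknown addresses via a dynamic crypto map
! (same for either option; TS is an assumed transform set name).
crypto dynamic-map DYN 10
 set transform-set TS
crypto map VPN 10 ipsec-isakmp dynamic DYN
```

The two `crypto isakmp policy 10` stanzas are alternatives, not both at once; pick one authentication method per policy.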