Two questions about Identity in IPSec Lan-to-Lan tunnels.
We have GreenBow and Shrew VPN clients. In their configurations you can specify the Peer ID as an IP address, and you can write whatever IP address you want; it doesn't take the IP address from the outbound interface. The current VPN terminator supports this feature too. The problem comes because we're installing a Cisco ASA as the new VPN terminator and we see that:
- You can configure the identity to use the IP address: crypto isakmp identity address. Then we can't specify an IP address, can we?
- Could we "skip" this identity checking during tunnel establishment anyway?
Even if you give no crypto isakmp identity address, the default value is considered, i.e. auto. But if you want to make it use a different interface, then you can specify the required interface...
Yes, on the ASA you cannot specify the IP address in this command, but if you give this command, identity is checked based on the IP address of the peer exchanging the ISAKMP identity information.
"crypto isakmp identity auto" is configured on the ASA. So if you are using pre-shared keys, it will check the peer IP address; if you use certificate authentication, it will check the certificate Distinguished Name.
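To make the point of the answers above concrete, here is an added ASA configuration fragment (not posted by anyone in the thread). It assumes ASA 8.4+ IKEv1 syntax; the peer address 203.0.113.5 and the pre-shared key are constructed placeholders.

```cisco
! Added example (not from the thread). Peer address and key are placeholders.
! Send the interface's own IP address as the ISAKMP identity. There is no
! operand for an arbitrary address: the identity is always the outside
! interface's address, so the GreenBow/Shrew client must expect that address
! as the remote Peer ID.
crypto isakmp identity address
!
! With pre-shared keys, the ASA matches the peer's identity (its source IP)
! against the tunnel-group name, so the L2L tunnel group is named after the
! remote peer's address. Identity checking is not skipped; a mismatch means
! no tunnel group is found and Phase 1 fails.
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-PLACEHOLDER
!
! Verify which identity the peer presented and that Phase 1 reached MM_ACTIVE.
show crypto isakmp sa
```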