Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Isakmp identity - Cisco ASA

Hello everybody.

Two questions about Identity in IPSec Lan-to-Lan tunnels.

We have GreenBow and Shrew VPN clients. In their configurations, you can specify Peer ID as IP Address, and you can write the IP Address you want, it didn't take the IP Address from outbound interface. The current VPN terminator too supports this feature. Problem comes because we're installing a Cisco ASA as the new VPN terminator and we see that:

- You can configure identity to use IP Address: crypto isakmp identity address. Then we can't specify an IP address, can we?.

- Could we "skip" this Identity checking during tunnel establishment anyway?

Thank you very much.

Everyone's tags (1)
2 REPLIES

Hi Rodriguez, Even though if

Hi Rodriguez,

 

Even though if you give no crypto isakmp identity address, the default value would be considered i.e. auto. But if you want to make it to a different interface then you can specify the required interface...

 

crypto isakmp/ikevx enable <interface name>

 

Regards

Karthik

Silver

Hi,Yes, On ASA you can not

Hi,

Yes, On ASA you can not specify the ip address in this command, but if you give this command ,identity is checked based on ip address of peer exchanging the ISAKMP identity information.

By default,

"crypto isakmp identity auto" is configured on ASA. So if you are using Pre-shared keys, it will check the peer ip address, if you use certificate authentication it will check Cert Distinguished Name for certificate authentication.

So you can skip this command

 

HTH

240
Views
0
Helpful
2
Replies