
Real-Time Resolution for IPSec Tunnel Peer

remi-reszka
Level 1

Hi,

There is a document on the Cisco website

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrlres.html

explaining that while configuring a static crypto map and peers, instead of a peer IP address we can specify an FQDN followed by the "dynamic" command. I have been trying this option and no luck. My VPN endpoints (routers 2611XM and 831) do resolve each other's names with a DNS server, but when it comes to applying crypto maps to the interfaces I get the following error message:

ISAKMP: callback: no SA found for 0.0.0.0/0.0.0.0 [vrf 0]

So to speak, no SAs are being established and the IPSec tunnel fails to come up.

Anybody tried that and had the same problem? I'd appreciate your help on that.

Thanks,

Remi

1 Accepted Solution

Accepted Solutions

ovt
Level 4

What authentication method do you use? If you use "pre-share" you still cannot use "cry isa key ... name ..." even if the DNS resolves this to an IP address. This is a feature of the IKE MM. So, use certs instead.
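Why Main Mode with pre-shared keys ties the key to the peer address, as an added example that is not part of the original reply or of Cisco's code: per RFC 2409 the key that encrypts the ID payload in message 5 is derived from the pre-shared key, so the responder has to choose the key before it can read the peer's name. The lookup tables, addresses, hostnames, exchange values and the toy `seal`/`unseal` cipher are constructed for illustration, and HMAC-SHA1 is assumed as the negotiated prf.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf; HMAC-SHA1 assumed as the negotiated hash."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    """Key material protecting Main Mode messages 5 and 6 (RFC 2409, section 5)."""
    skeyid = prf(psk, ni + nr)          # pre-shared key mode: prf(PSK, Ni_b | Nr_b)
    tail = gxy + cky_i + cky_r
    d = prf(skeyid, tail + b"\x00")
    a = prf(skeyid, d + tail + b"\x01")
    return prf(skeyid, a + tail + b"\x02")

def seal(key, plaintext):
    """Toy stand-in for the negotiated cipher: XOR keystream plus a short tag (max 32 bytes)."""
    stream = hashlib.sha256(key).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct + prf(key, ct)[:8]

def unseal(key, blob):
    ct, tag = blob[:-8], blob[-8:]
    if not hmac.compare_digest(tag, prf(key, ct)[:8]):
        return None                     # wrong key: payload is unreadable
    stream = hashlib.sha256(key).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))

# Constructed sample values (not from the thread)
EXCH = dict(ni=b"N-init", nr=b"N-resp", gxy=b"dh-shared",
            cky_i=b"CKY-I..1", cky_r=b"CKY-R..1")
PSK_BY_ADDRESS = {"192.0.2.10": b"key-for-hq"}
PSK_BY_HOSTNAME = {"branch.example.test": b"key-for-branch"}

def initiator_msg5(psk, identity):
    """Initiator side: ID payload encrypted under the PSK-derived key."""
    return seal(skeyid_e(psk, **EXCH), identity.encode())

def responder_read_id(src_ip, msg5):
    """Responder side: the PSK must be selected before the ID can be decrypted."""
    psk = PSK_BY_ADDRESS.get(src_ip)    # source IP is the only peer identifier known yet
    if psk is None:
        return None                     # the hostname-keyed entry cannot be reached here
    clear = unseal(skeyid_e(psk, **EXCH), msg5)
    return clear.decode() if clear else None
```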


Exactly, I was using pre-share key authentication. I am in the process of deploying certs to see how it's gonna work.

Thanks for your help.

Remi