IPSEC problem with pre-share/hostname

Discussion in 'Cisco' started by Can2002, Jan 17, 2007.

  1. Can2002

    Can2002 Guest

    I've been trying to create a more streamlined configuration for a 2851
    I'm using to establish IPSEC tunnels with a remote site that moves
    around.

    As part of this I wanted to change the allocation of pre-shared keys
    from using addresses to hostnames. To this end, I started by defining
    a hostname entry:

    ip host remote-host 1.2.3.4

    I then issued the following commands:

    no crypto isakmp key dunkin address 1.2.3.4
    crypto isakmp key dunkin hostname remote-host

    After doing this, the IPSEC tunnel stopped working until I carried out
    the following:

    no crypto isakmp key dunkin hostname remote-host
    crypto isakmp key dunkin address 1.2.3.4

    It appears as though the option of defining a pre-shared key for a
    hostname entry either doesn't work, or I've misunderstood what it does.
    I can obviously workaround this, but it stops my 'automated' IP change
    script from working.

    If anyone has any experience here, I'd appreciate comments...

    Cheers,
    Chris
    Can2002, Jan 17, 2007
    #1

  2. bradm330

    bradm330 Guest

    I believe the hostname command is meant to be a FQDN like
    vpn.someplace.com. And obviously for that to work, you have to have
    your router configured for DNS lookup

    On Jan 17, 12:24 pm, "Can2002" <> wrote:
    > I've been trying to create a more streamlined configuration for a 2851
    > I'm using to establish IPSEC tunnels with a remote site that moves
    > around.
    >
    > As part of this I wanted to change the allocation of pre-shared keys
    > from using addresses to hostnames. To this end, I started by defining
    > a hostname entry:
    >
    > ip host remote-host 1.2.3.4
    >
    > I then issued the following commands:
    >
    > no crypto isakmp key dunkin address 1.2.3.4
    > crypto isakmp key dunkin hostname remote-host
    >
    > After doing this, the IPSEC tunnel stopped working until I carried out
    > the following:
    >
    > no crypto isakmp key dunkin hostname remote-host
    > crypto isakmp key dunkin address 1.2.3.4
    >
    > It appears as though the option of defining a pre-shared key for a
    > hostname entry either doesn't work, or I've misunderstood what it does.
    > I can obviously workaround this, but it stops my 'automated' IP change
    > script from working.
    >
    > If anyone has any experience here, I'd appreciate comments...
    >
    > Cheers,
    > Chris
    bradm330, Jan 17, 2007
    #2

  3. Can2002

    Can2002 Guest

    bradm330 wrote:
    > I believe the hostname command is meant to be a FQDN like
    > vpn.someplace.com. And obviously for that to work, you have to have
    > your router configured for DNS lookup
    >


    Hi Brad,

    Thanks for that. I did some more searching and eventually found a
    Cisco document that suggested the following commands should work:

    On Central:

    crypto identity hostname
    crypto isakmp key keystring hostname remote.company.com
    ip host remote.company.com 1.2.3.4

    On Remote:

    crypto identity hostname
    crypto isakmp key keystring hostname central.company.com
    ip host central.company.com 9.8.7.6

    I tried this, but still saw debug messages on the central router saying
    'no pre-shared key found for 1.2.3.4'.

    After even more searching, I found the following statement in another
    Cisco doc:

    "Preshared keys no longer work when hostname is sent as the identity;
    thus, hostname as the identity in preshared key authentication is no
    longer supported. According to the way preshared key authentication is
    designed in IKE main mode, the preshared keys must be based on the IP
    address of the peers. Although a user can still send the hostname as
    identity in preshared key authentication, the key is searched on the IP
    address of the peer; if the key is not found (based on the IP address),
    the negotiation will fail."

    So in short, I can't do it...

    Cheers again,
    Chris
    Can2002, Jan 17, 2007
    #3
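The Cisco statement quoted above is a consequence of how IKEv1 main mode is laid out, not an IOS quirk: the responder has to derive SKEYID from the pre-shared key after the nonce exchange (MM3/MM4), and the initiator's ID payload only arrives in MM5, encrypted under keys derived from that SKEYID. So at the moment the key is needed, the only thing the responder knows about the peer is its source address, which is why a `hostname`-keyed entry is never consulted and the debug reads "no pre-shared key found for 1.2.3.4". Only IKEv1 aggressive mode sends ID_I in the clear in the first message, which is what makes hostname-keyed PSKs usable there; the price is that the nonces, identity and HASH payloads also travel in the clear, so a captured aggressive-mode exchange allows offline dictionary guessing of the PSK. The usual main-mode answer for a roaming peer is a wildcard `address 0.0.0.0 0.0.0.0` key (one key shared by every peer), certificates, or DMVPN. The following is an added example and not code from the thread or from Cisco: a toy Python model of the responder's key selection in both modes, run against keyrings that mirror the thread's configuration. Everything in it is constructed: HMAC-SHA1 stands in for the IKE prf, a SHA-256 keystream stands in for the MM5 encryption, HASH_I is simplified to prf(SKEYID, Ni|Nr|ID), and the nonce values and key strings are made up.

```python
"""Added example (not from the thread, not Cisco code): a toy model of how an
IKEv1 responder chooses a pre-shared key, showing why a key stored under a
hostname is unusable in main mode (the ID arrives encrypted, after the key
is needed) but usable in aggressive mode (the ID arrives in the clear first).
Assumptions, all constructed for the example: HMAC-SHA1 stands in for the
IKE prf, a SHA-256 keystream stands in for the MM5 encryption, HASH_I is
simplified to prf(SKEYID, Ni|Nr|ID), and the keyring entries mirror the
IOS commands quoted in the thread."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def xor_stream(skeyid: bytes, data: bytes) -> bytes:
    """Toy MM5 'encryption': only decryptable with the right SKEYID."""
    ks = hashlib.sha256(b"enc" + skeyid).digest()
    return bytes(a ^ b for a, b in zip(data, ks))  # ID payloads kept <= 32 bytes


@dataclass
class Keyring:
    by_address: dict = field(default_factory=dict)   # crypto isakmp key K address A
    by_hostname: dict = field(default_factory=dict)  # crypto isakmp key K hostname H

    def key_for_address(self, ip: str):
        # a 0.0.0.0 entry models the wildcard workaround for roaming peers
        return self.by_address.get(ip) or self.by_address.get("0.0.0.0")

    def key_for_hostname(self, fqdn: str):
        return self.by_hostname.get(fqdn)


@dataclass
class Msg:               # what a responder needs from MM3..MM5 / AM1..AM3
    src_ip: str
    ni: bytes
    nr: bytes
    id_i: bytes          # aggressive mode: sent in the clear in AM1
    enc_id: bytes = b""  # main mode: ID_I encrypted in MM5
    hash_i: bytes = b""


def initiator(psk: str, src_ip: str, id_i: bytes, nr: bytes, aggressive: bool) -> Msg:
    ni = os.urandom(16)
    skeyid = prf(psk.encode(), ni + nr)
    hash_i = prf(skeyid, ni + nr + id_i)
    if aggressive:
        return Msg(src_ip, ni, nr, id_i, b"", hash_i)
    return Msg(src_ip, ni, nr, b"", xor_stream(skeyid, id_i), hash_i)


def main_mode_responder(kr: Keyring, m: Msg):
    # SKEYID = prf(PSK, Ni|Nr) must exist before MM5 can be decrypted, and at
    # that point the only identity information available is the source IP.
    psk = kr.key_for_address(m.src_ip)
    if psk is None:
        return False, f"no pre-shared key found for {m.src_ip}"
    skeyid = prf(psk.encode(), m.ni + m.nr)
    id_i = xor_stream(skeyid, m.enc_id)
    if not hmac.compare_digest(prf(skeyid, m.ni + m.nr + id_i), m.hash_i):
        return False, f"HASH_I mismatch for {m.src_ip} (wrong key)"
    return True, f"main mode: peer {id_i.decode()} authenticated (key chosen by address)"


def aggressive_mode_responder(kr: Keyring, m: Msg):
    # ID_I is in AM1, so a hostname-keyed entry can be selected before SKEYID.
    psk = kr.key_for_hostname(m.id_i.decode()) or kr.key_for_address(m.src_ip)
    if psk is None:
        return False, f"no pre-shared key found for {m.id_i.decode()}"
    skeyid = prf(psk.encode(), m.ni + m.nr)
    if not hmac.compare_digest(prf(skeyid, m.ni + m.nr + m.id_i), m.hash_i):
        return False, "HASH_I mismatch (wrong key)"
    return True, f"aggressive mode: peer {m.id_i.decode()} authenticated (key chosen by hostname)"


def offline_psk_guess(m: Msg, wordlist):
    """The cost of aggressive mode: Ni, Nr, ID_I and HASH_I all travel in the
    clear, so anyone who captured the exchange can test candidate PSKs offline."""
    for w in wordlist:
        if prf(prf(w.encode(), m.ni + m.nr), m.ni + m.nr + m.id_i) == m.hash_i:
            return w
    return None


# --- constructed scenario mirroring the thread's config -------------------
NR = b"\x00" * 16                              # responder nonce, fixed for the example
HOSTNAME_ONLY = Keyring(by_hostname={"remote.company.com": "keystring"})
ADDRESS_KEYED = Keyring(by_address={"1.2.3.4": "keystring"})


def demo():
    mm = initiator("keystring", "1.2.3.4", b"remote.company.com", NR, aggressive=False)
    am = initiator("keystring", "1.2.3.4", b"remote.company.com", NR, aggressive=True)
    return {
        "main+hostname": main_mode_responder(HOSTNAME_ONLY, mm),  # fails, as in the thread
        "main+address": main_mode_responder(ADDRESS_KEYED, mm),   # works
        "aggr+hostname": aggressive_mode_responder(HOSTNAME_ONLY, am),
        "aggr+cracked": offline_psk_guess(am, ["dunkin", "cisco", "keystring"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

Running `demo()` reproduces the thread's outcome: with only a hostname-keyed entry, main mode fails before the identity is ever decrypted, while the same keyring authenticates the same peer in aggressive mode, and the aggressive-mode messages alone are enough to recover the PSK from a short wordlist. A `0.0.0.0` entry in `by_address` makes main mode work for any source address, which is the wildcard-key trade-off.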
  4. Can2002

    Guest

    Can2002 wrote:
    > bradm330 wrote:
    > > I believe the hostname command is meant to be a FQDN like
    > > vpn.someplace.com. And obviously for that to work, you have to have
    > > your router configured for DNS lookup
    > >

    >
    > Hi Brad,
    >
    > Thanks for that. I did some more searching and eventually found a
    > Cisco document that suggested the following commands should work:
    >
    > On Central:
    >
    > crypto identity hostname
    > crypto isakmp key keystring hostname remote.company.com
    > ip host remote.company.com 1.2.3.4
    >
    > On Remote:
    >
    > crypto identity hostname
    > crypto isakmp key keystring hostname central.company.com
    > ip host central.company.com 9.8.7.6
    >
    > I tried this, but still saw debug messages on the central router saying
    > 'no pre-shared key found for 1.2.3.4'.
    >
    > After even more searching, I found the following statement in another
    > Cisco doc:
    >
    > "Preshared keys no longer work when hostname is sent as the identity;
    > thus, hostname as the identity in preshared key authentication is no
    > longer supported. According to the way preshared key authentication is
    > designed in IKE main mode, the preshared keys must be based on the IP
    > address of the peers. Although a user can still send the hostname as
    > identity in preshared key authentication, the key is searched on the IP
    > address of the peer; if the key is not found (based on the IP address),
    > the negotiation will fail."
    >
    > So in short, I can't do it...


    DMVPN?

    Never used it or studied it seriously.
    , Jan 18, 2007
    #4
