10-05-2005 03:58 AM - edited 02-21-2020 12:26 AM
Hi All,
We have been using Cisco PIXes for more than 5 years now, and VPN tunnels have been part of many configurations through time. Now I finally got brave enough and upgraded a PIX to PIX OS 7.0.2 from 6.3(5).
It was a mess to change the configuration (isakmp/crypto), and I stumbled upon a strange thing in the process, which caused me a headache of half an hour before I solved it.
The tunnel-groups are used to specify a host and a pre-shared key for isakmp negotiation. But the tunnel-group NEEDS to have a name that matches the peer IP address; is there no way to get the config to display the peer's NAME instead of the IP address?
example:
I would like to write:
name 6.10.10.12 Paris
tunnel-group Paris type ipsec-l2l
tunnel-group Paris ipsec-attributes
pre-shared-key xyz
But the tunnel-group command doesn't understand NAMES, so I have to write
tunnel-group 6.10.10.12 type ipsec-l2l
tunnel-group 6.10.10.12 ipsec-attributes
pre-shared-key xyz
Can you tell me why this is so? I was getting used to using names (very neat when you have long configurations).
I hope for an answer, or maybe this should be brought to TAC instead?
Suggestions ?
10-05-2005 04:29 PM
Well, I guess the short answer is that it has to be an IP address because that's all the developers added into the source code. It can be a name for anything other than an L2L tunnel; for an L2L tunnel specifically it has to be the peer's IP address, since this is what the code uses to search on for the attributes (pre-shared key, etc.). There is no code in the PIX that says, if it's a name, go and search for a matching "name ..." command and use that IP address to search on.
If you want the ability to add a name here instead of the IP address, then it will have to be logged as a feature request, a bug submitted, and the code written to allow that. You can log the feature request by contacting your account team (not the TAC).
Sorry, but that's the best answer I have.
10-05-2005 10:13 PM
Thank you, I think I will request the feature then.
I understand that this part of the statement is considered a "string", so there is no way they can know whether it is an IP address... hmmmm.
The problem for me is that the setup in question has 25 sites with VPN tunnels going back and forth between most of them (many-to-many).
I have configured all tunnels (access lists, nonat ACL, inside-out ACL), peers, etc. with the same name in them, for example:
name 10.31.164.0 London-10nw
name 62.40.79.114 London
name 10.31.176.0 Rome-10nw
access-list inside-out permit ip Rome-10nw 255.255.255.0 London-10nw 255.255.255.0
access-list nonat-inside permit ip Rome-10nw 255.255.255.0 London-10nw 255.255.255.0
access-list London permit ip Rome-10nw 255.255.255.0 London-10nw 255.255.255.0
crypto map eskovpn 70 match address London
crypto map eskovpn 70 set peer London
isakmp key ******** address London netmask 255.255.255.255
If I need to change something in the config related to the peer site (London in this case) I simply do a
show run | include London
And all the lines output from this command are what I need if I need to
1 - change a peer address
2 - add a new network to the vpn tunnel
3 - generally check that everything related to the VPN config for that peer is in place.
With PIX OS 7.0 I now also have to remember the IP address of the peer and do an additional search to have all config commands related to the peer listed.
I hope my Cisco team will understand the inconvenience with this.
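An added example, not part of the original thread: since PIX 7.x keys L2L tunnel-groups by the peer IP rather than by a "name" label, a plain `show run | include London` misses the tunnel-group lines. The script below does offline what that one-liner cannot: it parses the `name <ip> <label>` statements from a saved config, then returns every line that mentions either the label or the IP behind it, pulling in the indented sub-commands (pre-shared-key) under a matched tunnel-group. The config fragment is constructed for this example and is not the poster's real configuration; the `extended` keyword and the 198.51.100.7 second peer are assumptions used to show a non-matching entry.

```python
import re
from typing import Dict, List

# Constructed sample of a PIX 7.x running-config fragment (not from the post).
# 'name' entries map addresses to labels; tunnel-groups are keyed by raw IP.
SAMPLE_CONFIG = """\
name 10.31.164.0 London-10nw
name 62.40.79.114 London
name 10.31.176.0 Rome-10nw
access-list inside-out extended permit ip Rome-10nw 255.255.255.0 London-10nw 255.255.255.0
access-list nonat-inside extended permit ip Rome-10nw 255.255.255.0 London-10nw 255.255.255.0
access-list London extended permit ip Rome-10nw 255.255.255.0 London-10nw 255.255.255.0
crypto map eskovpn 70 match address London
crypto map eskovpn 70 set peer London
tunnel-group 62.40.79.114 type ipsec-l2l
tunnel-group 62.40.79.114 ipsec-attributes
 pre-shared-key *****
tunnel-group 198.51.100.7 type ipsec-l2l
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")


def parse_names(config: str) -> Dict[str, str]:
    """Return {label: ip} for every 'name <ip> <label>' line in the config."""
    names: Dict[str, str] = {}
    for line in config.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            ip, label = m.group(1), m.group(2)
            names[label] = ip
    return names


def lines_for_peer(config: str, label: str) -> List[str]:
    """Like 'show run | include <label>', but also matches the IP the label
    resolves to (whole-address match, so 62.40.79.11 does not hit .114) and
    keeps the indented sub-commands under any matched tunnel-group line."""
    ip = parse_names(config).get(label)
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])") if ip else None

    out: List[str] = []
    in_tunnel_group = False  # True while inside a matched tunnel-group block
    for line in config.splitlines():
        if line.startswith(" "):
            # Sub-command (e.g. pre-shared-key): keep only if its parent matched.
            if in_tunnel_group:
                out.append(line)
            continue
        in_tunnel_group = False
        # Substring match on the label mirrors '| include' behaviour, so
        # 'London' also picks up 'London-10nw' as the poster intends.
        if label in line or (ip_re is not None and ip_re.search(line)):
            out.append(line)
            in_tunnel_group = line.startswith("tunnel-group")
    return out


if __name__ == "__main__":
    for entry in lines_for_peer(SAMPLE_CONFIG, "London"):
        print(entry)
```

Run against a saved `show running-config` instead of the embedded sample to audit one peer's ACLs, crypto map entries and tunnel-group at once; the same label-to-IP mapping is what makes a peer address change checkable in a single pass.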