Encryption: "Crypto isakmp identity"

Mark_Matthias
Level 1

I have a home router that connects to several field routers via Frame-Relay. Each will be IPSec encrypted.

Then each Field router connects to only one Remote router using ISDN. Each of these links will also be encrypted.

In summary, the Field routers are therefore sort of in the middle, with routers on a Frame Relay port (Home) and an ISDN port (Remote).

Question #1: What IP address should I use for the 'crypto isakmp identity' command?

I think I have the answer but would like it double checked:

Since "crypto isakmp identity" is a global command, I think I should use the loopback address. Will that work for both encrypted links?

Thanks,

Mark

2 Replies

Mark_Matthias
Level 1

This further complicates things.

The following notes are listed under Cisco's command-lookup-tool for the command "crypto isakmp key", and I want to use pre-shared keys:

Preshared keys no longer work when the hostname keyword is sent as the identity; thus, the hostname keyword as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail.

If crypto isakmp identity hostname is configured as identity, the preshared key must be configured with the peer's IP address for the process to work.
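The note quoted above is the answer to the original question: with pre-shared keys the key is looked up by the IP address the peer's IKE packets arrive from, so the identity setting can stay at its default ("address") and each "crypto isakmp key" line must name the peer's source address. Below is an added Field-router configuration illustrating that for the two links in the question. It is example text written for this page, not a configuration posted in the thread; all addresses, interface names, access-list numbers, key strings and algorithm choices are assumptions, and the dialer side of the ISDN interface is omitted.

```cisco
! Field router: Home reached over Frame Relay, Remote reached over ISDN.
! Added example, not from the thread. Addresses, interface names, ACLs,
! key strings and algorithms are assumptions; adjust to the IOS in use.
!
! One global ISAKMP policy is negotiated with both peers.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Default identity type. The peer is identified by the source IP of its
! IKE packets and the pre-shared key is looked up by that IP, so each key
! is bound to the address the peer actually sends from, not to a hostname.
crypto isakmp identity address
!
! Home router, far end of the Frame Relay link (assumed 10.10.10.1).
crypto isakmp key HomeKey-CHANGE-ME address 10.10.10.1
! Remote router, far end of the ISDN link (assumed 10.20.20.2).
crypto isakmp key RemoteKey-CHANGE-ME address 10.20.20.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! One crypto map with one entry per peer: entry 10 protects traffic
! towards the Home LAN, entry 20 traffic towards the Remote LAN.
crypto map FIELD 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set TS
 match address 110
crypto map FIELD 20 ipsec-isakmp
 set peer 10.20.20.2
 set transform-set TS
 match address 120
!
! Optional, if IKE/IPsec should be sourced from the loopback on both links.
! The peers must then route to 192.168.255.1 and their own
! "crypto isakmp key ... address" entries must name 192.168.255.1,
! not the Field router's serial or BRI address.
! crypto map FIELD local-address Loopback0
!
! Assumed LANs: Field 192.168.2.0/24, Home 192.168.1.0/24, Remote 192.168.3.0/24.
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
!
interface Serial0/0.1 point-to-point
 ip address 10.10.10.2 255.255.255.252
 frame-relay interface-dlci 100
 crypto map FIELD
!
interface BRI0
 ip address 10.20.20.1 255.255.255.252
 encapsulation ppp
 crypto map FIELD
```

The same crypto map name is applied to both interfaces; the "set peer" and "match address" in each entry keep the Home and Remote tunnels apart. Without the "local-address" line the Home router configures its key against 10.10.10.2 and the Remote router against 10.20.20.1, the addresses the Field router's IKE packets leave from on each link. If the loopback is to be used instead, uncomment that line and change the peers' key entries accordingly; a mismatch here is exactly the "key is searched on the IP address of the peer; if the key is not found ... the negotiation will fail" case from the quoted note. "show crypto isakmp sa" should list one SA per peer in QM_IDLE once both tunnels are up, and "debug crypto isakmp" shows the peer address each exchange came from, which is the address the key must be configured against.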

jackko
Level 7

As far as I know, the command specifies whether to use the IP address or the hostname when negotiating IKE, and you don't actually specify an IP with the command.

Further, we always leave this at the default, which is the IP address. We use PSK as well and have had no issues so far.

Maybe it's better to post your config, and we can discuss the issue further.