Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3001
Views
0
Helpful
5
Replies

agressive mode tunnel on ASA

johanhofmans
Level 1
Level 1

‎06-14-2011 03:22 AM - edited ‎03-04-2019 12:42 PM

Hi all,

Currently, I have in a number of remote sites (with dynamic public address) a C800.

On this Cisco, I have a config for initiating an agressive-mode tunnel to a central ASA.

relevant part of the config:

---

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

!

crypto isakmp peer address 1.2.3.4

set aggressive-mode password abcdefg

set aggressive-mode client-endpoint fqdn remotesite1

!

crypto ipsec transform-set vpn1 esp-aes esp-sha-hmac

!

crypto map hq 10 ipsec-isakmp

set peer 1.2.3.4

set security-association lifetime seconds 28800

set transform-set vpn1

set pfs group2

match address 110

!

access-list 110 permit ip 10.32.250.0 0.0.0.255 192.168.0.0 0.0.255.255

---

Some of the config of the central ASA is below:

---

access-list Outside_cryptomap_2.1 extended permit ip 192.168.0.0 255.255.0.0 10.32.250.0 255.255.255.0

!

crypto map Outside_map 2 ipsec-isakmp dynamic Outside_dynmap

!

tunnel-group remotesite1 type ipsec-l2l

tunnel-group remotesite1 ipsec-attributes

pre-shared-key abcdefg

---

Now I need to replace these C800 by ASA5505. But I don't know how to replace the "crypto isakmp peer address" command in ASA.

The C800 transmits both the password (abcdefg in my example) and the fqdn (remotesite1 in the example).

Does anybody know how to configure the ASA to build the tunnel the way the C800 did?

Thanks !!

Labels:
0 Helpful
5 Replies 5

fgasimzade
Level 4
Level 4

‎06-14-2011 03:26 AM

Peer address on ASA is cofigured in crypto map config like

crypto map hq 10 set peer 1.2.3.4

0 Helpful

johanhofmans
Level 1
Level 1
In response to fgasimzade

‎06-14-2011 03:32 AM

yes, this "crypto map hq 10 set peer 1.2.3.4" ineed needs to be configured on the remote ASA, but where do I configure the fqdn remotesite1 -- this is what the central ASA uses to compare shared secrets.

central ASA config:

---

tunnel-group remotesite1 type ipsec-l2l

tunnel-group remotesite1 ipsec-attributes

pre-shared-key abcdefg

---

0 Helpful

fgasimzade
Level 4
Level 4
In response to johanhofmans

‎06-14-2011 03:50 AM

http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses

Take a look here

As far as I understand you are right, this is what you should do

tunnel-group remotesite1 type ipsec-l2l

tunnel-group remotesite1 ipsec-attributes

pre-shared-key abcdefg

0 Helpful

johanhofmans
Level 1
Level 1

‎06-14-2011 03:58 AM

... I found a configuration command that might do the trick:

crypto isakmp identity key-id remotesite1 (in my case)

I'm going to test this (the evening) and report back tomorrow.

Meanwhile: if somebody has an alternative config or comments on this identity configitem, please let me know.

0 Helpful

johanhofmans
Level 1
Level 1
In response to johanhofmans

‎06-15-2011 03:34 AM

yes! this did the trick

Bottom line:

the command "set aggressive-mode client-endpoint fqdn remotesite1" in the C800 is the same as "crypto isakmp identity key-id remotesite1" in ASA.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card