Currently, I have in a number of remote sites (with dynamic public address) a C800.
On this Cisco, I have a config for initiating an agressive-mode tunnel to a central ASA.
Relevant part of the config:
crypto isakmp policy 10
crypto isakmp peer address 18.104.22.168
 set aggressive-mode password abcdefg
 set aggressive-mode client-endpoint fqdn remotesite1
crypto ipsec transform-set vpn1 esp-aes esp-sha-hmac
crypto map hq 10 ipsec-isakmp
 set peer 22.214.171.124
 set security-association lifetime seconds 28800
 set transform-set vpn1
 set pfs group2
 match address 110
access-list 110 permit ip 10.32.250.0 0.0.0.255 192.168.0.0 0.0.255.255
Some of the config of the central ASA is below:
access-list Outside_cryptomap_2.1 extended permit ip 192.168.0.0 255.255.0.0 10.32.250.0 255.255.255.0
crypto map Outside_map 2 ipsec-isakmp dynamic Outside_dynmap
tunnel-group remotesite1 type ipsec-l2l
tunnel-group remotesite1 ipsec-attributes
Now I need to replace these C800s with ASA5505s, but I don't know how to replace the "crypto isakmp peer address" command on the ASA.
The C800 transmits both the password (abcdefg in my example) and the fqdn (remotesite1 in the example).
Does anybody know how to configure the ASA to build the tunnel the way the C800 did?
Yes, this "crypto map hq 10 set peer 126.96.36.199" indeed needs to be configured on the remote ASA, but where do I configure the fqdn remotesite1? This is what the central ASA uses to compare shared secrets.
central ASA config:
Take a look here
As far as I understand, you are right; this is what you should do.
... I found a configuration command that might do the trick:
crypto isakmp identity key-id remotesite1 (in my case)
I'm going to test this (this evening) and report back tomorrow.
Meanwhile: if somebody has an alternative config or comments on this identity configitem, please let me know.
Yes! This did the trick.
The command "set aggressive-mode client-endpoint fqdn remotesite1" on the C800 is the same as "crypto isakmp identity key-id remotesite1" on the ASA.
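As an added example (not a config from the thread or from Cisco), here is how the pieces discussed above fit together on the spoke-side ASA5505, written in the pre-8.4 ASA syntax that matches the hub config shown earlier (on 8.4 and later the transform-set and pre-shared-key commands take an ikev1 prefix). Assumptions: the hub's public address is the one from the C800 crypto map (22.214.171.124), the outside interface is named outside, the ACL name hq_vpn and the policy numbers are my own choice, and abcdefg stands in for a per-site pre-shared key. Because aggressive mode sends the key-id identity in the clear and the hub looks the key up by that name, each site should have its own long, random key rather than a shared short one.

```cisco
! Added example: spoke ASA5505 replacing the C800 (pre-8.4 syntax)
! Phase 1: enable ISAKMP on the outside interface and define the policy
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! Send the key-id identity; it must equal the tunnel-group name on the hub
crypto isakmp identity key-id remotesite1
! Phase 2: transform set and the mirror of the hub's crypto ACL (netmask form on ASA)
crypto ipsec transform-set vpn1 esp-aes esp-sha-hmac
access-list hq_vpn extended permit ip 10.32.250.0 255.255.255.0 192.168.0.0 255.255.0.0
crypto map hq 10 match address hq_vpn
crypto map hq 10 set peer 22.214.171.124
crypto map hq 10 set transform-set vpn1
crypto map hq 10 set pfs group2
crypto map hq 10 set security-association lifetime seconds 28800
crypto map hq interface outside
! Pre-shared key for the hub; the hub identifies itself by address, so the
! tunnel-group is named after the hub's public IP (abcdefg is a placeholder key)
tunnel-group 22.214.171.124 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
 pre-shared-key abcdefg
```

On the hub side nothing changes from the thread's config: the spoke's key-id remotesite1 selects tunnel-group remotesite1, whose pre-shared-key must match the one above. Verifying after the swap is done with show crypto isakmp sa and show crypto ipsec sa on the spoke; a phase 1 entry stuck in AM_ACTIVE with no phase 2 SAs usually means the key-id and tunnel-group name disagree or the crypto ACLs are not exact mirrors.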