I have a pre-shared key VPN system consisting of a 3725 hub with a public IP and several 2600 remotes, where each remote is behind ISP infrastructure served with non-routable DHCP-supplied addresses. All works well with the static public IP of the hub stored in the remote configs, but I'm trying to migrate the remotes to a new config based on the FQDN of the hub, to allow a future hub address change without having to visit every remote.
The problem is that the remotes are old and memory constrained; they are currently at or about IOS 12.2(27). I have tried to implement 'Real-Time Resolution for IPsec Tunnel Peer', i.e.:
crypto isakmp policy 1
 ! the policy must select pre-shared keys; the IOS default is rsa-sig
 authentication pre-share
! key is stored against the hub's FQDN, not its IP
crypto isakmp key <key> hostname abc.xyz.com
crypto ipsec transform-set TS esp-des esp-md5-hmac
crypto map vpn-to-hub 10 ipsec-isakmp
 ! "dynamic" defers the DNS lookup to negotiation time
 set peer abc.xyz.com dynamic
 set transform-set TS
 set pfs group2
 ! access-list 101 (not shown) selects the traffic to protect
 match address 101
While the old IOS accepts the crypto isakmp statement with the FQDN, it will not accept the keyword 'dynamic' in the set peer line. Leaving out the dynamic qualifier causes the IOS to immediately resolve abc.xyz.com into an IP address during the config and simply store the IP address. The remotes have DHCP client functionality implemented and a DNS server nominated. The hub is FQDN-resolvable.
I do not have the budget to replace the remote routers, and their memory is too small to upgrade the IOS, so any workaround suggestions would be appreciated.
This is one of the typical scenarios where the authentication is better done with digital certificates. Another solution that will technically work, but is not a best practice, is the usage of wildcard pre-shared keys.
And a third solution: with these old routers, you can also do the authentication with RSA encryption (rsa-encr).
Sent from Cisco Technical Support iPad App
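As an added illustration, not posted by either participant above, the following IOS fragments show two of the options the reply names side by side: the hub accepting remotes with unknown DHCP addresses through a wildcard pre-shared key and a dynamic crypto map (the "works but not best practice" option), and a remote authenticating with RSA-encrypted nonces instead of a shared secret. The map and dynamic-map names, the hub address 203.0.113.10, the interface FastEthernet0/0 and the key-string placeholder are assumptions; the DES/MD5 transform set simply mirrors the one in the question and is weak by today's standards.

```cisco
! ---- Hub side: wildcard pre-shared key + dynamic crypto map (assumed names) ----
! The hub cannot list its peers because the remotes' addresses are DHCP-assigned.
! Cost of the wildcard: any peer that learns <key> can authenticate to the hub,
! which is why the reply calls this "not a best practice".
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-des esp-md5-hmac
! A dynamic crypto map carries no "set peer"; peer addresses are learned
! from whoever negotiates, so it is the receiving side of the tunnel.
crypto dynamic-map DYN-REMOTES 10
 set transform-set TS
 set pfs group2
crypto map VPN-HUB 10 ipsec-isakmp dynamic DYN-REMOTES
interface FastEthernet0/0
 crypto map VPN-HUB

! ---- Remote side: RSA-encrypted nonces instead of a shared secret ----
! "usage-keys" generates separate signature and encryption key pairs;
! rsa-encr uses the encryption pair.
crypto key generate rsa usage-keys
crypto isakmp policy 1
 encryption des
 hash md5
 authentication rsa-encr
 group 2
! The hub's public encryption key is stored under the hub's address,
! so the peer is still a literal IP here, as in the original setup.
crypto key pubkey-chain rsa
 addressed-key 203.0.113.10 encryption
  key-string
   <hub public encryption key, hex, placeholder>
  quit
crypto ipsec transform-set TS esp-des esp-md5-hmac
crypto map vpn-to-hub 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set pfs group2
 match address 101
```

Two practical notes. With rsa-encr the hub must also hold each remote's public key; because the remotes' addresses change, those entries go under named-key with the remote's hostname, and each remote sets crypto isakmp identity hostname so the hub can look the key up. And neither option removes the original problem: the remote still stores a resolved IP for the hub, so a hub address change still means touching each remote's set peer line.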