ASA - IPSec (IKEV2) VPN peer address using FQDN

Hi,

 

I have the network below running with IPsec.

 

LAN -- - Inside-HQ-ASA - -Outside - -  Internet Modem1 - --- ISP --------Internet Modem2 - -- outside-(BR1-ASA) - - inside-LAN

 

I have set up IKEv2 between the two locations and it is working fine.

 

Currently I am using the IP address, and I need to change the config every week, as the PPPoE IP from the provider refreshes every week. I have dynamic DNS, and many services are running using DNS.

How can I set the configuration with a hostname instead of an IP?

I tried using "crypto map outside_map 20 set peer hostname1.domian.fqdn", but it shows an error:

 

MLZ-ASA-01(config)# crypto map outside_map 10 set peer hostname.domian.com
^
ERROR: % Invalid Hostname
MLZ-ASA-01(config)# crypto map outside_map 10 set peer dns:hostname.domian.com
^
ERROR: % Invalid Hostname
MLZ-ASA-01(config)#

 

The configuration is given below.

+++++++++++HQ+++++++++++

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.10.10.41 255.255.255.0
ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.10.1 255.255.255.240
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 192.168.100.2 255.255.255.0

 

dns domain-lookup outside

dns server-group DefaultDNS
name-server 8.8.8.8

object-group network MLZ-LAN_IPSEC
network-object 172.16.10.0 255.255.255.240
network-object 10.10.10.0 255.255.255.0
network-object 10.10.11.0 255.255.255.0
object-group network JED-LAN_IPSEC
network-object 172.16.30.0 255.255.255.240
network-object 10.30.10.0 255.255.255.0

access-list MLZ-JED-VPN extended permit ip object-group MLZ-LAN_IPSEC object-group JED-LAN_IPSEC

 

route outside 0.0.0.0 0.0.0.0 192.168.100.1 1

 

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map outside_map 20 match address MLZ-JED-VPN
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set ikev2 ipsec-proposal 3DES DES AES AES192 AES256
crypto map outside_map interface outside

 

crypto ikev2 policy 1
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1 ikev2

 

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

++++++++++++++++++++++++++++++++++++++++++++++++

 

 

+++++++++++BR1+++++++++++

interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.30.10.41 255.255.255.0
!
interface GigabitEthernet0/1
nameif dmz
security-level 50
ip address 172.16.30.1 255.255.255.240
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0

 

dns domain-lookup outside

dns server-group DefaultDNS
name-server 8.8.8.8

object-group network MLZ-LAN_IPSEC
network-object 172.16.10.0 255.255.255.240
network-object 10.10.10.0 255.255.255.0
network-object 10.10.11.0 255.255.255.0
object-group network JED-LAN_IPSEC
network-object 172.16.30.0 255.255.255.240
network-object 10.30.10.0 255.255.255.0

access-list JED-MLZ-VPN extended permit ip object-group JED-LAN_IPSEC object-group MLZ-LAN_IPSEC 

route outside 0.0.0.0 0.0.0.0 192.168.1.1 1

 

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map outside_map 20 match address JED-MLZ-VPN
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 1.1.1.1
crypto map outside_map 20 set ikev2 ipsec-proposal 3DES DES AES AES192 AES256
crypto map outside_map interface outside

 

crypto ikev2 policy 1
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1 ikev2

 

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

++++++++++++++++++++++++++++++++++++++++++++++++

 

Your help is highly appreciated.

 

Thanks

Ameer
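The post's problem is that the crypto map and tunnel-group are keyed on the remote peer's IP, which changes weekly. As an added example (not the poster's configuration and not Cisco code), the script below resolves the dynamic-DNS name, compares the answer with the peer currently configured, and renders the same ASA command forms the post uses (tunnel-group, crypto map set peer) with the new address. The hostname, the resolver stub and the 203.0.113.x address are constructed placeholders; the `<PSK>` token stands in for the pre-shared key the post masks as `*****`.

```python
"""Detect a peer address change behind a dynamic-DNS name and render the ASA
lines that would need updating.

Added example for the post above; not Cisco's code and not the poster's own
configuration. The resolver is injectable so the check runs offline; the
hostname and sample addresses are constructed placeholders.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

Resolver = Callable[[str], Iterable[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve an FQDN to its IPv4 A records using the OS resolver."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def resolve_peer(name: str, resolver: Resolver = system_resolver) -> str:
    """Return the single IPv4 address a dynamic-DNS name currently points to.

    An L2L peer must be exactly one address: several A records, or none, mean
    the name is not safe to copy into the crypto map, so raise instead.
    """
    addrs = []
    for raw in resolver(name):
        addr = ipaddress.ip_address(raw)  # rejects garbage that is not an IP
        if addr.version == 4:
            addrs.append(str(addr))
    if len(addrs) != 1:
        raise ValueError(f"{name} resolved to {addrs!r}; expected one IPv4 address")
    return addrs[0]


def render_peer_update(old_peer: str, new_peer: str,
                       map_name: str = "outside_map", seq: int = 20) -> List[str]:
    """ASA lines to repoint the crypto map and tunnel-group at the new peer.

    Uses the command forms from the post's configuration; <PSK> is a
    placeholder to be replaced before the lines are applied.
    """
    return [
        f"tunnel-group {new_peer} type ipsec-l2l",
        f"tunnel-group {new_peer} ipsec-attributes",
        " ikev2 remote-authentication pre-shared-key <PSK>",
        " ikev2 local-authentication pre-shared-key <PSK>",
        f"crypto map {map_name} {seq} set peer {new_peer}",
        f"no tunnel-group {old_peer}",
    ]


def check_peer(name: str, configured_peer: str, resolver: Resolver = system_resolver,
               map_name: str = "outside_map", seq: int = 20) -> Optional[List[str]]:
    """None when the configured peer still matches DNS, else the update lines."""
    current = resolve_peer(name, resolver)
    if current == configured_peer:
        return None
    return render_peer_update(configured_peer, current, map_name, seq)


if __name__ == "__main__":
    # Constructed stand-in for the DDNS lookup so the script runs offline;
    # pass resolver=system_resolver to query real DNS instead.
    fake_dns = lambda _name: ["203.0.113.10"]
    for line in check_peer("br1.example.net", "2.2.2.2", resolver=fake_dns) or ["peer unchanged"]:
        print(line)
```

The script deliberately refuses to act when the name resolves to more than one address or to none, because a wrong peer in the crypto map silently breaks the tunnel rather than failing loudly. Both sides here sit behind PPPoE, so each ASA would need to track the other's name; if one side ever gets a stable address, Cisco's documented alternative is a dynamic crypto map on that side with the dynamic-address side initiating, which removes the need to edit peer addresses at all.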
