Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1357
Views
0
Helpful
2
Replies

ASA site-site vpn, pre-shared-key, tunnel-group with "name" in Main mode

sathish.cco
Level 1
Level 1

‎12-09-2015 12:16 AM

Hi,

I am converting ASA ver 6.3 to 9.2(4) for ASA 5505 hw.

there are more than 30 s-s vpn tunnels which needs to be converted, the existing config of a tunnel is

6.3

name 10.16.34.11 TEST-PEER

isakmp key kE87ber1 address TEST-PEER netmask 255.255.255.255 no-xauth no-config-mode


asa(config)# tunnel-group TEST-PEER type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digital Certificates and/or The peer is
configured to use Aggressive Mode

 I want to configure "peer name" in the tunnel-group insted of ip when configuring site-site vpn with pre-shared key in Main mode.

But, the warning msg says, "name" will be used only with Digital certificate and aggressive mode which we dont want.

Please provide your suggestion/option how to move forward to use "name" in main mode.

Labels:
0 Helpful
2 Replies 2

pjain2
Cisco Employee
Cisco Employee

‎12-16-2015 01:06 AM

When negotiating a L2L each peer sends its ISAKMP identity to the remote  peer. It sends either its IP address or host name dependent upon how  each has its ISAKMP identity set. By default, the ISAKMP identity of the ASA is set to the IP address. As per the RFC, when using pre-shared key authentication with Main Mode the key can     only be identified by the IP address of the peers since HASH_I must    be computed before the initiator has processed IDir. Aggressive Mode    allows for a wider range of identifiers of the pre-shared secret to    be used. In addition, Aggressive Mode allows two parties to maintain    multiple, different pre-shared keys and identify the correct one for    a particular exchange.

The ASA will do a tunnel-group lookup as follows:

- ike-id checked first and could be either hostname (fqdn) or IP address

- if ike-id lookup fails ASA tries Peer IP address

- DefaultRAGroup/DefaultL2LGroup is used as a last resort

0 Helpful

sathish.cco
Level 1
Level 1
In response to pjain2

‎12-16-2015 02:07 AM

Hi, thanks for your reply.

I changed to " asa(config)# tunnel-group 10.16.34.11 type ipsec-l2l"  , its ip address,

but not sure this will work and dont know about other side config. need to test it.

0 Helpful
Customers Also Viewed These Support Documents