Cisco VPN peer id configuration

omera
Level 1

Hey Everyone,

I have been troubleshooting a VPN issue and hit a wall. The VPN runs between a Cisco IOS XE and Palo Alto FW.

The problem that I am hitting is with phase 1. On the Cisco side, the debug shows that the negotiation is stuck at MM_KEY_EXCH. I have double-checked the pre-shared key and the policy, and they both match. On the PA FW, the error that I am getting is

"description contains 'IKE phase-1 negotiation is failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN"

I have looked into how to change the peer id for that specific tunnel, but no luck there.

Thanks.

Accepted Solution

@omera By default the router would send the address as the identity, so I assume your IOS-XE router is explicitly configured to send a FQDN and that is configured globally? If so, and you reconfigure the router globally to send the address as the identity, that might impact (break) any other VPN on the router.

You might be better off creating an ISAKMP profile specifically for the VPN to the PA firewall. Specify the "self-identity" as address, hence sending your IP address and overriding the global setting of hostname.


6 Replies

crypto isakmp identity {address | hostname | key-id id-string | auto}

This is the command for the identity.

Hey MHM, the identity for the whole router is set to hostname, and I honestly cannot set it to address, as that might impact other VPN connections.

Thanks for the help .

@omera as I said in my first response, you need to use an ISAKMP profile to define the IP address as the identity, to override the global setting. Example:

! Per-peer profile: self-identity overrides the global "crypto isakmp identity"
! setting only for peers matched by this profile (1.1.1.1 = the peer's address)
crypto isakmp profile CUSTOMERA
 keyring CUSTOMERA-KEY
 self-identity address
 match identity address 1.1.1.1 255.255.255.255

! Bind the profile to the crypto map entry used for this tunnel
crypto map CMAP 1 ipsec-isakmp
 set isakmp-profile CUSTOMERA
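For readers who want the complete IOS-XE side of such a tunnel, the following is an added example and not configuration posted in this thread. It puts the profile above into context: the global identity stays "hostname" so other tunnels are untouched, while a dedicated keyring and ISAKMP profile send the interface address as the identity only toward the PA peer. All names, addresses (RFC 5737 documentation ranges), the interface, the subnets, the policy parameters and the key placeholder are assumptions; adjust them to match the PA's IKE crypto profile and Peer Identification settings.

```cisco
! Added example (not from the original thread). Placeholders:
!   203.0.113.10   = Palo Alto public IP
!   198.51.100.2   = this router's public IP on GigabitEthernet0/0/0
!   <psk-placeholder> = the pre-shared key agreed with the PA admin
!
! Global identity is left as hostname so existing tunnels keep working.
crypto isakmp identity hostname
!
! Phase 1 policy; must match the IKE crypto profile on the PA side.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Pre-shared key for the PA peer, scoped to a keyring that only this
! profile references.
crypto keyring PA-KEYRING
 pre-shared-key address 203.0.113.10 key <psk-placeholder>
!
! Per-peer profile. "self-identity address" sends 198.51.100.2 as the IKE ID
! to this peer only; "match identity address" selects the profile when the
! PA (203.0.113.10) initiates; "local-address" pins the source interface.
crypto isakmp profile PA-PROFILE
 keyring PA-KEYRING
 self-identity address
 match identity address 203.0.113.10 255.255.255.255
 local-address GigabitEthernet0/0/0
!
! Phase 2 parameters; must match the IPsec crypto profile on the PA.
crypto ipsec transform-set PA-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic (placeholder subnets, assumed).
ip access-list extended PA-CRYPTO-ACL
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Crypto map entry bound to the profile, applied on the outside interface.
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set PA-TS
 set isakmp-profile PA-PROFILE
 match address PA-CRYPTO-ACL
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map CMAP
```

After applying this, `show crypto isakmp sa` should show the PA peer in QM_IDLE rather than MM_KEY_EXCH, and `show crypto isakmp profile` confirms which profile matched. Two caveats: `self-identity address` sends the address of the local interface, so if the router sits behind NAT the PA will still see a mismatch unless its Peer Identification is set to the router's private address; and the PSK appears in clear text in the running configuration, so on IOS-XE it is worth enabling type 6 key encryption (`key config-key password-encrypt` followed by `password encryption aes`) before committing the config to version control or a backup system.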


omera
Level 1

Thanks, Rob and MHM, for the help, much appreciated.