
DMVPN and Preshared keys using hostnames

rick.payne
Level 1

Is it possible to use Hostnames instead of IP addressing for ISAKMP when a Spoke VPN comes into the Hub using routers?

The issue is the remotes could come from anywhere, so the Hub will never know the IP address to set up different Pre-Shared-Keys in that respect. The following statement "crypto isakmp key (Pre-Shared-Key) address 0.0.0.0 0.0.0.0" is the only thing that seems to work, but want to do pre-share or authentication with DMVPN by hostnames.

If there is another way using DMVPN to allow each Spoke to have its own unique "Pre-Shared" key, please let me know.

Thanks.

2 Replies

rahgovin
Level 4

You could use keyrings in that case

Crypto Keyring Configuration

A crypto keyring is a repository of preshared and RSA public keys. The keyring is configured in the router and assigned a key name. The keyring is then configured in the ISAKMP profile. There can be zero or more keyrings in the crypto ISAKMP profile. The following example shows the configuration of a crypto keyring:

crypto keyring KEYR1
 description The keys for VPN1
 pre-shared-key address 10.1.1.1 key cisco123
 pre-shared-key hostname host.lab.net key cisco123
 rsa-pubkey name host.vpn.com
  address 10.1.1.1
  serial-number 1000000
  key-string
   00302017 4A7D385B 1234EF29 335F
   quit
!
crypto isakmp profile DMVPN
 keyring KEYR1

You can refer to this doc for the info.
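
An added example, not part of the original thread or of Cisco's documentation: a short Python check that parses preshared-key lines in the two forms shown in this thread and reports a wildcard 0.0.0.0 key and any key shared by more than one peer. The sample config is constructed from the thread's lines, `SharedKey1` is a placeholder key, and only these line shapes are assumed.

```python
import re
from collections import defaultdict

# Constructed sample: the wildcard key from the question (placeholder key
# SharedKey1) plus the keyring from the reply, rsa-pubkey entry omitted.
SAMPLE_CONFIG = """\
crypto isakmp key SharedKey1 address 0.0.0.0 0.0.0.0
crypto keyring KEYR1
 description The keys for VPN1
 pre-shared-key address 10.1.1.1 key cisco123
 pre-shared-key hostname host.lab.net key cisco123
!
crypto isakmp profile DMVPN
 keyring KEYR1
"""

# Assumption: only the two line shapes that appear in this thread are handled.
GLOBAL_KEY = re.compile(r"^crypto isakmp key (\S+) (address|hostname) (.+)$")
KEYRING_KEY = re.compile(r"^pre-shared-key (address|hostname) (.+?) key (\S+)$")


def parse_psks(config):
    """Return (scope, peer_kind, peer, key) for every preshared key line."""
    entries, scope = [], "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto keyring "):
            scope = line.split()[2]          # name of the keyring being entered
        elif line == "!" or line.startswith("crypto "):
            scope = "global"                 # left the keyring sub-mode
        if (m := GLOBAL_KEY.match(line)):
            entries.append(("global", m.group(2), m.group(3), m.group(1)))
        elif (m := KEYRING_KEY.match(line)):
            entries.append((scope, m.group(1), m.group(2), m.group(3)))
    return entries


def audit(config):
    """Flag wildcard keys and keys reused across peers; never echo the key."""
    findings, by_key = [], defaultdict(list)
    for scope, kind, peer, key in parse_psks(config):
        label = f"{scope}:{kind} {peer}"
        by_key[key].append(label)
        if kind == "address" and set(peer.split()) == {"0.0.0.0"}:
            findings.append(("wildcard", label))
    for peers in by_key.values():
        if len(peers) > 1:
            findings.append(("reused", ", ".join(peers)))
    return findings
```
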

jan.nielsen
Level 7

Of course there is, it's known as certificates, and really is the way to go when you have more than two devices in your vpn setup.