
ISAKMP identity - Cisco ASA

jm.rodriguez
Level 1

Hello everybody.

Two questions about Identity in IPSec Lan-to-Lan tunnels.

We have GreenBow and Shrew VPN clients. In their configurations, you can specify the Peer ID as an IP address, and you can write the IP address you want; it doesn't take the IP address from the outbound interface. The current VPN terminator also supports this feature. The problem comes because we're installing a Cisco ASA as the new VPN terminator and we see that:

- You can configure identity to use IP Address: crypto isakmp identity address. Then we can't specify an IP address, can we?

- Could we "skip" this Identity checking during tunnel establishment anyway?

Thank you very much.

2 Replies

nkarthikeyan
Level 7

Hi Rodriguez,

Even if you give "no crypto isakmp identity address", the default value, i.e. auto, would be considered. But if you want to make it a different interface, then you can specify the required interface...

crypto isakmp/ikevx enable <interface name>

 

Regards

Karthik

Poonam Garg
Level 3

Hi,

Yes, on ASA you cannot specify the IP address in this command, but if you give this command, identity is checked based on the IP address of the peer exchanging the ISAKMP identity information.

By default, "crypto isakmp identity auto" is configured on ASA. So if you are using pre-shared keys, it will check the peer IP address; if you use certificate authentication, it will check the Cert Distinguished Name for certificate authentication.

So you can skip this command.

HTH