
Need help troubleshooting site-to-site VPN

ciscofan128
Level 1

Hi,

I am trying to set up a site-to-site IPSec VPN (with pre-shared key) with a remote office that uses SonicWall VPN. The tunnel fails to establish, thus I am trying to troubleshoot the problem. The remote admin told me I need to set "vpn identifier" to a string to identify my end. However, as far as I know, I don't see a place for it and I suspect it's not required for successful tunnel establishment. One note though: when I attempt to connect the VPN via SDM's VPN troubleshooter and run:

#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
           Peer     I/F        Username          Group/Phase1_id   Uptime Status

    x.x.x.x     fa0/0                                remote-vpn-identifier               DN

So I can see his "vpn identifier" under "Group/Phase1_id". Could someone suggest where to set "vpn identifier" in IOS on a router? Also, is it really required? I looked through the IPSec docs but don't see it.

Thanks!

1 Reply

Herbert Baerten
Cisco Employee

Hi Andre,

you should be able to configure this with:

router(config)#crypto isakmp identity ?
  address   Use the IP address of the interface for the identity
  dn        Use the distinguished name of the router cert for the identity
  hostname  Use the hostname of the router for the identity

As you can see, you cannot define a string, but you can specify "hostname" - so the remote will have to match on your hostname (or you will have to change your hostname to the string they expect to see).

The default by the way is "address" so if you don't change anything and get the SonicWall guy to match on your IP address instead of hostname, then you should be fine as well.

hth
Herbert