
VPN using FQDN

network770
Level 1

We need to create a site-to-site IPsec VPN tunnel, but the other side does not have a static IP address; they are asking us to point to a fully qualified domain name. Does the ASA accept a domain name as a peer as opposed to an IP address?

3 Replies

Hi Ronni,

The ASA cannot initiate a VPN tunnel to a dynamic DNS hostname (remote FQDN). It can only initiate to a hostname defined by the 'name' command.

Keep me posted.

Portu

Please rate any helpful post.

The IOS router is capable of working the way you want, but as Javier told you, the ASA cannot.

If it is OK that only the other side initiates the connection, then you can configure the ASA to accept VPNs from any IP. But before going further in finding a solution, I would ask the other administrator why there is no fixed IP. If you want a really reliable VPN, you really should have fixed IPs on both sides.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Ronni,

Just adding more information about the tunnels mentioned above:

ASA:

Dynamic IPsec Tunnel Between a Statically Addressed ASA and a Dynamically Addressed Cisco IOS Router that uses CCP Configuration Example

IOS:

ISAKMP Profile Overview

"match identity {group group-name | address address [mask] [fvrf] | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}"

crypto isakmp profile vpnprofile
  match identity group vpngroup
  match identity address 10.53.11.1
  match identity host domain vpn.com
  match identity host server.vpn.com

Thanks.

Message was edited by: Javier Portuguez