Kingsley, this is in Lab12 Question 4.4. You need to configure aggressive mode in order to use hostnames for pre-shared keys.

    ip host ciscoasa x.x.x.x
    crypto isakmp peer hostname ciscoasa
     set aggressive client-endpoint fqdn ciscoasa
     set aggressive password cisco

You would then need to configure aggressive mode on the ASA. I am not sure off the top of my head how to do this.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Thursday, October 15, 2009 10:06 AM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] IOS IPSec VPNs with hostname for pre-shared keys

The concept of using a hostname on an IOS router is different from the ASA. On the ASA, hostname means the FQDN that is being sent in the IKE message. The ASA checks for the name in the IKE message and matches it to the tunnel name for aggressive mode or with certificates.

With IOS, hostname is not related to the IKE message FQDN ID; rather, it is local. The FQDN is resolved either using DNS or static mapping using "ip host".

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1046469

With regards
Kings

On Thu, Oct 15, 2009 at 7:18 PM, Kingsley Charles <[email protected]> wrote:

Hi all

I am trying to bring up a site-to-site VPN between an ASA and an IOS router with pre-shared keys. On the IOS router, I am using the hostname, not the address. I tried two different ways:

Way 1

Configured "crypto isakmp identity hostname" on the ASA. The hostname sends the FQDN to the IOS router. Here on the IOS router, I have configured "crypto isakmp key cisco hostname ciscoasa". ciscoasa is the FQDN that the ASA is sending to the IOS router. The error thrown on the IOS router states "no pre-shared key found for the peer".

Way 2

I have configured a hostname to IP address mapping on the IOS router and then configured the hostname under the crypto map peer and for the pre-shared key. The hostname in the crypto map gets resolved and I see the IP address under the crypto map. But the "crypto isakmp key cisco hostname ciscoasa" just stays without getting resolved. Even with this, the tunnel doesn't come up.

How do I use "crypto isakmp key cisco hostname"?

With regards
Kings
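Why the exchange mode decides whether a hostname can select a pre-shared key, as an added example that is not part of the original thread: a simplified Python model of an IKEv1 responder following RFC 2409, not Cisco's IOS or ASA implementation. The function names, the key tables and the sample address 192.0.2.10 are assumptions constructed for illustration.

```python
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407)
ID_IPV4_ADDR, ID_FQDN = 1, 2

def build_id_payload(id_type, data, next_payload=0):
    """Encode an ISAKMP Identification payload (generic header + ID fields)."""
    body = struct.pack("!BBH", id_type, 0, 0) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def parse_id_payload(raw):
    """Return (id_type, identity string) from an Identification payload."""
    if len(raw) < 8:
        raise ValueError("truncated ID payload")
    _next, _rsvd, length = struct.unpack("!BBH", raw[:4])
    if length < 8 or length > len(raw):
        raise ValueError("bad payload length")
    id_type, _proto, _port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:length]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type == ID_FQDN:
        return id_type, data.decode("ascii").lower()
    raise ValueError(f"unsupported ID type {id_type}")

def select_psk(mode, src_ip, id_payload, keys_by_addr, keys_by_fqdn):
    """Pick the pre-shared key a responder can use at the point it needs it."""
    if mode == "main":
        # The ID payload arrives encrypted in message 5, after SKEYID is
        # needed, so only the packet's source address can index the keys.
        return keys_by_addr.get(src_ip)
    if mode == "aggressive":
        # The ID payload arrives in clear in message 1 and can index the keys.
        id_type, ident = parse_id_payload(id_payload)
        table = keys_by_fqdn if id_type == ID_FQDN else keys_by_addr
        return table.get(ident)
    raise ValueError("mode must be 'main' or 'aggressive'")

# Constructed sample: a peer at 192.0.2.10 announcing the FQDN "ciscoasa".
SAMPLE_ID = build_id_payload(ID_FQDN, b"ciscoasa")
KEYS_BY_FQDN = {"ciscoasa": "cisco"}
KEYS_BY_ADDR = {}  # no address-based key configured

if __name__ == "__main__":
    for mode in ("main", "aggressive"):
        print(mode, select_psk(mode, "192.0.2.10", SAMPLE_ID, KEYS_BY_ADDR, KEYS_BY_FQDN))
```

In this model, main mode finds no key for the FQDN-only entry, while aggressive mode finds it from the clear-text ID payload.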
