Hi Kingsley,

What I think is, as per RFC 4306, it is used when:

    ID_FQDN                             2

        A fully-qualified domain name string.  An example of
        an ID_FQDN is, "example.com".  The string MUST not contain any
        terminators (e.g., NULL, CR, etc.).

So, when you want to match hostnames instead of IPs? I think one
useful case is when you have a remote l2l peer with dynamic IP
address. On our side the trick is how to configure the keys. You could
configure:

crypto isa key XXX address 0.0.0.0

That's not the best option. The second way is to match the remote peer's
hostname instead. The configuration would be:

cry isa key XXX host remotepeer.test.com

In this way, whatever IP address it comes from, we will be able to
validate it. There must be better cases to use it, though.

Hope it helps


On Wed, Jan 19, 2011 at 5:57 AM, Kingsley Charles <[email protected]> wrote:

> Hi all
>
> The hostname option matches when the IKE Identity type is "ID_USER_FQDN".
> It's not striking me now, in which IPSec case will I get type
> "ID_USER_FQDN".
> Please provide your inputs.
>
> router(config)#crypto isakmp identity ?
>   address   Use the IP address of the interface for the identity
>   dn        Use the distinguished name of the router cert for the identity
>   hostname  Use the hostname of the router for the identity
>
>
> With regards
> Kings
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>


-- 
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
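As an added example (not part of this thread or of any Cisco code): a small decoder for the RFC 4306 Identification payload that enforces the "no terminators" rule quoted above, plus a key lookup that mimics how a hostname-bound key (`crypto isakmp key ... hostname`) matches an ID_FQDN while the `address 0.0.0.0` entry matches any peer address. The key table format and the sample identities are constructed for the example.

```python
import ipaddress
import struct

# Identification payload ID types, RFC 4306 section 3.5.
# Type 3 is called ID_USER_FQDN in IKEv1 (RFC 2407) and ID_RFC822_ADDR in IKEv2.
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
                 5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
TERMINATORS = b"\x00\r\n"   # forbidden inside ID_FQDN / ID_USER_FQDN strings


def build_id_payload(id_type: int, id_data: bytes, next_payload: int = 0) -> bytes:
    """Encode an IKEv2 ID payload: generic header, ID type, 3 reserved bytes, data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(id_data), id_type) + id_data


def parse_id_payload(data: bytes):
    """Decode an ID payload into (type name, printable value), enforcing the RFC rules."""
    if len(data) < 8:
        raise ValueError("payload shorter than the 8-byte ID header")
    _next, _flags, length, id_type = struct.unpack("!BBHB", data[:5])
    if length < 8 or length > len(data):
        raise ValueError(f"bad payload length {length}")
    id_data = data[8:length]
    if id_type in (2, 3):
        if any(b in TERMINATORS for b in id_data):
            raise ValueError("ID string MUST not contain terminators (NULL, CR, LF)")
        value = id_data.decode("ascii")
    elif id_type == 1 and len(id_data) == 4:
        value = str(ipaddress.IPv4Address(id_data))
    elif id_type == 5 and len(id_data) == 16:
        value = str(ipaddress.IPv6Address(id_data))
    else:
        value = id_data.hex()
    return ID_TYPE_NAMES.get(id_type, f"UNKNOWN({id_type})"), value


def lookup_key(id_name: str, value: str, keys):
    """Pick a pre-shared key the way 'crypto isakmp key ... hostname|address' would:
    a hostname entry matches an ID_FQDN (case-insensitive), an address entry matches
    an ID_IPV4_ADDR, and the 0.0.0.0 wildcard matches any address (weakest choice).
    keys is a constructed list of (kind, match, key) tuples."""
    for kind, match, key in keys:
        if kind == "hostname" and id_name == "ID_FQDN" and match.lower() == value.lower():
            return key
        if kind == "address" and id_name == "ID_IPV4_ADDR" and match in ("0.0.0.0", value):
            return key
    return None
```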