Hi Bruno

There was a typo in the previous mail. Actually I was looking for an IPsec use case where we match user-fqdn in ISAKMP profiles:

router(config)#crypto isakmp profile prof
% A profile is deemed incomplete until it has match identity statements
router(conf-isa-prof)#mat
router(conf-isa-prof)#match ide
router(conf-isa-prof)#match identity ?
  address    IP Address(es)
  group      Group name
  host       match a hostname/domain
  user-fqdn  match a username/domain

With regards
Kings

On Wed, Jan 19, 2011 at 7:27 PM, Bruno <[email protected]> wrote:
> Hi Kingsley,
>
> What I think is, as per RFC 4306, it is used when:
>
>   ID_FQDN  2
>
>   A fully-qualified domain name string. An example of an ID_FQDN is
>   "example.com". The string MUST not contain any terminators (e.g., NULL, CR,
>   etc.).
>
> So, when you want to match hostnames instead of IPs? I think one useful case
> is when you have a remote l2l peer with a dynamic IP address. On our side the
> trick is how to configure the keys. You could configure:
>
>   crypto isa key XXX address 0.0.0.0
>
> That's not the best option. The second way is to match the remote peer's
> hostname instead. The configuration would be:
>
>   cry isa key XXX host remotepeer.test.com
>
> In this way, whatever IP address it comes to us from, we will be able to
> validate it. There must be better cases to use it though.
>
> Hope it helps
>
>
> On Wed, Jan 19, 2011 at 5:57 AM, Kingsley Charles <[email protected]> wrote:
>
>> Hi all
>>
>> The hostname option matches when the IKE Identity type is "ID_USER_FQDN".
>> It's not striking me now in which IPsec case I will get type
>> "ID_USER_FQDN".
>> Please provide your inputs.
>>
>> router(config)#crypto isakmp identity ?
>>   address   Use the IP address of the interface for the identity
>>   dn        Use the distinguished name of the router cert for the identity
>>   hostname  Use the hostname of the router for the identity
>>
>>
>> With regards
>> Kings
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
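To show Bruno's dynamic-peer case end to end, here is an added IOS configuration that is not from the thread: the keyring and profile names, the spoke hostname remotepeer.test.com, the hub address and the pre-shared key are all placeholders I chose, and the user-fqdn lines show the variant Kings asked about.

```cisco
! --- Hub (static address): select the peer by its IKE identity, not its source IP ---
crypto keyring SPOKE-KEYS
 ! PSK is looked up by the ID_FQDN the spoke presents, not by its address
 pre-shared-key hostname remotepeer.test.com key <PLACEHOLDER-PSK>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile SPOKE-PROF
 keyring SPOKE-KEYS
 ! only a peer presenting ID_FQDN remotepeer.test.com lands in this profile
 match identity host remotepeer.test.com
 ! for a peer that sends ID_USER_FQDN instead, match on user@domain:
 ! match identity user-fqdn vpnuser@test.com
!
! --- Spoke (dynamic address): send the hostname as the IKE identity ---
hostname remotepeer
ip domain name test.com
! ID_FQDN = hostname.domain instead of the (changing) interface address
crypto isakmp identity hostname
crypto isakmp key <PLACEHOLDER-PSK> address <HUB-IP>
!
! A spoke that must present ID_USER_FQDN sets it per profile instead
! (assumes the release supports self-identity user-fqdn):
! crypto isakmp profile HUB-PROF
!  self-identity user-fqdn vpnuser@test.com
```

The identity only selects the keyring entry; the spoke still has to prove possession of the PSK bound to that hostname, which is what makes this stronger than one wildcard `address 0.0.0.0` key shared by every peer.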
