Hi Tyson,

Even if "crypto isakmp identity address" is configured, which is the default, the IOS uses the hostname as the identity when the authentication method used by the IPSec VPN is rsa-sig.

If we configure "crypto isakmp identity hostname" and have both types of VPN connections, using pre-shared keys and rsa-sig, only the hostname will be sent for IPSec connections that use pre-shared, which may fail if we don't have DNS resolution mappings. So, we need not configure "crypto isakmp identity hostname" when the default configuration is used unless the identity "crypto isakmp identity dn"

With regards
Kings

On Sat, Jun 25, 2011 at 11:28 AM, Tyson Scott <[email protected]> wrote:

> You should configure the command.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Tuesday, June 21, 2011 1:15 AM
> *To:* Kok Yong CHEONG
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Crypto identity hostname for GETVPN with CA
>
> If I remember correctly, when ISAKMP RSA-SIG is used for authentication, the
> IOS uses crypto identity of hostname even if you have not configured it.
>
> With regards
> Kings
>
> On Tue, Jun 21, 2011 at 9:08 AM, Kok Yong CHEONG <[email protected]> wrote:
>
> Hi guys,
>
> I have a doubt on the following:
>
> I read somewhere that if you have GETVPN with a CA server (authentication
> rsa-sig), you need to have "crypto identity hostname" for it to work. However, when
> I look at the GETVPN deployment guide, I don't see that "crypto identity
> hostname" is configured (the default is crypto identity address). Do I need it
> when working with GETVPN with CA?
>
> Many thanks in advance
>
> Regards
> KY
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
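The pre-shared-key case discussed in this thread, as an added example that is not part of the original messages: when a router sends its hostname as the ISAKMP identity, the peer must key the pre-shared secret by that hostname and be able to map the name to an address, through DNS or a static `ip host` entry. The router names, domain, RFC 5737 addresses and key placeholder are constructed for illustration.

```cisco
! ---------- R1 (192.0.2.1): sends its hostname as the ISAKMP identity ----------
hostname R1
ip domain-name example.com
!
crypto isakmp policy 10
 authentication pre-share
!
! Identity becomes the FQDN built from hostname + domain name:
! R1.example.com (constructed name).
crypto isakmp identity hostname
!
! Key for R2, looked up by R2's address (R2 keeps the default identity).
crypto isakmp key <PSK-PLACEHOLDER> address 192.0.2.2
!
! ---------- R2 (192.0.2.2): must recognise R1 by hostname ----------
hostname R2
ip domain-name example.com
!
crypto isakmp policy 10
 authentication pre-share
!
! Without a DNS server that resolves R1.example.com, this static
! mapping is what lets R2 tie the hostname-based key to R1's address.
! Omitting it is the "no DNS resolution mappings" failure case.
ip host R1.example.com 192.0.2.1
!
! Key for R1, looked up by the hostname identity R1 sends.
crypto isakmp key <PSK-PLACEHOLDER> hostname R1.example.com
```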
