Well, the identity is not working because the message exchange in main mode
does not exchange the names before the 5th message, and it exchanges the PSK in
the 4th message, making the tunnel utilize the peer instead of the name, so
the VPN will not come up with the name. The only way this will work with main
mode is using certificates; with PSK there's this limitation. If you use
aggressive mode it will come up because the message exchange works differently
and the PSK is exchanged after the name.
Hope it helps.
BR,
--
Bruno Silva
Sent from iPhone
On Fri, Mar 8, 2013 at 12:25 AM, sofiene f <[email protected]> wrote:
> Hi guys,
> I have 2 questions for IOS VPN site to site using DVTI in the head office to
> SVTI in the remote office with "identity hostname".
> You will find the configuration below, but it doesn't work.
> router 1: HEAD OFFICE
> /*********************************************************************
> crypto keyring key-VPN
>   pre-shared-key hostname router_b.domain.com key test1234
> crypto isakmp profile Profile-VPN
>   keyring key-VPN
>   match identity host router_b.domain.com
>   virtual-template 6
> crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
> crypto ipsec profile IPSEC_3DES_SHA-HMAC
>   set security-association lifetime seconds 28800
>   set transform-set TRANSFORM
> interface Virtual-Template6 type tunnel
>   ip vrf forwarding VRF_A
>   ip unnumbered Loopback0
>   ip virtual-reassembly in
>   tunnel source GigabitEthernet0/0
>   tunnel mode ipsec ipv4
>   tunnel protection ipsec profile IPSEC_3DES_SHA-HMAC
> interface GigabitEthernet0/0
>   ip address 1.1.1.1 255.255.255.240
>   duplex auto
>   speed auto
> end
> interface Loopback0
>   ip vrf forwarding VRF_A
>   ip address 192.168.1.1 255.255.255.248
> end
> ********************************************************************/
> router 2: BRANCH
> /********************************************************************
> interface Tunnel0
>   ip address 192.168.1.2 255.255.255.248
>   tunnel source 2.2.2.2
>   tunnel mode ipsec ipv4
>   tunnel destination 1.1.1.1
>   tunnel protection ipsec profile IPSEC_3DES_SHA-HMAC
> crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
> crypto ipsec profile IPSEC_3DES_SHA-HMAC
>   set security-association lifetime seconds 28800
>   set transform-set TRANSFORM
> crypto isakmp key test1234 address 1.1.1.1
> crypto isakmp identity hostname
> ip host router_b 2.2.2.2
> *********************************************************************/
> Question 1:
> Do I need to configure aggressive mode in the head office because I use:
> match identity host router_b.domain.com
> PS: I know on the ASA we must configure it with aggressive mode to work fine.
> Question 2:
> What's missing in my configuration for the "identity hostname", because
> it's not working?
> Thanks!!!!
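To make the main mode versus aggressive mode point from the reply concrete, here is a toy Python model of the two IKEv1 phase 1 exchanges, written for this thread and not taken from the original email or from Cisco. It deliberately simplifies real IKE (the PRF inputs, the encryption of messages 5 and 6 and the ID payload encoding are all stand-ins), and it uses the addresses, hostname and key from the quoted configuration as constructed sample values. The pre-shared key itself is never sent in either mode; the constraint the model shows is one of ordering: in main mode the responder must derive SKEYID from the PSK after message 4 so it can decrypt message 5, which is the first message that carries the initiator's ID, so the only selector it has for the PSK lookup is the peer's IP address. In aggressive mode the ID payload is in message 1, so a hostname-keyed entry can be chosen before any key derivation.

```python
"""Toy model of IKEv1 phase 1 PSK selection in main mode vs aggressive mode.
Simplified for illustration: not a real IKE implementation."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

HASH_LEN = 20  # SHA-1 digest length used by the toy prf


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF standing in for IKE's prf(SKEYID, ...)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with a hash-derived keystream; symmetric stand-in for the ISAKMP SA cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Keyring:
    # "crypto isakmp key <key> address <ip>" style entries, selected by peer IP
    by_address: dict = field(default_factory=dict)
    # "pre-shared-key hostname <fqdn> key <key>" entries, selected by the ID payload
    by_hostname: dict = field(default_factory=dict)


@dataclass
class Peer:
    address: str
    identity: str  # value sent in the ID payload (address or hostname)
    keyring: Keyring


def main_mode(init: Peer, resp: Peer) -> str:
    """Six-message main mode; IDs travel encrypted in messages 5 and 6."""
    ni, nr = os.urandom(16), os.urandom(16)
    # Messages 1-4: SA proposal, KE and nonces. No ID payload has been seen yet,
    # but to decrypt message 5 the responder must compute SKEYID = prf(psk, Ni|Nr),
    # so the only selector available for the PSK lookup is the peer's IP address.
    r_psk = resp.keyring.by_address.get(init.address)
    if r_psk is None:
        return "main mode: responder has no PSK keyed by peer address before the ID arrives"
    i_psk = init.keyring.by_address.get(resp.address)
    if i_psk is None:
        return "main mode: initiator has no PSK keyed by responder address"
    skeyid_i, skeyid_r = prf(i_psk, ni + nr), prf(r_psk, ni + nr)
    # Message 5: HDR*, IDii, HASH_I (encrypted under the initiator's SKEYID)
    id_i = init.identity.encode()
    msg5 = toy_encrypt(skeyid_i, id_i + prf(skeyid_i, ni + nr + id_i))
    # Responder decrypts with its own SKEYID; a PSK mismatch surfaces here as a bad HASH_I
    plain = toy_encrypt(skeyid_r, msg5)
    recv_id, recv_hash = plain[:-HASH_LEN], plain[-HASH_LEN:]
    if not hmac.compare_digest(recv_hash, prf(skeyid_r, ni + nr + recv_id)):
        return "main mode: HASH_I mismatch (pre-shared keys differ)"
    # Only now can the responder match the identity against its ISAKMP profile
    return f"main mode: phase 1 established, peer identity {recv_id.decode()}"


def aggressive_mode(init: Peer, resp: Peer) -> str:
    """Three-message aggressive mode; IDii is in the clear in message 1."""
    ni = os.urandom(16)
    id_i = init.identity.encode()
    # Message 1: HDR, SA, KE, Ni, IDii. The responder learns the identity first,
    # so a hostname-keyed PSK can be selected before any key derivation.
    r_psk = resp.keyring.by_hostname.get(init.identity) or resp.keyring.by_address.get(init.address)
    if r_psk is None:
        return "aggressive mode: no PSK for identity or address"
    i_psk = init.keyring.by_address.get(resp.address)
    if i_psk is None:
        return "aggressive mode: initiator has no PSK keyed by responder address"
    nr = os.urandom(16)
    skeyid_i, skeyid_r = prf(i_psk, ni + nr), prf(r_psk, ni + nr)
    # Message 2: HDR, SA, KE, Nr, IDir, HASH_R (in the clear); initiator checks HASH_R
    id_r = resp.identity.encode()
    hash_r = prf(skeyid_r, nr + ni + id_r)
    if not hmac.compare_digest(hash_r, prf(skeyid_i, nr + ni + id_r)):
        return "aggressive mode: HASH_R mismatch (pre-shared keys differ)"
    # Message 3: HDR*, HASH_I; responder verifies the initiator
    hash_i = prf(skeyid_i, ni + nr + id_i)
    if not hmac.compare_digest(hash_i, prf(skeyid_r, ni + nr + id_i)):
        return "aggressive mode: HASH_I mismatch"
    return f"aggressive mode: phase 1 established, peer identity {init.identity}"


def run_scenario(mode, head_keyring: Keyring) -> str:
    """Branch (2.2.2.2, identity hostname) initiates to head office (1.1.1.1)."""
    head = Peer("1.1.1.1", "1.1.1.1", head_keyring)
    branch = Peer("2.2.2.2", "router_b.domain.com",
                  Keyring(by_address={"1.1.1.1": b"test1234"}))
    return mode(branch, head)


# Constructed keyrings mirroring the two ways the head office could be keyed
HOSTNAME_KEYRING = Keyring(by_hostname={"router_b.domain.com": b"test1234"})
ADDRESS_KEYRING = Keyring(by_address={"2.2.2.2": b"test1234"})

if __name__ == "__main__":
    print(run_scenario(main_mode, HOSTNAME_KEYRING))
    print(run_scenario(aggressive_mode, HOSTNAME_KEYRING))
    print(run_scenario(main_mode, ADDRESS_KEYRING))
```

Running it shows the hostname-keyed head office failing in main mode before the ID is ever seen, the same keyring succeeding in aggressive mode, and main mode succeeding once the head office keys the PSK by the branch's address instead; the cost of the aggressive mode workaround, as the model makes visible, is that the identity and HASH_R travel unencrypted in the first two messages.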
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com