Thanks Bruno for the response. To recapitulate: if I choose the second option (using aggressive mode), I have to do the following configuration for it to work properly?

head office:
/**************************************************************
crypto isakmp profile Profile-VPN
 keyring key-VPN
 match identity host router_b.domain.com
 virtual-template 6
 *initiate mode aggressive*
crypto keyring key-VPN
 pre-shared-key hostname router_b.domain.com key test1234
**************************************************************/

remote router:
/*******************************************************
crypto isakmp identity hostname
ip host router_b 2.2.2.2
domain name domain.com
********************************************************/

thanks,
Sofiene

On Thu, Mar 7, 2013 at 10:29 PM, Bruno Silva <[email protected]> wrote:
> Well, the identity is not working because the message exchange in the main
> mode does not exchange the names before the 5th message, and it exchanges
> the psk in the 4th message, making the tunnel utilize the peer instead of
> the name, so the vpn will not come up with the name. The only way this
> will work with main mode is using certificates; with psk there's this
> limitation. If you use aggressive mode it will come up because the message
> exchange works differently and the psk is exchanged after the name.
>
> Hope it helps.
>
> BR,
> --
> Bruno Silva
> Sent from iPhone
>
> On Fri, Mar 8, 2013 at 12:25 AM, sofiene f <[email protected]> wrote:
>
>> hi Guys,
>>
>> I have 2 questions for IOS vpn site to site using DVTI in Head office
>> to SVTI in remote office with "identity hostname".
>>
>> You will find the configuration below, but it doesn't work.
>>
>> router 1: HEAD OFFICE
>>
>> /*********************************************************************
>>
>> crypto keyring key-VPN
>>  pre-shared-key hostname router_b.domain.com key test1234
>>
>> crypto isakmp profile Profile-VPN
>>  keyring key-VPN
>>  match identity host router_b.domain.com
>>  virtual-template 6
>>
>> crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
>>
>> crypto ipsec profile IPSEC_3DES_SHA-HMAC
>>  set security-association lifetime seconds 28800
>>  set transform-set TRANSFORM
>>
>> interface Virtual-Template6 type tunnel
>>  ip vrf forwarding VRF_A
>>  ip unnumbered Loopback0
>>  ip virtual-reassembly in
>>  tunnel source GigabitEthernet0/0
>>  tunnel mode ipsec ipv4
>>  tunnel protection ipsec profile IPSEC_3DES_SHA-HMAC
>>
>> interface GigabitEthernet0/0
>>  ip address 1.1.1.1 255.255.255.240
>>  duplex auto
>>  speed auto
>> end
>>
>> interface Loopback0
>>  ip vrf forwarding VRF_A
>>  ip address 192.168.1.1 255.255.255.248
>> end
>>
>> ********************************************************************/
>>
>> router 2: BRANCH
>>
>> /********************************************************************
>>
>> interface Tunnel0
>>  ip address 192.168.1.2 255.255.255.248
>>  tunnel source 2.2.2.2
>>  tunnel mode ipsec ipv4
>>  tunnel destination 1.1.1.1
>>  tunnel protection ipsec profile IPSEC_3DES_SHA-HMAC
>>
>> crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
>>
>> crypto ipsec profile IPSEC_3DES_SHA-HMAC
>>  set security-association lifetime seconds 28800
>>  set transform-set TRANSFORM
>>
>> crypto isakmp key test1234 address 1.1.1.1
>>
>> crypto isakmp identity hostname
>>
>> ip host router_b 2.2.2.2
>>
>> *********************************************************************/
>>
>> Question 1:
>>
>> Do I need to configure aggressive mode in the Head office because I use:
>>
>> match identity host router_b.domain.com
>>
>> PS: I know that on the ASA we must configure it with aggressive mode to
>> work fine.
>>
>> Question 2:
>>
>> What's missing in my configuration for the "identity hostname", because
>> it's not working?
>>
>> thanks!!!!
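
Added example, not part of the thread and not Cisco's implementation: a small Python model of the responder's pre-shared-key selection in IKEv1 phase 1 as defined in RFC 2409, showing why a hostname-only keyring entry cannot be matched in main mode but can in aggressive mode. The names `KEYRING`, `responder_select_psk` and `phase1`, the nonces, and the choice of HMAC-SHA1 as the prf are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed head-office keyring: the only entry is keyed by hostname, like
# "pre-shared-key hostname router_b.domain.com key test1234" in the thread.
KEYRING = {("hostname", "router_b.domain.com"): b"test1234"}


def lookup_psk(id_type, id_value):
    """Return the PSK for an identity, or None if the keyring has no match."""
    return KEYRING.get((id_type, id_value))


def skeyid(psk, ni, nr):
    """RFC 2409, pre-shared key auth: SKEYID = prf(psk, Ni_b | Nr_b).
    HMAC-SHA1 as the prf is an assumption (no ISAKMP policy is shown)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_select_psk(mode, peer_ip, ike_id):
    """Model which selector the responder has when it must pick the PSK.

    main:       the ID payload arrives in message 5, encrypted under keys
                derived from SKEYID, so only the peer's source IP is known.
    aggressive: the ID payload arrives in message 1, unencrypted, so the
                keyring can be searched by the hostname the peer sent.
    """
    if mode == "main":
        return lookup_psk("address", peer_ip)
    if mode == "aggressive":
        return lookup_psk("hostname", ike_id)
    raise ValueError("unknown IKEv1 phase 1 mode: %r" % mode)


def phase1(mode, peer_ip, ike_id, ni, nr):
    """Return SKEYID if the responder can select a key, else None."""
    psk = responder_select_psk(mode, peer_ip, ike_id)
    return None if psk is None else skeyid(psk, ni, nr)


if __name__ == "__main__":
    ni, nr = b"\x01" * 16, b"\x02" * 16  # constructed nonces
    for mode in ("main", "aggressive"):
        key = phase1(mode, "2.2.2.2", "router_b.domain.com", ni, nr)
        print(mode, "->", key.hex() if key else "no matching pre-shared key")
```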
