17 Replies. Latest reply: Feb 4, 2019 8:36 PM by Deepak Kumar

    Cisco router IPSec VPN Local and remote ID type

    Deepak Kumar

      Hi All,

      I am stuck in a lab. My IPSec site-to-site VPN is working fine, but I want to set up the local and remote ID types in IKEv1. Please guide me with the commands to set up the remote and local ID type. This would be the same as the Fortigate or Sophos Phase 1 ID.

      Regards,

      Deepak Kumar

        • 1. Re: Cisco router IPSec VPN Local and remote ID type
          Juergen Ilse CCNA R&S

          You may try "crypto isakmp hostname". You can set it to either "address" (ip address), "dn" (distinguished name from certificate if you use a certificate for authentication) or "hostname". The default is "dn" if a certificate is used for authentication and "ip address" if pre-shared-key is used.

          • 2. Re: Cisco router IPSec VPN Local and remote ID type
            Deepak Kumar

            Hi,

            How will I define remote ID?

            Regards,

            Deepak Kumar

            • 3. Re: Cisco router IPSec VPN Local and remote ID type
              Marvin

              Deepak,

              You cannot change the remote ID to be anything other than the remote peer IP address (for PSK-based site-site VPN) or dn (for certificate-based authentication).

              • 4. Re: Cisco router IPSec VPN Local and remote ID type
                Juergen Ilse CCNA R&S

                Deepak Kumar wrote:

                How will I define remote ID?

                With "crypto isakmp identity hostname" and setting the hostname to the needed isakmp identity string.

                • 5. Re: Cisco router IPSec VPN Local and remote ID type
                  Juergen Ilse CCNA R&S

                  Marvin wrote:

                  Deepak,

                  You cannot change the remote ID to be anything other than the remote peer IP address (for PSK-based site-site VPN) or dn (for certificate-based authentication).

                  I beg to differ. There are 3 possibilities for "crypto isakmp identity": "address", "dn" and "hostname".

                  • 6. Re: Cisco router IPSec VPN Local and remote ID type
                    Deepak Kumar

                    Hi,

                    I don't want to change the Remote ID but my remote end device Sophos will want to see this device ID.

                    Regards,
                    Deepak Kumar

                    • 7. Re: Cisco router IPSec VPN Local and remote ID type
                      Marvin

                      @juergen,

                      You can enter the different values in the cli but the hostname identified in "show crypto isakmp sa" will still be the IP address. It picks it up from the "tunnel-group" command on the local end. If we try to use something other than the IP address for the remote peer, we get the following error:

                      [WARNING] tunnel-group test.ccielab.com type ipsec-l2l
                      For IKEv1, L2L tunnel-groups that have names which are not an IP
                      address may only be used if the tunnel authentication
                      method is Digital Certificates and/or The peer is
                      configured to use Aggressive Mode

                      • 8. Re: Cisco router IPSec VPN Local and remote ID type
                        Juergen Ilse CCNA R&S

                        Marvin wrote:

                        @juergen,

                        You can enter the different values in the cli but the hostname identified in "show crypto isakmp sa" will still be the IP address. It picks it up from the "tunnel-group" command on the local end. If we try to use something other than the IP address for the remote peer, we get the following error:

                        [WARNING] tunnel-group test.ccielab.com type ipsec-l2l
                        For IKEv1, L2L tunnel-groups that have names which are not an IP
                        address may only be used if the tunnel authentication
                        method is Digital Certificates and/or The peer is
                        configured to use Aggressive Mode

                        Look at the marked part of the text. So it seems to be possible (but for IKEv1, in addition to "crypto isakmp identity hostname" it also requires aggressive mode, which is not recommended but possible if you don't use certificates). I would suggest using IKEv2 when using a hostname as the tunnel-group identifier, but it seems also to be possible with IKEv1 if you use aggressive mode.

                        • 9. Re: Cisco router IPSec VPN Local and remote ID type
                          Jon Major CCIE# 47884

                          Deepak Kumar wrote:

                          Hi All,

                          I am stuck in a lab. My IPSec site to site VPN is working fine but I want to set up Local and Remote ID types in the IKEV1. Please guide me with commands to setup remote and local ID type. This will be same like as Fortigate or Sophos Phase 1 ID.

                          Regards,

                          Deepak Kumar

                          Deepak,

                          There's a lot of great discussion here, but I'm curious: if the VPN is working fine, why do you want to change the local and remote IDs?

                          • 10. Re: Cisco router IPSec VPN Local and remote ID type
                            Juergen Ilse CCNA R&S

                            Jon Major CCIE# 47884 wrote:

                            Deepak,

                            There's a lot of great discussion here, but I'm curious: if the VPN is working fine, why do you want to change the local and remote IDs?

                            I don't know his reason, but one possible reason may be a tunnel endpoint with a dynamic IP address and the need to have more than one tunnel on the other side of the tunnel, all with different pre-shared keys. I use such a setup between my ASA at home and an ASA in the company with an IKEv2-based dual-stack IPsec tunnel. This setup allows me to use public networks from my company (an ISP) for the networks at home (IPv4 and IPv6), even if my internet connection is via another ISP.

                            • 11. Re: Cisco router IPSec VPN Local and remote ID type
                              Deepak Kumar

                              Hi,

                              Because I have multiple remote sites which are on dynamic IPs, and the main site has more than 50 tunnels. So sometimes the VPN gets stuck and gives me "proposal not found". So I need to clear the issue with some tricks, such as making the policy that is causing the issue inactive and enabling it again at the end.

                              Regards,

                              Deepak Kumar

                              • 12. Re: Cisco router IPSec VPN Local and remote ID type
                                Jon Major CCIE# 47884

                                Deepak Kumar wrote:

                                Hi,

                                Because I have multiple remote sites which are on dynamic IPs, and the main site has more than 50 tunnels. So sometimes the VPN gets stuck and gives me "proposal not found". So I need to clear the issue with some tricks, such as making the policy that is causing the issue inactive and enabling it again at the end.

                                Regards,

                                Deepak Kumar

                                Deepak,

                                Well, first off, this is a perfect use case for either DMVPN or FlexVPN. I know "Hey, use different hardware" isn't a solution though, just putting that out there. Any reason you can't use the DefaultL2L tunnel-group? That's honestly the easiest way to handle dynamic L2L VPNs on an ASA. There is a solution revolving around using named tunnel-groups and setting the key-ID on the dynamic peers with "crypto isakmp identity key-id [Tunnel-Group name on ASA Hub side]". Ref link below. The latter sounds the most like what you're trying to do.

                                https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.…

                                HTH,

                                Jon Major
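To make the named-tunnel-group / key-ID approach described in the reply above concrete, here is a constructed ASA hub and spoke configuration (an added example, not taken from the linked Cisco document or from any poster): the spoke has a dynamic address, so it identifies itself with `crypto isakmp identity key-id` and initiates in aggressive mode, and the hub matches that ID to a tunnel-group of the same name to select the pre-shared key. The addresses, names, subnets and the key are placeholders.

```cisco
! ---- HUB ASA (static public address 203.0.113.1, constructed) ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
! Named tunnel-group: the name is exactly what the spoke sends as its IKE ID.
! A non-IP name is accepted for IKEv1 only because the spoke uses
! aggressive mode (see the [WARNING] quoted earlier in the thread).
tunnel-group SPOKE1 type ipsec-l2l
tunnel-group SPOKE1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SPOKE1-KEY
! Dynamic crypto map: the spoke's address is unknown, so there is no "set peer".
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside

! ---- SPOKE ASA (dynamic address, constructed) ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
! Send ID_KEY_ID "SPOKE1" instead of the (changing) IP address; the hub
! uses it to pick the tunnel-group and therefore the pre-shared key.
crypto isakmp identity key-id SPOKE1
access-list VPN-TO-HUB extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES
! Aggressive mode carries the ID in the first exchange, which is what
! lets the hub look up a PSK by name rather than by source address.
crypto map OUTSIDE-MAP 10 set phase1-mode aggressive
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-SPOKE1-KEY
```

Because aggressive mode exposes the PSK-derived hash in the clear, give every spoke its own long random key, and where both ends support it prefer IKEv2, which accepts per-peer identities without that trade-off (as noted elsewhere in this thread).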

                                • 13. Re: Cisco router IPSec VPN Local and remote ID type
                                  Juergen Ilse CCNA R&S

                                  Well, first off, this is a perfect use case for either DMVPN or FlexVPN. I know "Hey, use different hardware" isn't a solution though, just putting that out there.

                                  ASA, for example, does not support DMVPN (as far as I know it doesn't even support GRE over IPsec, which is the base of DMVPN). But I thought Deepak wasn't using an ASA but an IOS router, where the configuration of an IPsec VPN is different from what you do on an ASA ...

                                  For Cisco ASA, I wrote an article on IPsec VPN with pre-shared-key authentication: IPSEC-with-Cisco-ASA.pdf

                                  This does also explain the possibilities for IPSEC VPN with ASA and one end with dynamic ip address.

                                  Any reason you can't use the DefaultL2L tunnel-group? That's honestly the easiest way to handle dynamic L2L VPNs on an ASA. There is a solution revolving around using named tunnel-groups and setting the key-ID on the dynamic peers with "crypto isakmp identity key-id [Tunnel-Group name on ASA Hub side]". Ref link below. The latter sounds the most like what you're trying to do.

                                  https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.…

                                  With ASA, you may also use the NEM feature for IPsec remote-access connections (there is also an example in my above-mentioned document). If you want to set up an IPsec tunnel which also transports IPv6, I think you have to go to IKEv2, and with IKEv2 you may use different "crypto isakmp identities" on both sides (when I tried that with IKEv1, I was not successful).

                                  • 14. Re: Cisco router IPSec VPN Local and remote ID type
                                    Jon Major CCIE# 47884

                                    Juergen Ilse CCNA R&S wrote:

                                    ASA, for example, does not support DMVPN (as far as I know it doesn't even support GRE over IPsec, which is the base of DMVPN). But I thought Deepak wasn't using an ASA but an IOS router, where the configuration of an IPsec VPN is different from what you do on an ASA ...

                                    For Cisco ASA, I wrote an article on IPsec VPN with pre-shared-key authentication: IPSEC-with-Cisco-ASA.pdf

                                    This does also explain the possibilities for IPSEC VPN with ASA and one end with dynamic ip address.

                                    Juergen,

                                    Correct, ASA doesn't support DMVPN, hence why I mentioned using different hardware. As for GRE over IPsec, you do have the option to use a tunnel interface in the form of a VTI in 9.7+ code. It's point-to-point only at this time. My point in bringing up Flex and DMVPN was that those solutions are tailor-made for this type of scenario; they're just not available on the ASA. I've used the hardware EZConnect client in the past too, not a bad solution. Good info on the dual-stack capabilities available in IKEv2, but I don't think Deepak is concerned with that.
