IPSEC problem with pre-share/hostname

I've been trying to create a more streamlined configuration for a 2851 I'm using to establish IPSEC tunnels with a remote site that moves around.

As part of this I wanted to change the allocation of pre-shared keys from using addresses to hostnames. To this end, I started by defining a hostname entry:

ip host remote-host

I then issued the following commands:

no crypto isakmp key dunkin address crypto isakmp key dunkin hostname remote-host

After doing this, the IPSEC tunnel stopped working until I carried out the following:

no crypto isakmp key dunkin hostname remote-host crypto isakmp key dunkin address

It appears as though the option of defining a pre-shared key for a hostname entry either doesn't work, or I've misunderstood what it does. I can obviously workaround this, but it stops my 'automated' IP change script from working.

If anyone has any experience here, I'd appreciate comments...

Cheers, Chris

Reply to
Loading thread data ...

Reply to

Hi Brad,

Thanks for that. I did some more searching and eventually found a Cisco document that suggested the following commands should work:

On Central:

crypto identity hostname crypto isakmp key keystring hostname remote.company.com ip host remote.company.com

On Remote:

crypto identity hostname crypto isakmp key keystring hostname central.company.com ip host central.company.com

I tried this, but still saw debug messages on the central router saying 'no pre-shared key found for'.

After even more searching, I found the following statement in another Cisco doc:

"Preshared keys no longer work when hostname is sent as the identity; thus, hostname as the identity in preshared key authentication is no longer supported. According to the way preshared key authentication is designed in IKE main mode, the preshared keys must be based on the IP address of the peers. Although a user can still send the hostname as identity in preshared key authentication, the key is searched on the IP address of the peer; if the key is not found (based on the IP address), the negotiation will fail."

So in short, I can't do it...

Cheers again, Chris

Reply to


Never used it or studied it seriously.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.