Hello all:

I am having problems configuring IPsec with ISAKMP with preshared keys
when I am using hostnames, that is, when the keys are linked to hostnames
rather than addresses.  Here is what I have observed:

* When I link the ISAKMP key to an address of the peer router, everything
works cool - the ISAKMP SA is built, the IPsec SA is built, and traffic goes
through fine.

* The routers can discover each other through hostnames just fine, because I
have set up the ip host lists to do so.  For example, router A can ping
router B using its hostname (b.office.com) because I have set up ip host
lists linked to the addresses of all routers.  So, when I'm sitting at
router A, I can type the command "ping b.office.com" and it works fine.

* Then I try to use ISAKMP, where the preshared keys are linked to
hostnames, not addresses.  For example, I got the commands "crypto isakmp
key myisakmpkey hostname a.office.com" and "crypto isakmp identity
hostname", just like what the documentation says to do.

But now, IPsec doesn't work.  Every time I invoke traffic that matches the
IPsec access-list, the ISAKMP SA is never built.  I do "debug crypto
isakmp", and I see the following error:


1w3d: ISAKMP: received ke message (1/1)
1w3d: ISAKMP: local port 500, remote port 500
1w3d: ISAKMP (0:1): No Cert or pre-shared address key.
1w3d: ISAKMP (0:1): Can not start Main mode
1w3d: ISAKMP: 10.1.1.253      not in host cache
1w3d: ISAKMP (0:1): Can not start aggressive mode.
1w3d: ISAKMP (0:1): purging SA.
1w3d: ISAKMP (0:1): purging node 1802417347



Then, when I change the ISAKMP key to link it back to an address, not a
hostname, everything's cool again.  So basically I conclude that the key is
not properly linking to the hostname (even though the hostname is linked to
the proper address via an ip host statement).

Has anybody else ever encountered this problem?  I have tried this on
12.2(T) and 12.1(T) with the same results.  Anybody find some kind of
workaround?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=19161&t=19161