FQDN based site to site IPSEC tunnels

By esupport posted Mar 07, 2016 05:33 PM


Customers need a scalable way to deploy Site-to-Site tunnels with the branch office controller (BOC) solution. The prior code implementation only supported an IP address as the remote endpoint and mandated an IP address as the src-net.

Starting from we have the flexibility of configuring an FQDN as the peer-ip. This lets the same FQDN be configured across different branches, where it may resolve to a different IP address based on each branch's local DNS settings.

Configuring src-net within the crypto map as a VLAN: in the BOC solution, IP addresses are carved out when the branch talks to the master, so the addresses are not known beforehand.

This feature allows a VLAN to be configured as the source network. When the configuration is pushed to the branch, the IP address range carved out for that VLAN in that branch is used during IKE negotiation. The same source-network configuration can therefore be pushed to all branches, and each branch negotiates a different source network based on the IP pool carved out for that VLAN at that branch.

Support for factory certs for Site-to-Site allows customers to use TPM certs and reduces the complexity of the certificate configuration process.


Config CLI:

ip domain-name france.inditex.com
ip name-server
crypto-local ipsec-map toc3 100
  version v2
  set ikev2-policy 10006
  peer-ip payment
  vlan 1
  src-net vlan 100
  set transform-set "default-transform"
  pre-connect enable
  factory-cert-auth enable
  trusted enable
  uplink-failover disable
  ip-compression disable
  force-natt disable

(C1) #show crypto isakmp sa

ISAKMP SA Active Session Information

Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
                                i-v2-c    Jul 16 14:30:25     -

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode; v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1


(C1) #show crypto ipsec sa

IPSEC SA (V2) Active Session Information

Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
                                  4b279b00/745c4100  T2    Jul 16 14:26:22     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1


(C1) #show crypto-local ipsec-map | begin toc3

Crypto Map Template"toc3" 100
         IKE Version: 2
         IKEv2 Policy: DEFAULT
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-transform }
         Peer gateway: payment
         Interface: VLAN 1
         Source network: vlan 100
         Destination network:
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N
         Uplink Failover (Y/N): N
         IP Compression (Y/N): N
         Factory Certificate
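Added Python example (not Aruba's code or this post's) that parses a `show crypto-local ipsec-map` dump in the layout shown above and flags the settings that would stop one template from being pushed unchanged to every branch. The sample dump is constructed, and treating the bare trailing "Factory Certificate" line as a presence flag is an assumption.

```python
import ipaddress
import re

# Constructed sample in the "show crypto-local ipsec-map" layout shown above.
# Assumption: the bare trailing "Factory Certificate" line means factory-cert-auth is on.
SAMPLE_MAP = """\
Crypto Map Template"toc3" 100
         IKE Version: 2
         Transform sets={ default-transform }
         Peer gateway: payment
         Source network: vlan 100
         Destination network:
         Pre-Connect (Y/N): Y
         Factory Certificate
"""
HEADER = re.compile(r'Crypto Map Template\s*"([^"]+)"\s+(\d+)')
FIELD = re.compile(r"^(.+?)\s*[:=]\s*(.*)$")

def parse_ipsec_map(text):
    """Return (name, priority, fields) for one crypto map template dump."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name, prio = HEADER.match(lines[0]).groups()
    fields = {}
    for line in lines[1:]:
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip("{} ")  # "{ x }" -> "x"
        else:
            fields[line] = "Y"  # bare lines are recorded as presence flags
    return name, int(prio), fields

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_branch_template(fields):
    """Settings that would stop this map being pushed unchanged to every branch."""
    issues = []
    peer = fields.get("Peer gateway", "")
    if not peer or is_ip_literal(peer):
        issues.append("peer gateway is not an FQDN, so it cannot resolve per branch")
    if not fields.get("Source network", "").lower().startswith("vlan "):
        issues.append("source network is a fixed prefix, not a VLAN pool")
    if fields.get("Factory Certificate") != "Y":
        issues.append("factory (TPM) certificate auth not enabled")
    return issues
```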