FQDN based site to site IPSEC tunnels



  • Prior to this enhancement, the implementation supported only an IP address as the remote endpoint (peer-ip).
  • The implementation also mandated an IP address/network as the src-net.





For a scalable solution to deploy Site-to-Site tunnels from branch offices, the following enhancements were made moving from versions

  • Flexibility to configure an FQDN as the peer-ip.
  • Configuring the src-net within the crypto map as a VLAN.
  • Support for factory certificates for Site-to-Site allows customers to use TPM certificates and reduces the complexity of the certificate configuration process.


Note: The same enhancements are available for Site-to-Site configuration on the controller and are not limited to the BOC solution.


CLI configurations:


(config) #ip domain-name france.inditex.com

Operation may not take effect until a reboot


(config) #ip name-server

Operation may not take effect until a reboot


Note: Reboot the controller in order for the configuration to take effect


(config) #crypto-local ipsec-map toc3 100

(config-ipsec-map)#  version v2

(config-ipsec-map)#  set ikev2-policy 10006

(config-ipsec-map)#  peer-ip payment

(config-ipsec-map)#  vlan 1

(config-ipsec-map)#  src-net vlan 100

(config-ipsec-map)#  dst-net

(config-ipsec-map)#  set transform-set default-transform

(config-ipsec-map)#  pre-connect enable

(config-ipsec-map)#  factory-cert-auth

(config-ipsec-map)#  factory-cert-auth enable

(config-ipsec-map)#  trusted enable

(config-ipsec-map)#  uplink-failover disable

(config-ipsec-map)#  ip-compression disable

(config-ipsec-map)#  force-natt disable
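The CLI session above configures the peer by name and relies on the controller's DNS settings to resolve it. The following script is an added example, not code from the article or from Aruba: it parses a running-config excerpt in the same layout, records every ipsec-map block, and flags the consistency problems a reviewer would look for (an FQDN peer with no ip name-server, an unqualified peer name with no ip domain-name, a missing src-net/dst-net/transform-set, or an IKE version other than v2). The sample config is constructed for the example; the name-server and dst-net values are RFC 5737 placeholders, not values from the article. The effective_peer() helper assumes, as a normal DNS resolver does, that an unqualified peer name is completed with the configured ip domain-name; the article does not state this.

```python
import ipaddress
import re

# Constructed sample running-config modelled on the article's CLI session.
# The name-server address and dst-net are placeholders (RFC 5737 ranges),
# not values taken from the article.
SAMPLE_CONFIG = """\
ip domain-name france.inditex.com
ip name-server 192.0.2.53
crypto-local ipsec-map toc3 100
  version v2
  set ikev2-policy 10006
  peer-ip payment
  vlan 1
  src-net vlan 100
  dst-net 192.0.2.0 255.255.255.0
  set transform-set default-transform
  pre-connect enable
  factory-cert-auth enable
  trusted enable
  uplink-failover disable
  ip-compression disable
  force-natt disable
"""


def is_ip_literal(value):
    """True if value parses as an IPv4/IPv6 address, False for a hostname/FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_config(text):
    """Collect the global DNS settings and every crypto-local ipsec-map block.

    Returns {"domain_name": str|None, "name_servers": [...], "maps": {name: {...}}}.
    Map settings are stored keyword -> remaining arguments, so the line
    'src-net vlan 100' becomes {'src-net': 'vlan 100'} and a 'set X Y' line
    is stored under X.
    """
    cfg = {"domain_name": None, "name_servers": [], "maps": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto-local ipsec-map (\S+) (\d+)$", line)
        if m:
            current = {"priority": int(m.group(2)), "settings": {}}
            cfg["maps"][m.group(1)] = current
            continue
        if raw[:1].isspace() and current is not None:
            # Indented line belongs to the ipsec-map block that is open.
            key, _, args = line.partition(" ")
            if key == "set":
                key, _, args = args.partition(" ")
            current["settings"][key] = args
            continue
        current = None  # any unindented line closes the block
        if line.startswith("ip domain-name "):
            cfg["domain_name"] = line.split(None, 2)[2]
        elif line.startswith("ip name-server "):
            cfg["name_servers"].append(line.split(None, 2)[2])
    return cfg


def effective_peer(cfg, map_name):
    """Name the controller will try to resolve for peer-ip.

    Assumption (not stated in the article): an unqualified name is completed
    with the configured ip domain-name, as a standard resolver would do.
    """
    peer = cfg["maps"][map_name]["settings"].get("peer-ip", "")
    if is_ip_literal(peer) or "." in peer or not cfg["domain_name"]:
        return peer
    return f"{peer}.{cfg['domain_name']}"


def audit_map(cfg, map_name):
    """Return a list of findings for one ipsec-map; an empty list means it looks consistent."""
    s = cfg["maps"][map_name]["settings"]
    findings = []
    peer = s.get("peer-ip")
    if not peer:
        findings.append("peer-ip is not set")
    elif not is_ip_literal(peer):
        # An FQDN peer can only come up if the controller is able to resolve it.
        if not cfg["name_servers"]:
            findings.append(f"peer-ip '{peer}' is a name but no ip name-server is configured")
        if "." not in peer and not cfg["domain_name"]:
            findings.append(f"peer-ip '{peer}' is unqualified and no ip domain-name is configured")
    if s.get("version") != "v2":
        findings.append("IKE version is not v2")
    for required in ("src-net", "dst-net", "transform-set"):
        if not s.get(required):
            findings.append(f"{required} is missing")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("peer resolves as:", effective_peer(cfg, "toc3"))
    print("findings:", audit_map(cfg, "toc3") or "none")
```

Run it against a `show running-config` capture instead of SAMPLE_CONFIG to audit every map on a controller; remember that the article notes a reboot is needed before changed ip domain-name / ip name-server settings take effect, so the audit reflects the saved configuration, not necessarily the resolver state currently in use.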


UI Configuration:






#show crypto isakmp sa


ISAKMP SA Active Session Information


Initiator IP     Responder IP   Flags       Start Time      Private IP

------------     ------------   -----     ---------------   ----------
                                i-v2-c    Jul 16 14:30:25     -


Flags: i = Initiator; r = Responder

       m = Main Mode; a = Aggressive Mode; v2 = IKEv2

       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature

       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled

       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP

       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1


#show crypto ipsec sa


IPSEC SA (V2) Active Session Information


Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP

------------     ------------     ----------------   ----- ---------------   --------
                                  4b279b00/745c4100  T2    Jul 16 14:26:22     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap

       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2


Total IPSEC SAs: 1
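The two show commands above encode the session type in compact flag strings that are decoded with the legend printed under each table (i-v2-c: initiator, IKEv2, certificate authentication; T2: tunnel mode, IKEv2). The script below is an added example, not code from the article or from Aruba: it parses both table layouts, expands the flags using the legends exactly as printed in the article, and lists any ISAKMP session that does not carry the attributes the ipsec-map was configured for (IKEv2 with certificate authentication), which is how an operator would spot a peer that negotiated something other than the intended profile. The sample outputs are constructed for the example; the peer addresses are RFC 5737 documentation addresses and the second ISAKMP row is invented to exercise the check, while the SPI values and timestamps are those shown in the article.

```python
import re

# Flag legends as printed under the two tables in the article.
ISAKMP_FLAGS = {
    "i": "Initiator", "r": "Responder",
    "m": "Main Mode", "a": "Aggressive Mode", "v2": "IKEv2",
    "p": "Pre-shared key", "c": "Certificate/RSA Signature", "e": "ECDSA Signature",
    "x": "XAuth Enabled", "y": "Mode-Config Enabled", "E": "EAP Enabled",
    "3": "3rd party AP", "C": "Campus AP", "R": "RAP", "Ru": "Custom Certificate RAP",
    "I": "IAP", "V": "VIA", "S": "VIA over TCP",
}
IPSEC_FLAGS = {
    "T": "Tunnel Mode", "E": "Transport Mode", "U": "UDP Encap",
    "L": "L2TP Tunnel", "N": "Nortel Client", "C": "Client", "2": "IKEv2",
}

# Constructed sample outputs. Column layout follows the article; the peer
# addresses are RFC 5737 documentation addresses, and the second ISAKMP row
# is invented so that the profile check has something to report.
ISAKMP_OUTPUT = """\
ISAKMP SA Active Session Information

Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
192.0.2.10       198.51.100.1   i-v2-c    Jul 16 14:30:25     -
192.0.2.10       198.51.100.2   i-m-p     Jul 16 14:31:02     -

Flags: i = Initiator; r = Responder
Total ISAKMP SAs: 2
"""

IPSEC_OUTPUT = """\
IPSEC SA (V2) Active Session Information

Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
192.0.2.10       198.51.100.1     4b279b00/745c4100  T2    Jul 16 14:26:22     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
Total IPSEC SAs: 1
"""

# A data row is recognised by its "Mon DD HH:MM:SS" start time; header,
# separator, legend and total lines never contain one.
TIME = r"([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+" + TIME + r"\s+(\S+)$")
IPSEC_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([0-9a-f]+)/([0-9a-f]+)\s+(\S+)\s+" + TIME + r"\s+(\S+)$")


def decode_isakmp_flags(flags):
    """'i-v2-c' -> ['Initiator', 'IKEv2', 'Certificate/RSA Signature']; tokens are dash-separated."""
    return [ISAKMP_FLAGS.get(tok, f"?{tok}") for tok in flags.split("-")]


def decode_ipsec_flags(flags):
    """'T2' -> ['Tunnel Mode', 'IKEv2']; IPsec flags are concatenated single characters."""
    return [IPSEC_FLAGS.get(ch, f"?{ch}") for ch in flags]


def parse_isakmp_sa(text):
    """Return one dict per row of 'show crypto isakmp sa' output."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            init, resp, flags, start, private_ip = m.groups()
            sas.append({"initiator": init, "responder": resp, "flags": flags,
                        "attributes": decode_isakmp_flags(flags),
                        "start": start, "private_ip": private_ip})
    return sas


def parse_ipsec_sa(text):
    """Return one dict per row of 'show crypto ipsec sa' output."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line.strip())
        if m:
            init, resp, spi_in, spi_out, flags, start, inner_ip = m.groups()
            sas.append({"initiator": init, "responder": resp,
                        "spi_in": spi_in, "spi_out": spi_out, "flags": flags,
                        "attributes": decode_ipsec_flags(flags),
                        "start": start, "inner_ip": inner_ip})
    return sas


def off_profile(isakmp_sas, expected=("IKEv2", "Certificate/RSA Signature")):
    """ISAKMP sessions missing any expected attribute, e.g. a peer that ended up
    on IKEv1 or pre-shared-key authentication instead of the configured profile."""
    return [sa for sa in isakmp_sas if not set(expected) <= set(sa["attributes"])]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(ISAKMP_OUTPUT):
        print(sa["responder"], ", ".join(sa["attributes"]))
    for sa in off_profile(parse_isakmp_sa(ISAKMP_OUTPUT)):
        print("off profile:", sa["responder"], sa["flags"])
```

Feed the script the captured output of both show commands; because rows are matched on the start-time column, it copes with the column drift that occurs when IP addresses of different lengths are printed.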



#show crypto-local ipsec-map | begin toc3

Crypto Map Template "toc3" 100

         IKE Version: 2

         IKEv2 Policy: DEFAULT

         Security association lifetime seconds : [300 -86400]

         Security association lifetime kilobytes: N/A

         PFS (Y/N): N

         Transform sets={ default-transform }

         Peer gateway: payment

         Interface: VLAN 1

         Source network: vlan 100

         Destination network:

         Pre-Connect (Y/N): Y

         Tunnel Trusted (Y/N): Y

         Forced NAT-T (Y/N): N

         Uplink Failover (Y/N): N

         IP Compression (Y/N): N

         Factory Certificate


Version history
Revision #: 2 of 2
Last update: 05-30-2016 02:42 PM