I'm trying to work with another party to set up a site-to-site IPsec VPN between us and them. We are behind NAT, so we need their Cisco (ASA 5510 on IOS 9.1.7) to match on our IKE id (key-id in Cisco parlance). The problem is that the other party has said they can only enable key-id on a global level, not on a tunnel level, so they aren't able to do so because it would impact other VPNs.
Is this correct: is key-id matching an all-or-nothing thing? If enabled, is it used for all tunnels, not just the ones that require it? The only literature I've found on it is from Cisco itself and does seem to imply a global scope, but I'm not an expert in Cisco config, hence this question.
To change the peer identification method, enter the following command:
crypto isakmp identity {address | hostname | key-id id-string | auto}
Are there any other alternatives to get an IPsec tunnel correctly matching when we are NAT'd? We are restricted to IPsec and IKEv1 using PSK. Certificates aren't an option unfortunately.
In the documentation you provided it states the following:
Rather than authenticating with the Key ID, I would use Pre-Shared-Keys. Replace x.x.x.x with your globally known IP. z.z.z.z would be their globally known address.
The remote ASA Code would look something like this:
If you have a Cisco IOS Router, your code may look something like this:
"key 0" or "pre-shared-key 0" denotes that the following PSK is unencrypted. It is not a unique value that must be the same on both sides of the tunnel.
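As an added illustration of the answer above (this is my own example config, not the answerer's missing listing and not taken from Cisco documentation), here is how the other party's ASA could key the IKEv1 tunnel on the post-NAT public address rather than on a key-id. It assumes x.x.x.x is the NAT'd party's globally known address and z.z.z.z the ASA's own outside address, as in the answer; the subnets 10.1.0.0/16 and 10.2.0.0/16, the object and policy names, the cipher choices and the PSK placeholder are all assumptions for the example.

```cisco
! Global identity setting stays at its default (auto): with a PSK the ASA
! identifies itself by address, so no global key-id change is needed and
! other tunnels on this box are unaffected.
crypto isakmp identity auto
! NAT-T lets ESP survive the address translation in front of the peer.
crypto isakmp nat-traversal 20
!
! Phase 1 (IKEv1) policy; pick the strongest options both sides support.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2 transform set.
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Assumed local and remote subnets (example values).
object network LOCAL-NET
 subnet 10.2.0.0 255.255.0.0
object network PARTNER-NET
 subnet 10.1.0.0 255.255.0.0
!
! Interesting traffic for the tunnel.
access-list VPN-TO-PARTNER extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
!
! Exempt VPN traffic from this ASA's own NAT so it is not rewritten before encryption.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static PARTNER-NET PARTNER-NET no-proxy-arp route-lookup
!
! Crypto map entry: the peer is the partner's public (post-NAT) address x.x.x.x.
crypto map OUTSIDE_MAP 10 match address VPN-TO-PARTNER
crypto map OUTSIDE_MAP 10 set peer x.x.x.x
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! The tunnel-group is named after the address this ASA actually sees on the wire,
! i.e. the partner's public NAT address, so the PSK is scoped to that one peer.
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-UNIQUE-PSK>
```

The point to verify with the other party is that their PSK and tunnel-group are bound to the public address your traffic leaves from, which only works if that address is static; the same PSK must then be configured on your side with z.z.z.z as the peer. Check with "show crypto ikev1 sa" and "show crypto ipsec sa" that the SA is established against x.x.x.x rather than a private address.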