How to determine the correct value to put in the PAN IKE peer KEYID field?
When configuring a Cisco ASA key-id field, how do you determine the correct value to put in the PAN IKE peer KEYID field?
The Cisco ASA accepts any ASCII string as the key-id. This ASCII string must be converted to hexadecimal before it is entered in the PAN's dynamic IKE peer KEYID field.
- Cisco ASA isakmp key-id: foobar
- PAN dynamic peer KEYID: 666f6f626172
Capture the traffic from the dynamic peer as it arrives at the PAN (debug ike pcap on; debug ike pcap off; scp export debug-pcap from ikemgr.pcap) and examine it in Wireshark. The first IKE packet from the dynamic peer lists the key ID in both hex and ASCII.
Hex to ASCII converter tool:
SonicWall, Juniper and NetScreen use ASCII for the key ID as well.
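The conversion and the packet check described above can also be scripted. This is an added example, not code from the original article or from either vendor. It assumes the input is the raw ISAKMP message (the UDP payload of the peer's first IKEv1 packet) and that the ID payload is sent unencrypted; the function names and the sample packet are constructed for illustration.

```python
import struct

ID_PAYLOAD = 5   # ISAKMP Identification payload type (RFC 2408)
ID_KEY_ID = 11   # ID_KEY_ID identification type (RFC 2407)

def keyid_to_hex(key_id: str) -> str:
    """ASCII key-id as typed on the ASA -> hex string for the PAN KEYID field."""
    return key_id.encode("ascii").hex()  # UnicodeEncodeError if not pure ASCII

def keyid_from_ike(msg: bytes):
    """Return the ID_KEY_ID bytes from an unencrypted IKEv1 message, else None."""
    if len(msg) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    next_payload, flags = msg[16], msg[19]
    if flags & 0x01:
        raise ValueError("encryption bit set; ID payload is not readable")
    end = min(struct.unpack("!I", msg[24:28])[0], len(msg))
    off = 28
    while next_payload != 0:
        if off + 4 > end:
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > end:
            raise ValueError("payload length runs past the message")
        # ID payload body: type(1) protocol(1) port(2) then the identification data
        if next_payload == ID_PAYLOAD and plen >= 8 and msg[off + 4] == ID_KEY_ID:
            return msg[off + 8:off + plen]
        next_payload, off = following, off + plen
    return None

def build_sample(key_id: bytes) -> bytes:
    """Constructed test message: ISAKMP header, dummy Nonce payload, ID payload."""
    nonce = struct.pack("!BBH", ID_PAYLOAD, 0, 12) + bytes(8)
    ident = struct.pack("!BBHBBH", 0, 0, 8 + len(key_id), ID_KEY_ID, 0, 0) + key_id
    body = nonce + ident
    # cookies(16) next=Nonce(10) version=1.0 exchange=Aggressive(4) flags msgid length
    header = bytes(16) + struct.pack("!BBBBII", 10, 0x10, 4, 0, 0, 28 + len(body))
    return header + body

if __name__ == "__main__":
    wire = keyid_from_ike(build_sample(b"foobar"))
    print("from packet:", wire.hex(), "| for PAN field:", keyid_to_hex("foobar"))
```

If the hex extracted from the capture differs from the hex of the string configured on the peer, the two KEYID values do not match.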