Dnyaneshwar,
Several things are missing. You have defined hostnames for negotiation but have no means of resolving the hostnames to IP addresses. Secondly, to run aggressive mode and use hostnames for IKE negotiation you need to configure isakmp peer sets on each side.

Have you completed Lab13 in Volume 2 yet? Volume 2 Lab13 uses this exact scenario for task 4.4. You can look at the solution guide there for further explanation on how to do the scenario you are doing. Let me know if you need further clarification.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.

From: [email protected] [mailto:[email protected]] On Behalf Of Dnyaneshwar Gore
Sent: Saturday, September 19, 2009 11:00 PM
To: [email protected]
Subject: [OSL | CCIE_Security] VPN: IOS IKE with aggressive mode

Hi All,

I am trying to set up IOS (12.4T) IKE with aggressive mode and hostname as IKE ID between two routers, with an ASA in between them. Following is the diagram:

R1 Fa0/1 (192.168.1.1/24)
R1 Fa0/0 (136.1.121.13) ------- ASA Inside (136.1.121.12) | ASA Outside (136.1.123.12) ------- R2 Fa0/0 (136.1.123.13)
R2 Fa0/1 (136.1.23.12) ------- R3 Fa0/0 (136.1.23.13)
R3 Fa0/1

Some of the main points about this setup:
* ASA is doing PAT for inside hosts using the outside interface IP address
* Hostname is used as IKE ID
* Router R1 will initiate the VPN connection.
* ISAKMP profile is used on router R1 to initiate Aggressive mode.
I have attached the router and ASA configurations for your reference. I am getting the following error on Router R1 when I send ping traffic from R1 with source interface Fa0/1:

R1#ping 136.1.23.13 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.23.13, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
*Sep 20 03:04:22.892: ISAKMP:(0): SA request profile is AGR
*Sep 20 03:04:22.892: ISAKMP: Created a peer struct for 136.1.123.13, peer port 500
*Sep 20 03:04:22.892: ISAKMP: New peer created peer = 0x46E0C9E8 peer_handle = 0x8000001F
*Sep 20 03:04:22.896: ISAKMP: Locking peer struct 0x46E0C9E8, refcount 1 for isakmp_initiator
*Sep 20 03:04:22.896: ISAKMP: local port 500, remote port 500
*Sep 20 03:04:22.896: ISAKMP: set new node 0 to QM_IDLE
*Sep 20 03:04:22.896: insert sa successfully sa = 47356FC8
*Sep 20 03:04:22.896: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Sep 20 03:04:22.896: ISAKMP:(0): No Cert or pre-shared address key.
*Sep 20 03:04:22.896: ISAKMP:(0): construct_initial_message: Can not start Main mode
*Sep 20 03:04:22.896: ISAKMP: Unlocking peer struct 0x46E0C9E8 for isadb_unlock_peer_delete_sa(), count 0
*Sep 20 03:04:22.896: ISAKMP: Deleting peer node by peer_reap for 136.1.123.13: 46E0C9E8
*Sep 20 03:04:22.896: ISAKMP:(0):purging SA., sa=47356FC8, delme=47356FC8
*Sep 20 03:04:22.896: ISAKMP:(0):purging node -98067428
*Sep 20 03:04:22.896: ISAKMP: Error while processing SA request: Failed to initialize SA
*Sep 20 03:04:22.896: ISAKMP: Error while processing KMI message 0, error 2.....
.
Success rate is 0 percent (0/5)

I am not able to figure out what the mistake is. Also, I could not find a configuration example for aggressive mode in 12.4T IOS. Kindly help me with this problem.

Regards,
D.M.Gore
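As an added illustration of the two gaps Tyson points out (no hostname resolution, no isakmp peer sets), here is a minimal IOS configuration for both routers. It is not configuration from this thread, from the attached files or from IPexpert's solution guide; the hostnames R1/R2, the keyring and profile names, the policy parameters and the key value are assumed placeholders, and the addresses are read from the diagram (R2 sees R1 behind the ASA PAT as the ASA outside address 136.1.123.12).

```cisco
! ===== R1 (initiator) - illustrative config, not from the thread =====
! Gap 1: the peer hostname must resolve locally or "peer hostname" fails
ip host R2 136.1.123.13
!
! Send our hostname, not our address, as the IKE identity
crypto isakmp identity hostname
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Gap 2: isakmp peer set for R2 supplying the aggressive-mode
! password and the FQDN we present (CISCO123 is a placeholder key)
crypto isakmp peer hostname R2
 set aggressive-mode password CISCO123
 set aggressive-mode client-endpoint fqdn R1
!
! Key looked up by the peer's hostname ID rather than by address,
! which is why the debug above reported "No ... pre-shared address key"
crypto keyring KR
 pre-shared-key hostname R2 key CISCO123
!
crypto isakmp profile AGR
 keyring KR
 self-identity fqdn
 match identity host R2
 initiate mode aggressive
!
! ===== R2 (responder) - mirror image =====
! R1 arrives from the ASA outside address because of PAT
ip host R1 136.1.123.12
crypto isakmp identity hostname
crypto isakmp peer hostname R1
 set aggressive-mode password CISCO123
 set aggressive-mode client-endpoint fqdn R2
crypto keyring KR
 pre-shared-key hostname R1 key CISCO123
crypto isakmp profile AGR
 keyring KR
 self-identity fqdn
 match identity host R1
```

After applying it, re-run the ping with `debug crypto isakmp` enabled on R1 and confirm with `show crypto isakmp sa` that the phase 1 SA reaches QM_IDLE; the IPsec transform set, crypto map and any NAT-T handling through the ASA are unchanged from the attached configurations and are not shown here.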
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
