Re: [OSL | CCIE_Security] isakmp-profiles

[Pieter-Jan Nefkens]

Hi Paul,Kings, I quickly checked that, and you can use a specific trustpoint in an isakmp profile. Command is ca trust-point: (conf-isa-prof)#ca trust-point ?   WORD  Specify the trust-point label to use Excerpt from the white paper from Cisco.com: ISAKMP Profile Parameters Configuration There can be zero or more ISAKMP profiles on the Cisco IOS router. Following is a list of parameters that can be configured per profile: 1. self-identity {address | fqdn | user-fqdn user-fqdn}: Specifies the identity that the local IKE should use to identify itself to the remote peer. • If not defined, IKE uses the global configured value. • address-Uses the IP address of the egress interface. • fqdn-Uses the FQDN of the router. • user-fqdn-Uses the specified value. 2. keyring keyring-name: Specifies the keyring to use for Phase 1 authentication. • If the keyring is not specified, the global key definitions are used. 3. ca trust-point {trustpoint-name}: Specifies a trustpoint to validate a Rivest, Shamir, and Adelman (RSA) certificate. If no trustpoint is specified in the ISAKMP profile, all the trustpoints that are configured on the Cisco IOS router are used to validate the certificate. 4. client configuration address {initiate | respond}: This command is used with Easy VPN Server; it specifies whether to initiate the mode configuration exchange or respond to mode configuration requests. 5. client authentication list list-name: AAA to use for authenticating the remote client during the extended authentication (XAUTH) exchange. 6. isamkp authorization list list-name: Network authorization server for receiving the Phase 1 preshared key and other attribute-value (AV) pairs. 7. initiate mode aggressive: Initiates aggressive mode exchange. If not specified, IKE always initiates Main Mode exchange. 8. keepalive seconds retry retry-seconds: Allows the gateway to send dead peer detection (DPD) messages to the peer. If not defined, the gateway uses the global configured value. Note: The ISAKMP profile properties are applied as additional parameters to the ISAKMP policy configuration in the router. Details on the parameters configured under the ISAKMP policy are included in the ISAKMP policy configuration section below. URL: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html HTH Kind regards PIeter-Jan Nefkens On 2 apr 2010, at 14:06, Paul Stewart wrote: I'm not at a pc but I think the trustpoint can be assigned in isakmp profile. Maybe 'ca trustpoint' On Apr 2, 2010, at 8:00 AM, Kingsley Charles <kingsley.char...@gmail.com> wrote: Hi Paul   I am not sure, if the ISAKMP profiles will affect the outbound property. Under the ISAKMP profiles "initiate mode" of whether AM or MM seems to be initiating property.   The outbound things that needs to sent in the ISAKMP phase 1 are   ISAKMP polices DH key exchange Pre-shared key or Certs   ISAKMP profiles has the keyring and may be can send them. But, there is no option to associate a trustpoint to send the certs.     Please share your findings after your lab.       With regards Kings On Fri, Apr 2, 2010 at 5:03 PM, Paul Stewart <pestew...@gmail.com> wrote: Kings,  Thanks for the quick reply. What triggerred my thought process was the asa to router VPN config in Yusuf's lab one. The question requires that the ios check for an issuer string and a subject string. The cert map is called in the isakmp profile. The crypto map calls the profile. It seems to me that the checks would definitely happen on outbound connections. However on inbound connections, a failed match would just mean there is no isakmp profile if the crypto map set isakmp-profile is not enforced on inbound connections.  That's the clarification I'm trying to work through.  On Apr 2, 2010, at 7:07 AM, Kingsley Charles <kingsley.char...@gmail.com> wrote: Comments line On Fri, Apr 2, 2010 at 4:04 PM, Paul Stewart <pestew...@gmail.com> wrote:   I have a simple question about isakmp-profiles with IOS.  My understanding is that if you use a match statement within the profile and it returns true that this is an responder profile.  If there is a "set isakmp-profile" statement in the crypto map this is an initiator profile.  So my question is does the "set isakmp-profile" statement in the crypto map "lock" that crypto map peer to the isakmp profile.  In other words if an incoming isakmp session matched another (or matched no profiles) but was still valid based on other isakmp parameters, would the peer establishment be permitted.  I will probably lab it up tonight to experiment with it myself, but was curious as to what others experiences were.       More or less, it is a lock only. The ISAKMP pofiles have been brought in to solve issues when there are two IPSec polices matching a same IKE request.   Two reasons for which ISAKMP profiles are used now are:   DMVPN hub and EzVPN server on the same router   Due to this spokes are requested for Xauth. ISAKMP resolves this issue   IPSec with VRFs   IPSec with VRFs require ISAKMP profiles as request comes to the same IPSec profile     The ISAKMP profile pulls the IKE request before getting considered globally. If the ISAKMP request doesn't match any profiles, then it gets checked for the global keys or trustpoint.           Similarly in the ASA, we have tunnel-group-maps to land connections on profiles.  Are those bi-directional.  In other words, if I had a created 3 for a single peer an of those tunnel-groups 1). that matched an OU in a cert and 2) one that matched the only IP address, and 3) one that mapped the IKE ID, Would the selection of an outbound connection profile in the initiator role be the same as the selection of an inbound connection profile in the responder role with the same peer in every case?       I think, Tunnel group is only for recieving not for initially. The order of tunnel group land check is   OU IKE ID IP address  The crypto map is the one that initiate the VPN connection.   With regards King _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com   _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com --- Nefkens Advies Enk 26 4214 DD Vuren The Netherlands Tel: +31 183 634730 Fax: +31 183 690113 Cell: +31 654 323221 Email: pjnefk...@nefkensadvies.nl Web: http://www.nefkensadvies.nl/  Think before you print.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com