That leaves me with the question of whether, when the IOS router is in responder mode, the set isakmp-profile on the crypto map is enforced. Is it enforced if the incoming ISAKMP session misses the ISAKMP profile (but authenticates and builds a Phase 1 SA) and tries to establish a Phase 2 SA to a crypto map entry with a set isakmp-profile specified?
On Apr 2, 2010, at 8:29 AM, Pieter-Jan Nefkens <[email protected]> wrote:
Hi Paul, Kings,
I quickly checked that, and you can use a specific trustpoint in an
isakmp profile.
Command is ca trust-point:
(conf-isa-prof)#ca trust-point ?
WORD Specify the trust-point label to use
Excerpt from the white paper from Cisco.com:
ISAKMP Profile Parameters Configuration
There can be zero or more ISAKMP profiles on the Cisco IOS router.
Following is a list of parameters that can be configured per profile:
1. self-identity {address | fqdn | user-fqdn user-fqdn}: Specifies
the identity that the local IKE should use to identify itself to the
remote peer.
• If not defined, IKE uses the globally configured value.
• address: Uses the IP address of the egress interface.
• fqdn: Uses the FQDN of the router.
• user-fqdn: Uses the specified value.
2. keyring keyring-name: Specifies the keyring to use for Phase 1
authentication.
• If the keyring is not specified, the global key definitions are used.
3. ca trust-point {trustpoint-name}: Specifies a trustpoint to
validate a Rivest, Shamir, and Adleman (RSA) certificate. If no
trustpoint is specified in the ISAKMP profile, all the trustpoints
that are configured on the Cisco IOS router are used to validate the
certificate.
4. client configuration address {initiate | respond}: This command
is used with Easy VPN Server; it specifies whether to initiate the
mode configuration exchange or respond to mode configuration requests.
5. client authentication list list-name: AAA to use for
authenticating the remote client during the extended authentication
(XAUTH) exchange.
6. isakmp authorization list list-name: Network authorization server
for receiving the Phase 1 preshared key and other attribute-value
(AV) pairs.
7. initiate mode aggressive: Initiates aggressive mode exchange. If
not specified, IKE always initiates Main Mode exchange.
8. keepalive seconds retry retry-seconds: Allows the gateway to send
dead peer detection (DPD) messages to the peer. If not defined, the
gateway uses the global configured value.
Note: The ISAKMP profile properties are applied as additional
parameters to the ISAKMP policy configuration in the router. Details
on the parameters configured under the ISAKMP policy are included in
the ISAKMP policy configuration section below.
URL:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd8034bd59.html
HTH
Kind regards
Pieter-Jan Nefkens
On 2 Apr 2010, at 14:06, Paul Stewart wrote:
I'm not at a pc but I think the trustpoint can be assigned in
isakmp profile. Maybe 'ca trustpoint'
On Apr 2, 2010, at 8:00 AM, Kingsley Charles <[email protected]> wrote:
Hi Paul
I am not sure if the ISAKMP profiles will affect the outbound
property. Under the ISAKMP profiles, "initiate mode" (whether AM
or MM) seems to be an initiating property.
The outbound things that need to be sent in ISAKMP Phase 1 are:
ISAKMP policies
DH key exchange
Pre-shared key or certs
ISAKMP profiles have the keyring and maybe can send them. But
there is no option to associate a trustpoint to send the certs.
Please share your findings after your lab.
With regards
Kings
On Fri, Apr 2, 2010 at 5:03 PM, Paul Stewart <[email protected]> wrote:
Kings,
Thanks for the quick reply. What triggered my thought process was
the ASA to router VPN config in Yusuf's lab one. The question
requires that the IOS check for an issuer string and a subject
string. The cert map is called in the isakmp profile. The crypto
map calls the profile. It seems to me that the checks would
definitely happen on outbound connections. However, on inbound
connections, a failed match would just mean there is no isakmp
profile if the crypto map set isakmp-profile is not enforced on
inbound connections. That's the clarification I'm trying to work
through.
On Apr 2, 2010, at 7:07 AM, Kingsley Charles <[email protected]> wrote:
Comments inline
On Fri, Apr 2, 2010 at 4:04 PM, Paul Stewart <[email protected]> wrote:
I have a simple question about isakmp-profiles with IOS. My
understanding is that if you use a match statement within the profile
and it returns true, this is a responder profile. If there is a
"set isakmp-profile" statement in the crypto map, this is an initiator
profile. So my question is: does the "set isakmp-profile" statement in
the crypto map "lock" that crypto map peer to the isakmp profile? In
other words, if an incoming isakmp session matched another (or matched
no profiles) but was still valid based on other isakmp parameters,
would the peer establishment be permitted? I will probably lab it up
tonight to experiment with it myself, but was curious as to what
others' experiences were.
More or less, it is a lock only. The ISAKMP profiles have been
brought in to solve issues when there are two IPsec policies matching
the same IKE request.
Two reasons for which ISAKMP profiles are used now are:
DMVPN hub and EzVPN server on the same router. Due to this, spokes
are requested for Xauth. ISAKMP profiles resolve this issue.
IPsec with VRFs. IPsec with VRFs requires ISAKMP profiles, as the
request comes to the same IPsec profile.
The ISAKMP profile pulls the IKE request before it gets considered
globally. If the ISAKMP request doesn't match any profiles, then it
gets checked against the global keys or trustpoint.
Similarly in the ASA, we have tunnel-group-maps to land connections on
profiles. Are those bi-directional? In other words, if I had created
3 for a single peer, and of those tunnel-groups 1) one matched an OU
in a cert, 2) one matched only the IP address, and 3) one mapped the
IKE ID, would the selection of an outbound connection profile in the
initiator role be the same as the selection of an inbound connection
profile in the responder role with the same peer in every case?
I think the tunnel group is only for receiving, not for initiating.
The order of the tunnel-group landing check is:
OU
IKE ID
IP address
The crypto map is the one that initiates the VPN connection.
With regards
King
_______________________________________________
For more information regarding industry leading CCIE Lab
training, please visit www.ipexpert.com
---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
Think before you print.
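A worked IOS configuration that ties together the ISAKMP profile parameters quoted from the white paper above and the issuer/subject certificate check from Paul's lab question. This is an added example, not configuration from the thread, from the lab, or from the Cisco white paper; every name, address, ACL and certificate string in it is assumed for illustration. The profile carries both a responder-side match (the certificate map) and is referenced by the crypto map for the initiator side, so inbound and outbound negotiations with this peer resolve to the same profile and therefore the same trustpoint.

```ios
! Certificate map: only peers whose certificate issuer and subject
! contain these substrings land in the profile below.
! (map name and strings are assumed for this example)
crypto pki certificate map HUB-CERT-MAP 10
 issuer-name co cn = lab-ca
 subject-name co ou = vpn-spokes
!
! Trustpoint used to validate the peer certificate
! (enrollment and CA certificate import omitted; name assumed)
crypto pki trustpoint LAB-CA
 enrollment terminal
 revocation-check none
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! Responder side: "match certificate" lands the incoming IKE SA here.
! Initiator side: the crypto map's "set isakmp-profile" selects it.
! "ca trust-point" restricts validation to LAB-CA instead of every
! trustpoint on the box; "keepalive" sets per-profile DPD.
crypto isakmp profile CERT-PEERS
 self-identity fqdn
 ca trust-point LAB-CA
 match certificate HUB-CERT-MAP
 keepalive 10 retry 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Protected traffic (prefixes assumed)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Peer address 192.0.2.10 is a documentation address, assumed here
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 set isakmp-profile CERT-PEERS
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CMAP
```

To see which profile an inbound IKE SA actually landed in while labbing the responder-mode question, bring the tunnel up with `debug crypto isakmp` running and look for the line reporting that the peer matches the `CERT-PEERS` profile (or that it matched none); `show crypto session detail` also reports the profile bound to each session. Comparing that against the profile named in `set isakmp-profile` on the crypto map entry is the direct test of whether the two must agree for Phase 2 to succeed.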