Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.

Let me put my understanding:

Aggressive mode can be used where the IP address of a peer keeps changing.

1) One peer will be configured with a dynamic crypto map, and this is the hub or
server, as the spokes' IP addresses keep changing.
2) The other peers will be configured with a static crypto map with "set peer"
of the hub's IP address.
3) Since the addresses of the spokes keep changing, I opt for configuring
hostnames on the hub for the pre-shared keys.
4) In that case, the spokes should send the identity as hostnames.
5) The hub should send the identity as an address.

If you want to initiate AM, there are two ways: either use an ISAKMP profile
with "initiate mode aggressive" or "crypto isakmp peer address", which
doesn't need profiles.

In AM, the risk is that the identities of the peers are revealed during ISAKMP
phase 1. Since the spoke's address changes, there is not much risk, but still
the hub's address is exposed.

The peer initiating the AM sees the IP address in the crypto map and tries
to find a matching pre-shared key when there is interesting traffic. If
you configure it as a hostname, then it can't find a match. Hence on the peer
which initiates the AM, you need to configure it with the IP address. The hub
can be configured with a hostname as it is the receiver, not the initiator.


*Spokes config*

ip domain-name cisco.com
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 10.20.30.42

crypto isakmp profile prof
! This profile is incomplete (no match identity statement)
   keyring default
   self-identity fqdn
   initiate mode aggressive

crypto ipsec transform-set tran esp-3des esp-sha-hmac

crypto map cisco 1 ipsec-isakmp
 set peer 10.20.30.42
 set transform-set tran
 set isakmp-profile prof
 match address 123

interface GigabitEthernet0/0
 crypto map cisco


*Hub's config*


crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco hostname router1.cisco.com
crypto isakmp identity address

crypto ipsec transform-set tran esp-3des esp-sha-hmac

crypto dynamic-map dynmap 1
 set transform-set tran

crypto map cisco 1 ipsec-isakmp dynamic dynmap

interface GigabitEthernet0/0
 crypto map cisco

Instead of a dynamic crypto map, you can use a static crypto map on the hub as
follows. The logic is still the same.

crypto ipsec transform-set tran esp-3des esp-sha-hmac

crypto map cisco 1 ipsec-isakmp
 set peer 10.20.30.41
 set transform-set tran
 match address 123

interface GigabitEthernet0/0
 crypto map cisco



Without ISAKMP profiles, you can initiate AM. Please refer to
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml

With regards
Kings

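A small config-lint check for the initiator-side mistake this thread is about, added here as an example; it is not code from the thread, from Cisco, or from ipexpert. It parses a constructed IOS snippet modelled on Karim's config (hostname-keyed PSK, map-level profile binding, profile with no "match identity") and reports the conditions behind the "No Cert or pre-shared address key" debug above, plus the aggressive-mode identity-exposure point Kings raises. The hostname "hub.example.com" and the helper names are assumptions.

```python
import re
# Constructed IOS snippet modelled on the thread's initiator config (not the
# poster's exact lines): hostname-keyed PSK, profile without "match identity".
INITIATOR_CFG = """\
crypto isakmp key CISCO hostname hub.example.com
crypto isakmp profile AGGRESSIVE
   keyring default
   self-identity fqdn
   initiate mode aggressive
crypto map R1R2 isakmp-profile AGGRESSIVE
crypto map R1R2 10 ipsec-isakmp
 set peer 136.1.122.2
 match address LO12
"""

def _blocks(cfg):
    # Group IOS config into (header, [indented child lines]) pairs.
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_ike_initiator(cfg):
    # Findings: peer with no address-keyed PSK (the initiator looks the key up
    # by the set-peer address), profile without 'match identity', AM with PSK.
    blocks, out = _blocks(cfg), []
    addr_keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M))
    map_prof = dict(re.findall(r"^crypto map (\S+) isakmp-profile (\S+)", cfg, re.M))
    profiles = {m.group(1): b for h, b in blocks
                if (m := re.match(r"crypto isakmp profile (\S+)", h))}
    psk = "crypto isakmp key " in cfg
    for hdr, body in blocks:
        if not (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", hdr)):
            continue
        prof = map_prof.get(m.group(1))  # map-level binding, as in the thread
        for l in body:
            w = l.split()
            if l.startswith("set isakmp-profile "):  # entry-level binding wins
                prof = w[2]
            elif l.startswith("set peer ") and w[2] not in addr_keys:
                out.append(f"peer {w[2]}: no 'crypto isakmp key ... address {w[2]}'")
        pb = profiles.get(prof, [])
        if prof and not any(l.startswith("match identity ") for l in pb):
            out.append(f"profile {prof}: no 'match identity' statement")
        if "initiate mode aggressive" in pb and psk:
            out.append(f"profile {prof}: aggressive mode with PSK reveals identities in phase 1")
    return out
```

Adding the address-keyed PSK and a "match identity" line clears the first two findings; the aggressive-mode note stays, since that exposure is inherent to AM with pre-shared keys.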
On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:

> I've had this issue before. I made this work in 2 ways
> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
> or
> 2 - add a local host entry on the router mapping the hostname XXXX to
> 136.1.122.2
>
> Whether this is correct, I don't know, and I never had anyone explain to me why
>
> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]>wrote:
>
>> Dear Experts,
>>
>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP Profiles,
>> however I am not able to get why it doesn't work. When running the debugs I
>> see that it can't run AGGRESSIVE mode and it can't find a PSK or cert
>> despite the fact that it exists. I would appreciate any input.
>>
>> crypto isakmp key CISCO hostname XXXX
>>
>> crypto isakmp profile AGGRESSIVE
>> ! This profile is incomplete (no match identity statement)
>>    keyring default
>>    self-identity fqdn
>>    initiate mode aggressive
>> !
>>
>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>> !
>> crypto map R1R2 isakmp-profile AGGRESSIVE
>> crypto map R1R2 10 ipsec-isakmp
>>  set peer 136.1.122.2
>>  set transform-set R1R2
>>  match address LO12
>>
>>
>> interface FastEthernet0/0
>>  ip address 136.1.121.1 255.255.255.0
>>  duplex auto
>>  speed auto
>>  crypto map R1R2
>>
>>
>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer
>> port 500
>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508
>> peer_handle = 0x80000010
>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1
>> for isakmp_initiator
>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main
>> mode.
>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start
>> Main mode
>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
>> isadb_unlock_peer_delete_sa(), count 0
>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
>> 136.1.122.2: 83D50508
>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to
>> initialize SA
>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error
>> 2.
>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI
>> message(s)
>>
>> Thanks
>>
>> Best Regards
>>
>> --
>> KJ
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
>
>