Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2. Let me put my understanding:

Aggressive mode can be used where the IP address of a peer keeps changing.
1) One peer will be configured for a dynamic crypto map, and this is the hub or server, as the spokes' IP addresses keep changing.
2) The other peers will be configured with a static crypto map with "set peer" of the hub's IP address.
3) Since the addresses of the spokes keep changing, I opt for configuring hostnames on the hub for the pre-shared keys.
4) In that case, the spokes should send the identity as hostnames.
5) The hub should send the identity as address.

If you want to initiate AM, there are two ways: either use an isakmp profile with "initiate mode aggressive", or "crypto isakmp peer address", which doesn't need profiles. In AM, the risk is that the identity of the peers is revealed during ISAKMP phase 1. Since the spoke's address changes there is not much risk, but still the hub's address is exposed.

The peer initiating the AM sees the IP address in the crypto map and tries to find a matching pre-shared key when there is interesting traffic. If you configure it as a hostname, then it can't find a match. Hence on the peer which initiates the AM, you need to configure it with the IP address. The hub can be configured with a hostname as it is the receiver, not the initiator.

*Spokes config*

ip domain-name cisco.com
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 10.20.30.42
crypto isakmp profile prof
 ! This profile is incomplete (no match identity statement)
 keyring default
 self-identity fqdn
 initiate mode aggressive
crypto ipsec transform-set tran esp-3des esp-sha-hmac
crypto map cisco 1 ipsec-isakmp
 set peer 10.20.30.42
 set transform-set tran
 set isakmp-profile prof
 match address 123
interface GigabitEthernet0/0
 crypto map cisco

*Hub's config*

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco hostname router1.cisco.com
crypto isakmp identity address
crypto ipsec transform-set tran esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set tran
crypto map cisco 1 ipsec-isakmp dynamic dynmap
interface GigabitEthernet0/0
 crypto map cisco

Instead of a dynamic crypto map, you can use a static crypto map on the hub as follows. The logic is still the same.

crypto ipsec transform-set tran esp-3des esp-sha-hmac
crypto map cisco 1 ipsec-isakmp
 set peer 10.20.30.41
 set transform-set tran
 match address 123
interface GigabitEthernet0/0
 crypto map cisco

Without ISAKMP profiles, you can initiate AM. Please refer to http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml

With regards
Kings

On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
> I've had this issue before. I made this work in 2 ways
> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
> or
> 2 - add a local host entry on the router mapping the hostname XXXX to
> 136.1.122.2
>
> If this is correct, I don't know, and I never had anyone explain to me why
>
> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>
>> Dear Experts,
>>
>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP Profiles,
>> however I am not able to get why it doesn't work. When running the debugs I
>> see that it can't run AGGRESSIVE mode and it can't find a PSK or cert
>> despite the fact that it exists. I would appreciate any input.
>>
>> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>>
>> crypto isakmp profile AGGRESSIVE
>>  ! This profile is incomplete (no match identity statement)
>>  keyring default
>>  self-identity fqdn
>>  initiate mode aggressive
>> !
>>
>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>> !
>> crypto map R1R2 isakmp-profile AGGRESSIVE
>> crypto map R1R2 10 ipsec-isakmp
>>  set peer 136.1.122.2
>>  set transform-set R1R2
>>  match address LO12
>>
>> interface FastEthernet0/0
>>  ip address 136.1.121.1 255.255.255.0
>>  duplex auto
>>  speed auto
>>  crypto map R1R2
>>
>> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
>> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
>> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
>> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
>> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
>> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
>> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
>> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
>> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
>> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
>> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>>
>> Thanks
>>
>> Best Regards
>>
>> --
>> KJ
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
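As an added illustration of the rule Kings describes (the aggressive-mode initiator looks up its pre-shared key by the IP address in the crypto map's "set peer", so a hostname-only key is never found), here is a small config check written for this thread; it is not code from the posts, from ipexpert or from Cisco. It assumes IOS-style text with sub-commands indented by one space, and the sample config below is constructed to mirror Karim's posted initiator config without the address-keyed PSK.

```python
import re

# Constructed sample: the thread's initiator config minus the address-keyed PSK Kings says it needs.
SPOKE_CONFIG = """\
crypto isakmp key CISCO hostname XXXX
crypto isakmp profile AGGRESSIVE
 keyring default
 self-identity fqdn
 initiate mode aggressive
!
crypto map R1R2 isakmp-profile AGGRESSIVE
crypto map R1R2 10 ipsec-isakmp
 set peer 136.1.122.2
 match address LO12
!
"""

def blocks(config):
    """Yield (top-level command, [indented sub-commands]) pairs from IOS-style text."""
    header, body = None, []
    for line in config.splitlines() + ["end"]:  # sentinel flushes the last block
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []

def check_aggressive_initiator(config):
    """Flag crypto-map peers that initiate aggressive mode without an address-keyed PSK."""
    address_keys = set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))
    aggressive, map_profile, findings = set(), {}, []
    for header, body in blocks(config):
        if header.startswith("crypto isakmp profile ") and "initiate mode aggressive" in body:
            aggressive.add(header.split()[3])
        if m := re.match(r"crypto map (\S+) isakmp-profile (\S+)$", header):
            map_profile[m.group(1)] = m.group(2)  # profile attached to the whole map
    for header, body in blocks(config):
        if not (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", header)):
            continue
        profile = map_profile.get(m.group(1))
        for line in body:  # an entry-level profile overrides the map-level one
            if line.startswith("set isakmp-profile "):
                profile = line.split()[2]
        if profile not in aggressive:
            continue
        for line in body:
            if line.startswith("set peer ") and line.split()[2] not in address_keys:
                findings.append(f"{header}: profile {profile} initiates aggressive mode, "
                                f"but no 'crypto isakmp key ... address {line.split()[2]}' exists")
    return findings
```

Running `check_aggressive_initiator(SPOKE_CONFIG)` reports the 136.1.122.2 peer; prepending the `crypto isakmp key CISCO address 136.1.122.2` line that Kings and Bruno suggest clears the finding.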
