Hello Kingsley,

First, I would like to thank you for putting your effort into this great,
informative post. However, let me argue that:
1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
different from MM, where the PSK must be based on the peer address as the PSK
is used in the DH KE algorithm. Thus I do believe there is no reason for the
initiator to look up the peer address/hostname of the remote peer while
initiating. I hope someone can shed more light on this. As per your
statement:

"The peer initiating the AM sees the IP address in the crypto map and tries
to find a matching pre-shared key when there is interesting traffic".
The question raised is why it can't send based on hostnames.

In AM, as per my understanding, the DH KE works in parallel with the IKE IDs
and authentication process, i.e. the IDs are exchanged in the clear. I
believe it should work this way:
1) The initiator sends the responder its ISAKMP policy with its different
parameters, and the responder replies having accepted a policy.
2) The DH KE and IKE ID exchange for authentication happen simultaneously.

Gents, I will appreciate your support on this :)

Thanks Kingsley :)



On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <
[email protected]> wrote:

> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>
> Let me put my understanding:
>
> Aggressive mode can be used where the IP address of a peer keeps changing.
>
> 1) One peer will be configured for a dynamic crypto map, and this is the hub
> or server, as the spokes' IP addresses keep changing.
> 2) The other peers will be configured with a static crypto map with "set
> peer" of the hub's IP address.
> 3) Since the addresses of the spokes keep changing, I opt for configuring
> hostnames on the hub for the pre-shared keys.
> 4) In that case, the spokes should send the identity as hostnames.
> 5) The hub should send the identity as an address.
>
> If you want to initiate AM, there are two ways: either use an isakmp profile
> with "initiate mode aggressive", or "crypto isakmp peer address", which
> doesn't need profiles.
>
> In AM, the risk is that the identities of the peers are revealed during
> ISAKMP phase 1. Since the spoke's address changes, there is not much risk,
> but the hub's address is still exposed.
>
> The peer initiating the AM sees the IP address in the crypto map and tries
> to find a matching pre-shared key when there is interesting traffic. If
> you configure it as a hostname, then it can't find a match. Hence, on the
> peer which initiates the AM, you need to configure it with the IP address.
> The hub can be configured with a hostname as it is the receiver, not the
> initiator.
>
>
> *Spokes config*
>
> ip domain-name cisco.com
> ! hostname + domain-name form the FQDN identity (router1.cisco.com) the hub keys on
> hostname router1
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key cisco address 10.20.30.42
>
> crypto isakmp profile prof
>    ! the hub sends its identity as an address, so match that here
>    match identity address 10.20.30.42 255.255.255.255
>    keyring default
>    self-identity fqdn
>    initiate mode aggressive
>
> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.20.30.42
>  set transform-set tran
>  set isakmp-profile prof
>  match address 123
>
> interface GigabitEthernet0/0
>  crypto map cisco
>
>
> *Hub's config*
>
>
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key cisco hostname router1.cisco.com
> crypto isakmp identity address
>
> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>
> crypto dynamic-map dynmap 1
>  set transform-set tran
>
> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>
> interface GigabitEthernet0/0
>  crypto map cisco
>
> Instead of a dynamic crypto map, you can use a static crypto map on the hub as
> follows. The logic is still the same.
>
> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.20.30.41
>  set transform-set tran
>  match address 123
>
> interface GigabitEthernet0/0
>  crypto map cisco
>
>
>
> Without ISAKMP profiles, you can initiate AM. Please refer to
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>
> With regards
> Kings
>
>
> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>
>> I've had this issue before. I made this work in 2 ways:
>> 1 - also add "crypto isakmp key CISCO address 136.1.122.2"
>> or
>> 2 - add a local host entry on the router mapping the hostname XXXX to
>> 136.1.122.2
>>
>> Whether this is correct, I don't know, and I never had anyone explain to me why.
>>
>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]>wrote:
>>
>>> Dear Experts,
>>>
>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP profiles;
>>> however, I am not able to get why it doesn't work. When running the debugs, I
>>> see that it can't run AGGRESSIVE mode and it can't find a PSK or cert,
>>> despite the fact that it exists. I would appreciate any input.
>>>
>>> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>>>
>>> crypto isakmp profile AGGRESSIVE
>>> ! This profile is incomplete (no match identity statement)
>>>    keyring default
>>>    self-identity fqdn
>>>    initiate mode aggressive
>>> !
>>>
>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>> !
>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>> crypto map R1R2 10 ipsec-isakmp
>>>  set peer 136.1.122.2
>>>  set transform-set R1R2
>>>  match address LO12
>>>
>>>
>>> interface FastEthernet0/0
>>>  ip address 136.1.121.1 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>  crypto map R1R2
>>>
>>>
>>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer
>>> port 500
>>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508
>>> peer_handle = 0x80000010
>>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1
>>> for isakmp_initiator
>>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying
>>> Main mode.
>>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start
>>> Main mode
>>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
>>> isadb_unlock_peer_delete_sa(), count 0
>>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
>>> 136.1.122.2: 83D50508
>>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to
>>> initialize SA
>>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error
>>> 2.
>>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI
>>> message(s)
>>>
>>> Thanks
>>>
>>> Best Regards
>>>
>>> --
>>> KJ
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>>
>>
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
>>
>>
>>
>


-- 
KJ

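The exchange the thread argues about, as an added example that is not part of the thread and is not Cisco IOS code. It is a toy model of IKEv1 Aggressive Mode (RFC 2409, section 5.4) with pre-shared keys, built around the key lookup Kingsley describes: the initiator (spoke) resolves the PSK by the peer *address* from its crypto map before it sends message 1, which is what the "No Cert or pre-shared address key" debug line in Karim's output reflects, while the responder (hub) receives the initiator's FQDN identity in the clear in message 1 and can therefore resolve the PSK by *hostname*. The "exposed" field lists the identity payloads an on-path observer sees, which is the AM risk Kingsley points out. The Peer class, the keyring dictionaries, the SA payload text, the hub name hub.cisco.com and the address 10.20.30.41/42 layout are all constructed for the example; the prime is the real RFC 2409 group 2 modulus.

```python
"""Toy IKEv1 Aggressive Mode (RFC 2409 s5.4) with pre-shared keys.

Added example, not from the mailing-list thread and not IOS code. Models the
PSK lookup on each side: initiator by peer address, responder by the identity
received in the clear in message 1. Names, keys and addresses are constructed.
"""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP) prime and generator.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
SA_I = b"policy 1: pre-share, group 2, sha1, 3des"  # constructed SA payload body


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a SHA-1 policy is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def itob(n: int) -> bytes:
    return n.to_bytes(128, "big")  # group 2 public values are 1024 bits


class Peer:
    """A router with a global keyring: {("address", ip) | ("hostname", fqdn): psk}."""

    def __init__(self, fqdn, address, keyring, identity="fqdn"):
        self.fqdn, self.address, self.keyring, self.identity = fqdn, address, keyring, identity

    def id_payload(self) -> bytes:
        # "self-identity fqdn" versus "crypto isakmp identity address"
        return b"fqdn:" + self.fqdn.encode() if self.identity == "fqdn" else b"addr:" + self.address.encode()

    def psk_for(self, kind, value):
        return self.keyring.get((kind, value))


def aggressive_mode(initiator, responder, peer_address):
    """Run the three AM messages between two Peer objects; return the outcome."""
    # Initiator, before message 1: look the key up by the address in "set peer".
    psk_i = initiator.psk_for("address", peer_address)
    if psk_i is None:  # mirrors the IOS debug "No Cert or pre-shared address key."
        return {"ok": False, "reason": "initiator: no pre-shared address key for " + peer_address, "exposed": []}
    xi = secrets.randbelow(P - 2) + 1
    gxi, ni, cky_i = pow(G, xi, P), secrets.token_bytes(16), secrets.token_bytes(8)
    id_ii = initiator.id_payload()
    # Message 1: HDR, SA, KE, Ni, IDii -- all in the clear.
    # Responder: the identity arrived in the clear, so the key can be found by hostname.
    kind, value = id_ii.split(b":", 1)
    psk_r = responder.psk_for("hostname" if kind == b"fqdn" else "address", value.decode())
    if psk_r is None:
        return {"ok": False, "reason": "responder: no pre-shared key for identity " + id_ii.decode(), "exposed": [id_ii]}
    xr = secrets.randbelow(P - 2) + 1
    gxr, nr, cky_r = pow(G, xr, P), secrets.token_bytes(16), secrets.token_bytes(8)
    skeyid_r = prf(psk_r, ni + nr)  # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    id_ir = responder.id_payload()
    hash_r = prf(skeyid_r, itob(gxr) + itob(gxi) + cky_r + cky_i + SA_I + id_ir)
    # Message 2: HDR, SA, KE, Nr, IDir, HASH_R -- also in the clear.
    # Initiator: only now (with Nr) can it derive SKEYID and check HASH_R.
    skeyid_i = prf(psk_i, ni + nr)
    if not hmac.compare_digest(prf(skeyid_i, itob(gxr) + itob(gxi) + cky_r + cky_i + SA_I + id_ir), hash_r):
        return {"ok": False, "reason": "initiator: HASH_R mismatch (pre-shared keys differ)", "exposed": [id_ii, id_ir]}
    hash_i = prf(skeyid_i, itob(gxi) + itob(gxr) + cky_i + cky_r + SA_I + id_ii)
    # Message 3: HDR, HASH_I.
    if not hmac.compare_digest(prf(skeyid_r, itob(gxi) + itob(gxr) + cky_i + cky_r + SA_I + id_ii), hash_i):
        return {"ok": False, "reason": "responder: HASH_I mismatch", "exposed": [id_ii, id_ir]}
    assert pow(gxr, xi, P) == pow(gxi, xr, P)  # both sides now hold the same DH secret
    return {"ok": True, "reason": "phase 1 complete", "exposed": [id_ii, id_ir]}


# Constructed scenarios modelled on the thread's configs (hypothetical names/addresses).
HUB = Peer("hub.cisco.com", "10.20.30.42", {("hostname", "router1.cisco.com"): b"cisco"}, identity="address")
HUB_NO_KEY = Peer("hub.cisco.com", "10.20.30.42", {}, identity="address")
SPOKE_OK = Peer("router1.cisco.com", "10.20.30.41", {("address", "10.20.30.42"): b"cisco"})
SPOKE_HOSTNAME_ONLY = Peer("router1.cisco.com", "10.20.30.41", {("hostname", "hub.cisco.com"): b"cisco"})
SPOKE_FIXED = Peer("router1.cisco.com", "10.20.30.41",
                   {("hostname", "hub.cisco.com"): b"cisco", ("address", "10.20.30.42"): b"cisco"})
SPOKE_WRONG_KEY = Peer("router1.cisco.com", "10.20.30.41", {("address", "10.20.30.42"): b"wrong"})


def scenario(spoke, hub=HUB):
    return aggressive_mode(spoke, hub, hub.address)


if __name__ == "__main__":
    for s in (SPOKE_OK, SPOKE_HOSTNAME_ONLY, SPOKE_FIXED, SPOKE_WRONG_KEY):
        print(scenario(s)["reason"])
```

Running it prints one line per spoke: the address-keyed spoke completes phase 1, the hostname-only spoke fails before message 1 exactly as Karim's debug does, Bruno's first fix (adding the address key next to the hostname key) makes it work, and a wrong key surfaces only as a HASH_R mismatch after message 2. Note in the code that the initiator cannot derive SKEYID until Nr arrives, so the protocol itself consumes the initiator's PSK at message 2; the address lookup before message 1 is the implementation behaviour the debug output shows.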