True, with AM the pre-shared key is not used with the shared secret to generate
the encryption key.

But how will the peer initiating AM find a matching pre-shared key with
hostnames? The pre-shared key should be sent as a hash to the other peer, which
also hashes its pre-shared key and sees if it matches. Irrespective of
whether it is AM or MM, this will happen. If you have configured a hostname
for the pre-shared key, how will IOS find a matching key?

Anyway, let's wait for others' comments too.


With regards
Kings

On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:

> hello Kingsley,
>
> First I would like to thank you for putting your efforts into this great
> informative post. However, let me argue that:
> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
> different from MM, where the PSK must be based on the peer address as the PSK is
> used in the DH KE algorithm. Thus I do believe there is no reason for the
> initiator to look up the peer address/hostname of the remote peer while
> initiating. I hope someone can shed more light on this. As per your
> statement:
>
> "The peer initiating the AM, sees the IP address in the crypto map and
> tries to find a matching pre-shared key, when there is an interesting
> traffic". The question raised is why it can't send based on hostnames.
>
> In AM, as per my understanding, the DH KE works in parallel with the IKE IDs and
> authentication process, i.e. the IDs are exchanged in the clear. While I
> believe it should work this way:
> 1) Initiator sends to responder its ISAKMP policy with its different
> parameters & the responder replies having accepted a policy.
> 2) DH KE & IKE IDs exchange for authentication happen simultaneously.
>
> Gents, I will appreciate your support on this :)
>
> Thanks Kingsley:)
>
>
>
>
> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>
>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>
>> Let me put my understanding:
>>
>> Aggressive mode can be used where the IP address of a peer keeps changing.
>>
>>
>> 1) One peer will be configured for a dynamic crypto map, and this is the hub
>> or server, as the spokes' IP addresses keep changing.
>> 2) The other peers will be configured with a static crypto map with "set
>> peer" of the hub's IP address.
>> 3) Since the addresses of the spokes keep changing, I opt for configuring
>> hostnames on the hub for the pre-shared keys.
>> 4) In that case, the spokes should send the identity as hostnames.
>> 5) The hub should send the identity as an address.
>>
>> If you want to initiate AM, there are two ways: either use an isakmp profile
>> with "initiate mode aggressive" or "crypto isakmp peer address", which
>> doesn't need profiles.
>>
>> In AM, the risk is that the identities of the peers are revealed during
>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>> but still the hub's address is exposed.
>>
>> The peer initiating the AM sees the IP address in the crypto map and
>> tries to find a matching pre-shared key when there is interesting
>> traffic. If you configure it as a hostname, then it can't find a match.
>> Hence on the peer which initiates the AM, you need to configure it with an
>> IP address. The hub can be configured with a hostname as it is the receiver,
>> not the initiator.
>>
>>
>> *Spokes config*
>>
>> ip domain-name cisco.com
>> crypto isakmp policy 1
>>  authentication pre-share
>> crypto isakmp key cisco address 10.20.30.42
>>
>> crypto isakmp profile prof
>>
>> ! This profile is incomplete (no match identity statement)
>>    keyring default
>>    self-identity fqdn
>>    initiate mode aggressive
>>
>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>
>> crypto map cisco 1 ipsec-isakmp
>>  set peer 10.20.30.42
>>  set transform-set tran
>>  set isakmp-profile prof
>>  match address 123
>>
>> interface GigabitEthernet0/0
>>  crypto map cisco
>>
>>
>> *Hub's config*
>>
>>
>> crypto isakmp policy 1
>>  authentication pre-share
>> crypto isakmp key cisco hostname router1.cisco.com
>> crypto isakmp identity address
>>
>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>
>> crypto dynamic-map dynmap 1
>>  set transform-set tran
>>
>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>
>> interface GigabitEthernet0/0
>>  crypto map cisco
>>
>> Instead of a dynamic crypto map, you can use a static crypto map on the hub as
>> follows. The logic is still the same.
>>
>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>
>> crypto map cisco 1 ipsec-isakmp
>>  set peer 10.20.30.41
>>  set transform-set tran
>>  match address 123
>>
>> interface GigabitEthernet0/0
>>  crypto map cisco
>>
>>
>>
>> Without ISAKMP profiles, you can initiate AM. Please refer to
>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>
>> With regards
>> Kings
>>
>>
>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>
>>> I've had this issue before. I made this work in 2 ways:
>>> 1 - also add "crypto isakmp key CISCO address 136.1.122.2"
>>> or
>>> 2 - add a local host entry on the router mapping the hostname XXXX to
>>> 136.1.122.2
>>>
>>> If this is correct, I don't know, and never had anyone explain to me why.
>>>
>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>
>>>> Dear Experts,
>>>>
>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP profiles;
>>>> however, I am not able to understand why it doesn't work. When running the debugs I
>>>> see that it can't run AGGRESSIVE mode and it can't find a PSK or cert,
>>>> despite the fact that it exists. I would appreciate any input.
>>>>
>>>> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>>>>
>>>> crypto isakmp profile AGGRESSIVE
>>>> ! This profile is incomplete (no match identity statement)
>>>>    keyring default
>>>>    self-identity fqdn
>>>>    initiate mode aggressive
>>>> !
>>>>
>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>> !
>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>> crypto map R1R2 10 ipsec-isakmp
>>>>  set peer 136.1.122.2
>>>>  set transform-set R1R2
>>>>  match address LO12
>>>>
>>>>
>>>> interface FastEthernet0/0
>>>>  ip address 136.1.121.1 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  crypto map R1R2
>>>>
>>>>
>>>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer
>>>> port 500
>>>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508
>>>> peer_handle = 0x80000010
>>>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1
>>>> for isakmp_initiator
>>>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying
>>>> Main mode.
>>>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not
>>>> start Main mode
>>>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
>>>> isadb_unlock_peer_delete_sa(), count 0
>>>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
>>>> 136.1.122.2: 83D50508
>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request: Failed
>>>> to initialize SA
>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error
>>>> 2.
>>>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI
>>>> message(s)
>>>>
>>>> Thanks
>>>>
>>>> Best Regards
>>>>
>>>> --
>>>> KJ
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>>
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>>
>>>
>>
>
>
> --
> KJ
>
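The thread keeps circling around one question: at what point in phase 1 does each peer need the pre-shared key, and what does it know about the other side at that moment? The model below is an added illustration written for this discussion; it is not code from any participant or from IOS. It uses the RFC 2409 pre-shared-key formulas (SKEYID = prf(PSK, Ni|Nr) and HASH_I over the DH publics, cookies, SA body and identity, with prf modelled as HMAC-SHA-1), and a constructed keyring that mirrors the hub's `crypto isakmp key cisco address|hostname ...` lines. All cookies, nonces, DH values, addresses and keys are constructed placeholders. The responder-side lookup it models follows from the message order: in main mode the initiator's ID arrives encrypted in message 5, and decrypting it already requires SKEYID, so the responder can only select a key by source address; in aggressive mode the ID is in the clear in message 1, so a hostname-keyed entry can be matched before SKEYID is derived.

```python
"""Toy model of IKEv1 phase 1 pre-shared-key authentication (RFC 2409 section 5.4).

Added illustration for this thread, not code from any participant or from IOS.
All cookies, nonces, DH public values, SA bodies and keys below are constructed
placeholders; the 'g^x' values are fixed bytes standing in for real group elements.
"""
import hashlib
import hmac

ID_IPV4_ADDR, ID_FQDN = 1, 2  # ISAKMP identification types (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 prf = HMAC over the negotiated hash; SHA-1 is the IOS policy default
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # Pre-shared-key authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def id_body(id_type: int, data: bytes) -> bytes:
    # ID payload body after the generic header: type | protocol (UDP) | port 500 | data
    return bytes([id_type, 17]) + (500).to_bytes(2, "big") + data


# Constructed keyring mirroring 'crypto isakmp key cisco address|hostname ...' on a hub
KEYRING = {
    ("address", "10.20.30.41"): b"cisco",
    ("hostname", "router1.cisco.com"): b"cisco",
}


def responder_lookup(mode: str, peer_ip: str, peer_id: str = None):
    """Which key a responder can select before it must compute SKEYID.

    Main mode: IDii arrives encrypted in message 5, and decrypting it already
    needs SKEYID, so only the packet's source address is available -> address keys.
    Aggressive mode: IDii is in the clear in message 1 -> a hostname key is usable.
    """
    if mode == "main":
        return KEYRING.get(("address", peer_ip))
    if mode == "aggressive":
        if peer_id is not None and ("hostname", peer_id) in KEYRING:
            return KEYRING[("hostname", peer_id)]
        return KEYRING.get(("address", peer_ip))
    raise ValueError("unknown mode: " + mode)


def run_exchange(mode: str, initiator_psk: bytes, peer_ip: str, peer_fqdn: str) -> bool:
    """Initiator builds HASH_I with its key; responder recomputes it with the key it found."""
    # Constructed per-exchange values (real peers generate random cookies and nonces)
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    ni, nr = b"\x01" * 16, b"\x02" * 16
    gxi, gxr = b"\xaa" * 32, b"\xbb" * 32
    sai_b = bytes.fromhex("00000001")  # stand-in for the initiator's SA payload body

    if mode == "aggressive":
        # 'self-identity fqdn': the spoke identifies itself by hostname, in the clear
        idii_b = id_body(ID_FQDN, peer_fqdn.encode())
        peer_id = peer_fqdn
    else:
        # Main mode default identity is the source address, sent encrypted later
        idii_b = id_body(ID_IPV4_ADDR, bytes(int(o) for o in peer_ip.split(".")))
        peer_id = None

    sent = hash_i(skeyid_psk(initiator_psk, ni, nr), gxi, gxr, cky_i, cky_r, sai_b, idii_b)

    psk = responder_lookup(mode, peer_ip, peer_id)
    if psk is None:
        return False  # no usable key: the responder cannot even derive SKEYID
    expected = hash_i(skeyid_psk(psk, ni, nr), gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    # The key itself never crosses the wire; only a keyed hash bound to this exchange does
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    print("aggressive, dynamic spoke IP, hostname key:",
          run_exchange("aggressive", b"cisco", "192.0.2.7", "router1.cisco.com"))
    print("main, dynamic spoke IP, hostname key:",
          run_exchange("main", b"cisco", "192.0.2.7", "router1.cisco.com"))
    print("aggressive, wrong key on spoke:",
          run_exchange("aggressive", b"wrong", "192.0.2.7", "router1.cisco.com"))
```

Running it shows the shape of the problem in the thread: a spoke on an address the hub has never seen authenticates in aggressive mode against a hostname-keyed entry, the same spoke in main mode cannot be matched at all, and a mismatched key fails HASH_I verification regardless of mode. It also shows why the "identities revealed" caveat in the thread matters for aggressive mode: the identity that makes the hostname lookup possible is, by construction, the part of message 1 that is not encrypted.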