True, with AM the pre-shared key is not used with the shared secret to generate the encryption key.

But how will the peer initiating AM find a matching pre-shared key with hostnames? The pre-shared key should be sent as a hash to the other peer, which also hashes its pre-shared key and sees if it matches. Irrespective of whether it is AM or MM, this will happen. If you have configured a hostname for the pre-shared key, how will IOS find a matching key? Anyway, let's wait for others' comments too.

With regards
Kings

On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:

> Hello Kingsley,
>
> First I would like to thank you for putting your efforts into this great informative post. However, let me argue that:
>
> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it different from MM, where the PSK must be based on the peer address as the PSK is used in the DH KE algorithm. Thus I do believe there is no reason for the initiator to look up the peer address/hostname of the remote peer while initiating. I hope someone can shed more light on this. As per your statement:
>
> "The peer initiating the AM sees the IP address in the crypto map and tries to find a matching pre-shared key when there is interesting traffic." The question raised is why it can't send based on hostnames.
>
> In AM, as per my understanding, the DH KE works in parallel with the IKE IDs and the authentication process, i.e. the IDs are exchanged in the clear. While I believe it should work this way:
> 1) Initiator sends to responder its ISAKMP policy with its different parameters, and the responder replies having accepted a policy.
> 2) DH KE and IKE ID exchange for authentication happen simultaneously.
>
> Gents, will appreciate your support on this :)
>
> Thanks Kingsley :)
>
> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>
>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>
>> Let me put my understanding:
>>
>> Aggressive mode can be used where the IP address of a peer keeps changing.
>>
>> 1) One peer will be configured for a dynamic crypto map, and this is the hub or server, as the spokes' IP addresses keep changing.
>> 2) The other peers will be configured with a static crypto map with "set peer" of the hub's IP address.
>> 3) Since the addresses of the spokes keep changing, I opt for configuring hostnames on the hub for the pre-shared keys.
>> 4) In that case, the spokes should send the identity as hostnames.
>> 5) The hub should send the identity as address.
>>
>> If you want to initiate AM, there are two ways: either use an isakmp profile with "initiate mode aggressive", or "crypto isakmp peer address", which doesn't need profiles.
>>
>> In AM, the risk is that the identities of the peers are revealed during ISAKMP phase 1. Since the spoke's address changes there is not much risk, but still the hub's address is exposed.
>>
>> The peer initiating the AM sees the IP address in the crypto map and tries to find a matching pre-shared key when there is interesting traffic. If you configure it as a hostname, then it can't find a match. Hence on the peer which initiates the AM, you need to configure it with an IP address. The hub can be configured with a hostname as it is the receiver, not the initiator.
>>
>> *Spokes config*
>>
>> ip domain-name cisco.com
>> crypto isakmp policy 1
>>  authentication pre-share
>> crypto isakmp key cisco address 10.20.30.42
>>
>> crypto isakmp profile prof
>>  ! This profile is incomplete (no match identity statement)
>>  keyring default
>>  self-identity fqdn
>>  initiate mode aggressive
>>
>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>
>> crypto map cisco 1 ipsec-isakmp
>>  set peer 10.20.30.42
>>  set transform-set tran
>>  set isakmp-profile prof
>>  match address 123
>>
>> interface GigabitEthernet0/0
>>  crypto map cisco
>>
>> *Hub's config*
>>
>> crypto isakmp policy 1
>>  authentication pre-share
>> crypto isakmp key cisco hostname router1.cisco.com
>> crypto isakmp identity address
>>
>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>
>> crypto dynamic-map dynmap 1
>>  set transform-set tran
>>
>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>
>> interface GigabitEthernet0/0
>>  crypto map cisco
>>
>> Instead of a dynamic crypto map, you can use a static crypto map on the hub as follows; the logic is still the same.
>>
>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>
>> crypto map cisco 1 ipsec-isakmp
>>  set peer 10.20.30.41
>>  set transform-set tran
>>  match address 123
>>
>> interface GigabitEthernet0/0
>>  crypto map cisco
>>
>> Without ISAKMP profiles, you can initiate AM. Please refer to
>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>
>> With regards
>> Kings
>>
>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>
>>> I've had this issue before. I made this work in 2 ways:
>>> 1 - also add "crypto isakmp key CISCO address 136.1.122.2"
>>> or
>>> 2 - add a local host entry on the router mapping the hostname XXXX to 136.1.122.2
>>>
>>> Whether this is correct, I don't know, and I never had anyone explain to me why.
>>>
>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>
>>>> Dear Experts,
>>>>
>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP profiles; however, I am not able to get why it doesn't work. When running the debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or cert despite the fact that it exists. I would appreciate any input.
>>>>
>>>> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>>>>
>>>> crypto isakmp profile AGGRESSIVE
>>>>  ! This profile is incomplete (no match identity statement)
>>>>  keyring default
>>>>  self-identity fqdn
>>>>  initiate mode aggressive
>>>> !
>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>> !
>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>> crypto map R1R2 10 ipsec-isakmp
>>>>  set peer 136.1.122.2
>>>>  set transform-set R1R2
>>>>  match address LO12
>>>>
>>>> interface FastEthernet0/0
>>>>  ip address 136.1.121.1 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  crypto map R1R2
>>>>
>>>> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
>>>> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
>>>> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
>>>> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>>> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
>>>> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
>>>> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
>>>> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>>>>
>>>> Thanks
>>>>
>>>> Best Regards
>>>>
>>>> --
>>>> KJ
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>
> --
> KJ
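The disagreement in the thread (can the responder pick its pre-shared key by hostname, or only by peer address?) comes down to when the peer's ID payload becomes readable relative to when SKEYID must be computed. The following Python model is an added example, not code from the thread and not Cisco IOS code: the keyring entries, addresses, identities, nonces and stand-in DH public values are all constructed, SHA-1 is assumed as the negotiated hash (matching the esp-sha-hmac policies above), and the helper names (select_psk, phase1) are the example's own. It models the responder only: in main mode the initiator's ID arrives inside the encrypted fifth message, which cannot be decrypted without SKEYID_e derived from the PSK, so the only selector the responder has at that moment is the source address; in aggressive mode the ID is in the clear in the first message, so a hostname-keyed entry can be matched even when the spoke's address has changed. It does not model the initiator-side lookup behind the "No Cert or pre-shared address key" debug, which the thread leaves open.

```python
"""Toy model of IKEv1 phase 1 pre-shared-key authentication (RFC 2409 section 5.4),
seen from the responder.  Everything here (keyring, addresses, identities,
nonces, 'public values') is constructed for the example; it is not IOS code."""
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash; SHA-1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for pre-shared-key authentication."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def select_psk(keyring, src_ip, idii=None):
    """Pick the key the responder can use at the moment it must compute SKEYID.

    keyring maps ("address", ip) or ("hostname", fqdn) to a PSK, mirroring
    'crypto isakmp key ... address' / 'crypto isakmp key ... hostname'.
    idii is None when the initiator's ID is not yet readable (main mode: it is
    inside message 5, which is encrypted under SKEYID_e and so needs the PSK).
    """
    if idii is not None and ("hostname", idii) in keyring:
        return keyring[("hostname", idii)]
    return keyring.get(("address", src_ip))


def phase1(mode, responder_keyring, src_ip, idii, initiator_psk):
    """Run one phase-1 authentication; return (authenticated, reason)."""
    assert mode in ("main", "aggressive")
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)    # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)        # nonces
    gxi, gxr = secrets.token_bytes(128), secrets.token_bytes(128)    # DH public values (stand-ins)
    sai_b = b"\x00\x01policy-1"                                      # SA payload body (constructed)
    idii_b = b"\x02" + idii.encode()                                 # ID_FQDN (type 2) + name

    # Initiator side: it knows its own PSK and computes HASH_I.
    hi = hash_i(skeyid_psk(initiator_psk, ni, nr), gxi, gxr, cky_i, cky_r, sai_b, idii_b)

    # Responder side: which selector is available when SKEYID is needed?
    visible_id = idii if mode == "aggressive" else None
    psk_r = select_psk(responder_keyring, src_ip, visible_id)
    if psk_r is None:
        return False, "no pre-shared key selectable by %s for %s in %s mode" % (
            "hostname or address" if visible_id else "address", src_ip, mode)
    expected = hash_i(skeyid_psk(psk_r, ni, nr), gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    if hmac.compare_digest(hi, expected):
        return True, "HASH_I verified; key selected by %s" % (
            "hostname" if ("hostname", visible_id) in responder_keyring else "address")
    return False, "HASH_I mismatch: responder picked a different pre-shared key"


# Constructed hub keyring: hostname entry only, as in the hub config in the thread.
HUB_KEYRING_HOSTNAME = {("hostname", "router1.cisco.com"): b"cisco"}
# Same hub with an address entry for the spoke instead (main-mode style).
HUB_KEYRING_ADDRESS = {("address", "10.20.30.41"): b"cisco"}

if __name__ == "__main__":
    runs = [("aggressive", HUB_KEYRING_HOSTNAME, "10.20.30.41"),
            ("aggressive", HUB_KEYRING_HOSTNAME, "192.0.2.7"),   # spoke address changed
            ("main", HUB_KEYRING_HOSTNAME, "10.20.30.41"),
            ("main", HUB_KEYRING_ADDRESS, "10.20.30.41")]
    for mode, ring, ip in runs:
        print(mode, ip, phase1(mode, ring, ip, "router1.cisco.com", b"cisco"))
```

The second aggressive run is the hub-and-spoke case from the thread: the spoke shows up from a new address but still authenticates, because the hostname entry is matched on the cleartext ID. The same keyring fails in main mode, and only an address entry rescues it, which is the reason main mode with pre-shared keys ties the key to the peer address.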
