Thanks Boss:)..Let us wait & c

On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <
[email protected]> wrote:

> True with AM, the pre-shared key is not used with shared secret to generate
> the encryption key.
>
> But how will the peer initiating AM find matching pre-shared keys with
> hostnames? The pre-shared key should be sent as a hash to the other peer, which
> also hashes its pre-shared key and sees if it matches. Irrespective of
> whether it is AM or MM, this will happen. If you have configured a hostname
> for the pre-shared key, how will IOS find a matching key?
>
> Anyway, let's wait for others' comments too.
>
>
> With regards
> Kings
>
>
> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]>wrote:
>
>> Hello Kingsley,
>>
>> First I would like to thank you for putting your efforts into this great
>> informative post. However, let me argue that:
>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>> different from MM, where the PSK must be based on the peer address as the PSK is
>> used in the DH KE algorithm. Thus I do believe there is no reason for the
>> initiator to look up the peer address/hostname of the remote peer while
>> initiating. I hope someone can shed more light on this. As per your
>> statement:
>>
>> "The peer initiating the AM, sees the IP address in the crypto map and
>> tries to find a matching pre-shared key, when there is an interesting
>> traffic". The question raised is why it can't send based on hostnames.
>>
>> In AM as per my understanding the DH KE works in parallel with IKE IDs and
>> authentication process, i.e. the IDs are exchanged in the clear. While I
>> believe it should work this way:
>> 1)Initiator sends to responder its ISAKMP Policy with its different
>> parameters & the responder replies having accepted a policy.
>> 2)DH KE & IKE IDs exchange for authentication happen simultaneously.
>>
>> Gents will appreciate your support on this:)
>>
>> Thanks Kingsley:)
>>
>>
>>
>>
>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <
>> [email protected]> wrote:
>>
>>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>>
>>> Let me put my understanding:
>>>
>>> Aggressive mode can be used where the IP address of a peer keeps
>>> changing.
>>>
>>> 1) One peer will be configured for a dynamic crypto map, and this is the hub
>>> or server, as the spokes' IP addresses keep changing.
>>> 2) The other peers will be configured with a static crypto map with "set
>>> peer" of the hub's IP address.
>>> 3) Since the addresses of the spokes keep changing, I opt for configuring
>>> hostnames on the hub for the pre-shared keys.
>>> 4) In that case, the spokes should send the identity as hostnames.
>>> 5) The hub should send the identity as an address.
>>>
>>> If you want to initiate AM, there are two ways: either use an isakmp profile
>>> with "initiate mode aggressive" or "crypto isakmp peer address", which
>>> doesn't need profiles.
>>>
>>> In AM, the risk is that the identities of the peers are revealed during
>>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>>> but still the hub's address is exposed.
>>>
>>> The peer initiating the AM sees the IP address in the crypto map and
>>> tries to find a matching pre-shared key when there is interesting
>>> traffic. If you configure it as a hostname, then it can't find a match.
>>> Hence on the peer which initiates the AM, you need to configure it with an IP
>>> address. The hub can be configured with a hostname as it is the receiver,
>>> not the initiator.
>>>
>>>
>>> *Spokes config*
>>>
>>> ip domain-name cisco.com
>>> crypto isakmp policy 1
>>>  authentication pre-share
>>> crypto isakmp key cisco address 10.20.30.42
>>>
>>> crypto isakmp profile prof
>>>
>>> ! This profile is incomplete (no match identity statement)
>>>    keyring default
>>>    self-identity fqdn
>>>    initiate mode aggressive
>>>
>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>
>>> crypto map cisco 1 ipsec-isakmp
>>>  set peer 10.20.30.42
>>>  set transform-set tran
>>>  set isakmp-profile prof
>>>  match address 123
>>>
>>> interface GigabitEthernet0/0
>>>  crypto map cisco
>>>
>>>
>>> *Hub's config*
>>>
>>>
>>> crypto isakmp policy 1
>>>  authentication pre-share
>>> crypto isakmp key cisco hostname router1.cisco.com
>>> crypto isakmp identity address
>>>
>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>
>>> crypto dynamic-map dynmap 1
>>>  set transform-set tran
>>>
>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>
>>> interface GigabitEthernet0/0
>>>  crypto map cisco
>>>
>>> Instead of a dynamic crypto map, you can use a static crypto map on the hub
>>> as follows. The logic is still the same.
>>>
>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>
>>> crypto map cisco 1 ipsec-isakmp
>>>  set peer 10.20.30.41
>>>  set transform-set tran
>>>  match address 123
>>>
>>> interface GigabitEthernet0/0
>>>  crypto map cisco
>>>
>>>
>>>
>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>
>>>> I've had this issue before. I made this work in 2 ways:
>>>> 1 - also add "crypto isakmp key CISCO address 136.1.122.2"
>>>> or
>>>> 2 - add a local host entry on the router mapping the hostname XXXX to
>>>> 136.1.122.2
>>>>
>>>> If this is correct, I don't know, and I never had anyone explain to me why.
>>>>
>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>
>>>>> Dear Experts,
>>>>>
>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>> Profiles; however, I am not able to get why it doesn't work. When running
>>>>> the debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or
>>>>> cert despite the fact that it exists. I would appreciate any input.
>>>>>
>>>>> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>>>>>
>>>>> crypto isakmp profile AGGRESSIVE
>>>>> ! This profile is incomplete (no match identity statement)
>>>>>    keyring default
>>>>>    self-identity fqdn
>>>>>    initiate mode aggressive
>>>>> !
>>>>>
>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>> !
>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>  set peer 136.1.122.2
>>>>>  set transform-set R1R2
>>>>>  match address LO12
>>>>>
>>>>>
>>>>> interface FastEthernet0/0
>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>  duplex auto
>>>>>  speed auto
>>>>>  crypto map R1R2
>>>>>
>>>>>
>>>>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2,
>>>>> peer port 500
>>>>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508
>>>>> peer_handle = 0x80000010
>>>>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1
>>>>> for isakmp_initiator
>>>>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying
>>>>> Main mode.
>>>>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not
>>>>> start Main mode
>>>>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
>>>>> isadb_unlock_peer_delete_sa(), count 0
>>>>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
>>>>> 136.1.122.2: 83D50508
>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8,
>>>>> delme=83DE56A8
>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request: Failed
>>>>> to initialize SA
>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0,
>>>>> error 2.
>>>>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI
>>>>> message(s)
>>>>>
>>>>> Thanks
>>>>>
>>>>> Best Regards
>>>>>
>>>>> --
>>>>> KJ
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>> Cisco Security Professional
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> KJ
>>
>
>


-- 
KJ
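As an added illustration of the key-selection point argued in this thread (not code from the thread, from Cisco, or from any of the posters), the following Python models which pre-shared key an IOS-style keyring can select on each side of IKEv1 Phase 1 and carries the RFC 2409 SKEYID derivation through to show where the PSK actually enters. The keyring entries and hostnames are constructed from the configs quoted above (rack1r2.ine.com is taken from the link in Karim's post), and the responder's hostname-then-address lookup order is an assumption, not documented IOS behaviour.

```python
import hmac
import hashlib

# Constructed keyrings mirroring the thread's "crypto isakmp key ..." lines.
# Karim's original spoke config: a hostname entry only.
SPOKE_KEYRING_BEFORE = {("hostname", "rack1r2.ine.com"): b"CISCO"}
# After Bruno's fix: an address entry for the crypto map "set peer" is added.
SPOKE_KEYRING_AFTER = {**SPOKE_KEYRING_BEFORE, ("address", "136.1.122.2"): b"CISCO"}
# Hub keyed by the spoke's FQDN, as in Kingsley's hub config.
HUB_KEYRING = {("hostname", "router1.cisco.com"): b"cisco"}


def lookup_psk(keyring, id_type, id_value):
    """Return the pre-shared key for one identity, or None when nothing matches."""
    return keyring.get((id_type, id_value))


def initiator_psk(keyring, set_peer_addr):
    """Initiator side: per the thread, IOS selects the key by the crypto map
    'set peer' address, which is all it knows before the first message is built.
    A hostname-only keyring therefore yields None ('No Cert or pre-shared address key')."""
    return lookup_psk(keyring, "address", set_peer_addr)


def responder_psk(keyring, mode, peer_addr, peer_id):
    """Responder side. Main mode: the peer ID arrives encrypted in message 5 under
    keys derived from SKEYID_e, which itself depends on the PSK, so only the source
    address can select the key. Aggressive mode: the ID is in message 1 in the clear,
    so a hostname entry can be matched (the identity exposure the thread mentions).
    Assumed order: hostname entry first, then address entry."""
    if mode == "main":
        return lookup_psk(keyring, "address", peer_addr)
    return lookup_psk(keyring, "hostname", peer_id) or lookup_psk(keyring, "address", peer_addr)


def prf(key, data):
    """RFC 2409 PRF for a SHA-1 policy: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5.4 key material for pre-shared-key authentication.
    The PSK enters only in SKEYID; the DH shared secret g^xy is independent of it,
    and SKEYID_e is what protects main-mode messages 5 and 6 (the ID payloads)."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


if __name__ == "__main__":
    print("spoke before fix:", initiator_psk(SPOKE_KEYRING_BEFORE, "136.1.122.2"))
    print("spoke after fix: ", initiator_psk(SPOKE_KEYRING_AFTER, "136.1.122.2"))
    print("hub, main mode:  ", responder_psk(HUB_KEYRING, "main", "10.20.30.41", "router1.cisco.com"))
    print("hub, aggressive: ", responder_psk(HUB_KEYRING, "aggressive", "10.20.30.41", "router1.cisco.com"))
```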
