Thanks Boss :). Let us wait & see.

On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:

> True with AM, the pre-shared key is not used with the shared secret to generate
> the encryption key.
>
> But how will the peer initiating AM find a matching pre-shared key with
> hostnames? The pre-shared key should be sent as a hash to the other peer, which
> also hashes its pre-shared key and sees if it matches. Irrespective of
> whether it is AM or MM, this will happen. If you have configured a hostname
> for the pre-shared key, how will IOS find a matching key?
>
> Anyway, let's wait for others' comments too.
>
> With regards
> Kings
>
> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>
>> Hello Kingsley,
>>
>> First I would like to thank you for putting your efforts into this great
>> informative post. However, let me argue that:
>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>> different from MM, where the PSK must be based on the peer address as the PSK is
>> used in the DH KE algorithm. Thus I do believe there is no reason for the
>> initiator to look up the peer address/hostname of the remote peer while
>> initiating. I hope someone can shed more light on this. As per your
>> statement:
>>
>> "The peer initiating the AM, sees the IP address in the crypto map and
>> tries to find a matching pre-shared key, when there is an interesting
>> traffic". The question raised is why it can't send based on hostnames.
>>
>> In AM, as per my understanding, the DH KE works in parallel with the IKE IDs and
>> the authentication process, i.e. the IDs are exchanged in the clear. While I
>> believe it should work this way:
>> 1) Initiator sends to responder its ISAKMP policy with its different
>> parameters, and the responder replies having accepted a policy.
>> 2) DH KE & IKE ID exchange for authentication happen simultaneously.
>>
>> Gents, will appreciate your support on this :)
>>
>> Thanks Kingsley :)
>>
>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>>
>>> Let me put my understanding:
>>>
>>> Aggressive mode can be used where the IP address of a peer keeps
>>> changing.
>>>
>>> 1) One peer will be configured for a dynamic crypto map, and this is the hub
>>> or server, as the spokes' IP addresses keep changing.
>>> 2) The other peers will be configured with a static crypto map with "set
>>> peer" of the hub's IP address.
>>> 3) Since the addresses of the spokes keep changing, I opt for configuring
>>> hostnames on the hub for the pre-shared keys.
>>> 4) In that case, the spokes should send the identity as hostnames.
>>> 5) The hub should send the identity as address.
>>>
>>> If you want to initiate AM, there are two ways: either use an isakmp profile
>>> with "initiate mode aggressive" or "crypto isakmp peer address", which
>>> doesn't need profiles.
>>>
>>> In AM, the risk is that the identities of the peers are revealed during
>>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>>> but still the hub's address is exposed.
>>>
>>> The peer initiating the AM sees the IP address in the crypto map and
>>> tries to find a matching pre-shared key when there is interesting
>>> traffic. If you configure it as a hostname, then it can't find a match. Hence
>>> on the peer which initiates the AM, you need to configure it with an IP
>>> address. The hub can be configured with a hostname as it is the receiver, not
>>> the initiator.
>>>
>>> *Spokes config*
>>>
>>> ip domain-name cisco.com
>>> crypto isakmp policy 1
>>> authentication pre-share
>>> crypto isakmp key cisco address 10.20.30.42
>>>
>>> crypto isakmp profile prof
>>> ! This profile is incomplete (no match identity statement)
>>> keyring default
>>> self-identity fqdn
>>> initiate mode aggressive
>>>
>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>
>>> crypto map cisco 1 ipsec-isakmp
>>> set peer 10.20.30.42
>>> set transform-set tran
>>> set isakmp-profile prof
>>> match address 123
>>>
>>> interface GigabitEthernet0/0
>>> crypto map cisco
>>>
>>> *Hub's config*
>>>
>>> crypto isakmp policy 1
>>> authentication pre-share
>>> crypto isakmp key cisco hostname router1.cisco.com
>>> crypto isakmp identity address
>>>
>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>
>>> crypto dynamic-map dynmap 1
>>> set transform-set tran
>>>
>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>
>>> interface GigabitEthernet0/0
>>> crypto map cisco
>>>
>>> Instead of a dynamic crypto map, you can use a static crypto map on the hub
>>> as follows. The logic is still the same.
>>>
>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>
>>> crypto map cisco 1 ipsec-isakmp
>>> set peer 10.20.30.41
>>> set transform-set tran
>>> match address 123
>>>
>>> interface GigabitEthernet0/0
>>> crypto map cisco
>>>
>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>
>>> With regards
>>> Kings
>>>
>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>
>>>> I've had this issue before. I made this work in 2 ways:
>>>> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
>>>> or
>>>> 2 - add a local host entry on the router mapping the hostname XXXX to
>>>> 136.1.122.2
>>>>
>>>> If this is correct, I don't know, and I never had anyone explain to me why.
>>>>
>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>
>>>>> Dear Experts,
>>>>>
>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>> Profiles; however, I am not able to get why it doesn't work. When running the
>>>>> debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or
>>>>> cert despite the fact that it exists. I would appreciate any input.
>>>>>
>>>>> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>>>>>
>>>>> crypto isakmp profile AGGRESSIVE
>>>>> ! This profile is incomplete (no match identity statement)
>>>>> keyring default
>>>>> self-identity fqdn
>>>>> initiate mode aggressive
>>>>> !
>>>>>
>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>> !
>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>> set peer 136.1.122.2
>>>>> set transform-set R1R2
>>>>> match address LO12
>>>>>
>>>>> interface FastEthernet0/0
>>>>> ip address 136.1.121.1 255.255.255.0
>>>>> duplex auto
>>>>> speed auto
>>>>> crypto map R1R2
>>>>>
>>>>> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
>>>>> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
>>>>> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
>>>>> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>>>> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
>>>>> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
>>>>> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
>>>>> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>>>>>
>>>>> Thanks
>>>>>
>>>>> Best Regards
>>>>>
>>>>> --
>>>>> KJ
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>
>>>> --
>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>> Cisco Security Professional
>>
>> --
>> KJ
>

--
KJ
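The thread argues about which selector (peer address or hostname) each side can use to pick the pre-shared key in Main Mode versus Aggressive Mode, and why the spoke only initiates once an address key or a local host entry exists. The following is an added model, not code from the list or from Cisco, that walks the PSK-authenticated phase 1 far enough to show the ordering constraint of RFC 2409: SKEYID = prf(PSK, Ni | Nr) is needed before HASH_I can be checked, and in Main Mode the initiator's ID only arrives in message 5, already encrypted, whereas in Aggressive Mode it is in message 1 in the clear. Assumptions are labelled in the code: the initiator is modelled as looking up its key by the `set peer` address (what the posted debug shows), the `ip host` mapping is an assumed model of Bruno's second workaround, the DH values, nonces, cookies and SA payload are constructed stand-ins, and `rack1r1.ine.com` is an assumed FQDN for R1 (the thread only reveals `rack1r2.ine.com` and the two addresses).

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with `key` over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Keyring:
    """Models 'crypto isakmp key <psk> address <ip>' / '... hostname <fqdn>'
    plus 'ip host <name> <ip>' (assumed model of Bruno's second workaround)."""

    def __init__(self):
        self.by_address, self.by_hostname, self.hosts = {}, {}, {}

    def add(self, psk, address=None, hostname=None):
        if address:
            self.by_address[address] = psk
        if hostname:
            self.by_hostname[hostname] = psk

    def ip_host(self, hostname, address):
        self.hosts[hostname] = address

    def lookup(self, address=None, hostname=None):
        """Address key first, then hostname key, then a hostname key whose
        local host entry resolves to `address`. None if nothing matches."""
        if address in self.by_address:
            return self.by_address[address]
        if hostname in self.by_hostname:
            return self.by_hostname[hostname]
        for name, ip in self.hosts.items():
            if ip == address and name in self.by_hostname:
                return self.by_hostname[name]
        return None


def phase1_psk(mode, initiator, responder, init_addr, init_fqdn, resp_addr):
    """Run the PSK-authenticated phase 1 far enough to see which key each
    side can select. Returns (authenticated, reason)."""
    ni, nr = b"\x11" * 16, b"\x22" * 16          # constructed nonces
    cky_i, cky_r = b"\xa1" * 8, b"\xb2" * 8      # constructed ISAKMP cookies
    g_xi, g_xr = b"\x33" * 32, b"\x44" * 32      # stand-ins for DH public values
    sa_i = b"policy 1: 3des sha pre-share"       # stand-in for the SA payload body
    id_i = init_fqdn.encode()                    # 'self-identity fqdn' on the spoke

    # Initiator: the posted debug shows IOS wanting a key for the 'set peer'
    # address ("No Cert or pre-shared address key" otherwise); modelled as such.
    psk_i = initiator.lookup(address=resp_addr)
    if psk_i is None:
        return False, "initiator: No Cert or pre-shared address key"

    # Responder: SKEYID = prf(PSK, Ni|Nr) must exist before HASH_I can be checked.
    if mode == "main":
        # IDii rides in message 5, already encrypted under SKEYID_e, so the
        # only selector available at this point is the packet's source address.
        psk_r = responder.lookup(address=init_addr)
    elif mode == "aggressive":
        # IDii is in message 1 in the clear, so a hostname key can be matched.
        psk_r = responder.lookup(address=init_addr, hostname=init_fqdn)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    if psk_r is None:
        return False, f"responder: no pre-shared key for {init_addr} in {mode} mode"

    def hash_i(psk):  # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
        skeyid = prf(psk.encode(), ni + nr)
        return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sa_i + id_i)

    if not hmac.compare_digest(hash_i(psk_i), hash_i(psk_r)):
        return False, "responder: HASH_I mismatch (keys differ)"
    return True, f"{mode} mode: initiator {id_i.decode()} authenticated"


SPOKE_ADDR, HUB_ADDR = "136.1.121.1", "136.1.122.2"            # from the thread
SPOKE_FQDN, HUB_FQDN = "rack1r1.ine.com", "rack1r2.ine.com"    # R1's FQDN assumed


def spoke(address_key=False, host_entry=False, psk="CISCO"):
    kr = Keyring()
    kr.add(psk, hostname=HUB_FQDN)          # Karim's original hostname-only key
    if address_key:
        kr.add(psk, address=HUB_ADDR)       # Bruno's workaround 1
    if host_entry:
        kr.ip_host(HUB_FQDN, HUB_ADDR)      # Bruno's workaround 2
    return kr


def hub(key_by="hostname", psk="CISCO"):
    kr = Keyring()
    if key_by == "hostname":
        kr.add(psk, hostname=SPOKE_FQDN)    # Kingsley's hub style: key by hostname
    else:
        kr.add(psk, address=SPOKE_ADDR)
    return kr


def run(mode, spoke_kr, hub_kr):
    return phase1_psk(mode, spoke_kr, hub_kr, SPOKE_ADDR, SPOKE_FQDN, HUB_ADDR)


if __name__ == "__main__":
    for label, mode, s, h in [
        ("hostname-only spoke, AM", "aggressive", spoke(), hub()),
        ("spoke + address key, AM", "aggressive", spoke(address_key=True), hub()),
        ("spoke + ip host, AM", "aggressive", spoke(host_entry=True), hub()),
        ("spoke + address key, MM, hub by hostname", "main", spoke(address_key=True), hub()),
    ]:
        print(f"{label:42} -> {run(mode, s, h)}")
```

The first scenario reproduces the posted failure (only a hostname key on the initiating spoke), the next two reproduce Bruno's two fixes, and the Main Mode scenario shows why a hostname-keyed hub works for Aggressive Mode but not for Main Mode in this model: the hub never sees the FQDN before it has to derive SKEYID.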
