Hello all, 

If I remember correctly, in ISAKMP main mode, the negotiation of policies, such 
as DH group, encryption, etc., is done before the authentication of the peer takes 
place.

But in aggressive mode, all these attributes are sent in one packet, thus 
resulting in fewer packets, and everything must be just a-ok, as there will be 
no negotiation on the policies.

So, in main mode, msg 1 contains only the authentication policies, while in 
aggressive mode the first message contains all properties and the nonce (DH).

Hth
Pj

Sent from my iPad

On 10 Oct. 2010, at 08:18, karim jamali <[email protected]> wrote:

> Thanks Boss:)..Let us wait & c
> 
> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles 
> <[email protected]> wrote:
> True, with AM the pre-shared key is not used with the shared secret to generate 
> the encryption key. 
> 
> But how will the peer initiating AM find matching pre-shared keys with 
> hostnames? The pre-shared key should be sent as a hash to the other peer, which 
> also hashes its pre-shared key and sees if it matches. Irrespective of 
> whether it is AM or MM, this will happen. If you have configured a hostname for 
> the pre-shared key, how will IOS find a matching key?
> 
> Anyway, let's wait for others' comments too.
> 
> 
> With regards
> Kings
> 
> 
> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
> hello Kingsley,
> 
> First I would like to thank you for putting your efforts into this great 
> informative post. However, let me argue that:
> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it 
> different from MM, where the PSK must be based on the peer address as the PSK is 
> used in the DH KE algorithm. Thus I do believe there is no reason for the 
> initiator to look up the peer address/hostname of the remote peer while 
> initiating. I hope someone can shed more light on this. As per your 
> statement:
> 
> "The peer initiating the AM, sees the IP address in the crypto map and tries 
> to find a matching pre-shared key, when there is an interesting traffic". The 
> question raised is why it can't send based on hostnames.
> 
> In AM as per my understanding the DH KE works in parallel with IKE IDs and 
> authentication process, i.e. the IDs are exchanged in the clear. While I 
> believe it should work this way:
> 1)Initiator sends to responder its ISAKMP Policy with its different 
> parameters & the responder replies having accepted a policy. 
> 2)DH KE & IKE IDs exchange for authentication happen simultaneously.
> 
> Gents will appreciate your support on this:)
> 
> Thanks Kingsley:)
> 
> 
> 
> 
> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles 
> <[email protected]> wrote:
> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2. 
> 
> Let me put my understanding:
> 
> Aggressive mode can be used where the IP address of a peer keeps changing. 
> 
> 1) One peer will be configured for dynamic crypto map and this is the hub or 
> server, as the spokes' IP addresses keep changing.
> 2) The other peers will be configured with static crypto map with "set peer" 
> of the hub's IP address.
> 3) Since the addresses of spokes keep changing, I opt for configuring hostnames 
> on the hub for the pre-shared keys.
> 4) In that case, the spokes should send the identity in hostnames.
> 5) The hub should send the identity in address.
> 
> If you want to initiate AM, there are two ways either use isakmp profile with 
> "initiate mode aggressive" or "crypto isakmp peer address" which doesn't need 
> profiles.
> 
> In AM, the risk is that the identities of the peers are revealed during ISAKMP 
> phase 1. Since the spoke's address changes, there is not much risk, but still 
> the hub's address is exposed. 
> 
> The peer initiating the AM sees the IP address in the crypto map and tries 
> to find a matching pre-shared key when there is interesting traffic. If 
> you configure it as a hostname, then it can't find a match. Hence on the peer 
> which initiates the AM, you need to configure with IP address. The hub can be 
> configured with a hostname as it is the receiver, not the initiator. 
> 
> 
> Spokes config
> 
> ip domain-name cisco.com
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key cisco address 10.20.30.42
> 
> crypto isakmp profile prof
> 
> ! This profile is incomplete (no match identity statement)
>    keyring default
>    self-identity fqdn
>    initiate mode aggressive
> 
> crypto ipsec transform-set tran esp-3des esp-sha-hmac
> 
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.20.30.42
>  set transform-set tran
>  set isakmp-profile prof
>  match address 123
> 
> interface GigabitEthernet0/0
>  crypto map cisco
> 
> 
> Hub's config
> 
> 
> crypto isakmp policy 1
>  authentication pre-share
> crypto isakmp key cisco hostname router1.cisco.com
> crypto isakmp identity address
> 
> crypto ipsec transform-set tran esp-3des esp-sha-hmac
> 
> crypto dynamic-map dynmap 1
>  set transform-set tran
> 
> crypto map cisco 1 ipsec-isakmp dynamic dynmap
> 
> interface GigabitEthernet0/0
>  crypto map cisco
> 
> Instead of a dynamic crypto map, you can use a static crypto map on the hub as 
> follows. The logic is still the same.
> 
> crypto ipsec transform-set tran esp-3des esp-sha-hmac
> 
> crypto map cisco 1 ipsec-isakmp
>  set peer 10.20.30.41
>  set transform-set tran
>  match address 123
> 
> interface GigabitEthernet0/0
>  crypto map cisco
> 
> 
> 
> Without ISAKMP profiles, you can initiate AM. Please refer to 
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
> 
> With regards
> Kings
> 
> 
> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
> I've had this issue before. I made this work in 2 ways:
> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
> or
> 2 - add a local host entry on the router mapping the hostname XXXX to 
> 136.1.122.2
> 
> If this is correct, I don't know, and I never had anyone explain to me why.
> 
> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
> Dear Experts,
> 
> I am trying to run IKE Phase I in Aggressive mode using ISAKMP Profiles; 
> however, I am not able to understand why it doesn't work. When running the 
> debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or cert 
> despite the fact that it exists. I would appreciate any input.
> 
> crypto isakmp key CISCO hostname XXXX
> 
> crypto isakmp profile AGGRESSIVE
> ! This profile is incomplete (no match identity statement)
>    keyring default
>    self-identity fqdn
>    initiate mode aggressive
> !
> 
> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac 
> !
> crypto map R1R2 isakmp-profile AGGRESSIVE
> crypto map R1R2 10 ipsec-isakmp 
>  set peer 136.1.122.2
>  set transform-set R1R2 
>  match address LO12
> 
> 
> interface FastEthernet0/0
>  ip address 136.1.121.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map R1R2
> 
> 
>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 
> 500
> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 
> 0x80000010
> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for 
> isakmp_initiator
> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE      
> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main 
> mode.
> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key. 
> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start 
> Main mode
> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for 
> isadb_unlock_peer_delete_sa(), count 0
> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 
> 83D50508
> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to 
> initialize SA
> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI 
> message(s)
> 
> Thanks
> 
> Best Regards
> 
> -- 
> KJ
> 
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
> 
> 
> 
> 
> -- 
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
> 
> 
> 
> 
> 
> 
> -- 
> KJ
> 
> 
> 
> 
> -- 
> KJ
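As an added illustration (not from any message in this thread, and not IOS code), below is a small Python model of where in IKEv1 phase 1 each side first needs the pre-shared key, and therefore which selector it can use to find it. It assumes a toy DH group, SHA-1 as the prf and simplified HASH_I/HASH_R inputs; the Keyring class stands in for "crypto isakmp key ... address" versus "... hostname", and the Peer identity for "self-identity fqdn" versus "crypto isakmp identity address". It models the protocol's message ordering only, not the way IOS actually performs its key lookup when it initiates.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only; real IKEv1 uses
# the MODP groups of RFC 2409. The DH exchange itself never involves the PSK.
TOY_P = (1 << 61) - 1   # Mersenne prime, generator 2

def prf(key, data):
    """IKEv1 prf: HMAC over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

class Keyring:
    """PSKs keyed by peer address or hostname ('crypto isakmp key ... address|hostname')."""

    def __init__(self):
        self.by_address, self.by_hostname = {}, {}

    def add(self, psk, *, address=None, hostname=None):
        if address:
            self.by_address[address] = psk
        if hostname:
            self.by_hostname[hostname] = psk

    def lookup(self, address, peer_id=None):
        """peer_id: ID payload already received from the peer, or None. Returns (psk, selector)."""
        if peer_id and peer_id[0] == "fqdn" and peer_id[1] in self.by_hostname:
            return self.by_hostname[peer_id[1]], "hostname"
        if address in self.by_address:
            return self.by_address[address], "address"
        return None, None

class Peer:
    def __init__(self, address, fqdn, id_type, keyring):
        self.address, self.keyring = address, keyring
        # 'self-identity fqdn' versus 'crypto isakmp identity address'
        self.ident = ("fqdn", fqdn) if id_type == "fqdn" else ("address", address)
        self.x = secrets.randbelow(TOY_P - 3) + 2           # private DH exponent
        self.gx = pow(2, self.x, TOY_P).to_bytes(8, "big")  # KE payload
        self.nonce = secrets.token_bytes(16)

def run_phase1(mode, i, r):
    """Simulate PSK-authenticated IKEv1 phase 1 (initiator i, responder r); report selectors."""
    cky = secrets.token_bytes(16)                     # CKY-I | CKY-R
    sa_i = b"SA:3des-sha1-psk-group2"                 # proposal bytes, constructed
    skeyid = lambda psk: prf(psk, i.nonce + r.nonce)  # RFC 2409 5.4, PSK auth
    hash_i = lambda k, ident: prf(k, i.gx + r.gx + cky + sa_i + ident[1].encode())
    hash_r = lambda k, ident: prf(k, r.gx + i.gx + cky + sa_i + ident[1].encode())
    fail = lambda why: {"ok": False, "reason": why}

    if mode == "main":
        # Messages 1-4 carry only SA, KE and nonces; the IDs travel in messages 5 and 6,
        # encrypted under SKEYID-derived keys, so the PSK must be chosen by address first.
        psk_i, sel_i = i.keyring.lookup(r.address)
        if psk_i is None:
            return fail("initiator: no pre-shared address key")
        k_i = skeyid(psk_i)
        msg5 = (k_i, i.ident, hash_i(k_i, i.ident))      # k_i stands in for the cipher
        psk_r, sel_r = r.keyring.lookup(i.address)       # IDii is still encrypted
        if psk_r is None:
            return fail("responder: no pre-shared address key")
        k_r = skeyid(psk_r)
        if k_r != msg5[0]:
            return fail("responder: cannot decrypt message 5 (PSK mismatch)")
        if msg5[2] != hash_i(k_r, msg5[1]):
            return fail("responder: HASH_I mismatch")
        msg6 = (r.ident, hash_r(k_r, r.ident))
        if msg6[1] != hash_r(k_i, msg6[0]):
            return fail("initiator: HASH_R mismatch")
    else:
        # Message 1 carries SA, KE, Ni and IDii in the clear, so the responder can
        # pick the PSK by hostname; the price is that the identity is on the wire.
        psk_r, sel_r = r.keyring.lookup(i.address, i.ident)
        if psk_r is None:
            return fail("responder: no matching pre-shared key")
        k_r = skeyid(psk_r)
        msg2 = (r.ident, hash_r(k_r, r.ident))           # SA, KE, Nr, IDir, HASH_R
        psk_i, sel_i = i.keyring.lookup(r.address, msg2[0])
        if psk_i is None:
            return fail("initiator: no matching pre-shared key")
        k_i = skeyid(psk_i)
        if msg2[1] != hash_r(k_i, msg2[0]):
            return fail("initiator: HASH_R mismatch")
        if hash_i(k_i, i.ident) != hash_i(k_r, i.ident):  # message 3: HASH_I
            return fail("responder: HASH_I mismatch")

    gxy_i = pow(int.from_bytes(r.gx, "big"), i.x, TOY_P)
    gxy_r = pow(int.from_bytes(i.gx, "big"), r.x, TOY_P)
    return {"ok": True, "initiator_selector": sel_i, "responder_selector": sel_r,
            "dh_agrees": gxy_i == gxy_r, "ids_in_clear": mode == "aggressive"}

def hub_spoke_scenario(mode):
    """Hub keyed by spoke hostname, identifying by address; spoke keyed by hub address, FQDN identity."""
    hub_kr, spoke_kr = Keyring(), Keyring()
    hub_kr.add(b"cisco", hostname="router1.cisco.com")
    spoke_kr.add(b"cisco", address="10.20.30.42")
    spoke = Peer("10.20.30.41", "router1.cisco.com", "fqdn", spoke_kr)
    hub = Peer("10.20.30.42", "hub.example.invalid", "address", hub_kr)
    return run_phase1(mode, spoke, hub)
```

hub_spoke_scenario("aggressive") succeeds with the hub matching by hostname and the spoke by address, because IDii is in message 1 and IDir in message 2 before either side computes a hash. hub_spoke_scenario("main") fails at the responder: message 5 arrives encrypted before IDii can be read, so a hostname-only keyring has nothing to match on. An initiator that holds only a hostname-keyed entry fails main mode at its own first lookup, which is consistent with the "No Cert or pre-shared address key" line in the debug quoted above.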