Gents,

AM can authenticate a peer using either IP, hostname or certificate. MM can use only IP or certificate.

Really, I don't get what you are looking for.

Regards,
Piotr

2010/10/10 Pieter-Jan Nefkens <[email protected]>
> Hello all,
>
> If I remember correctly, in ISAKMP main mode, the negotiation of policies,
> such as DH group, encryption, etc. is done before the authentication of the
> peer takes place.
>
> But in aggressive mode, all these attributes are sent in one packet, thus
> resulting in fewer packets, and everything must be just a-ok, as there will
> be no negotiation on the policies.
>
> So, in main mode, msg 1 contains only the authentication policies, while in
> aggressive mode the first message contains all properties and the nonce (DH).
>
> Hth
> Pj
>
> Sent from my iPad
>
> On 10 okt. 2010, at 08:18, karim jamali <[email protected]> wrote:
>
> Thanks Boss:)..Let us wait & c
>
> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:
>
>> True with AM, the pre-shared key is not used with the shared secret to
>> generate the encryption key.
>>
>> But how will the peer initiating AM find a matching pre-shared key with
>> hostnames? The pre-shared key should be sent as a hash to the other peer, which
>> also hashes its pre-shared key and sees if it matches. Irrespective of
>> whether it is AM or MM, this will happen. If you have configured a hostname
>> for the pre-shared key, how will IOS find a matching key?
>>
>> Anyway, let's wait for others' comments too.
>>
>> With regards
>> Kings
>>
>> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>>
>>> Hello Kingsley,
>>>
>>> First I would like to thank you for putting your efforts into this great
>>> informative post. However, let me argue that:
>>>
>>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>>> different from MM, where the PSK must be based on the peer address as the PSK is
>>> used in the DH KE algorithm. Thus I do believe there is no reason for the
>>> initiator to look up the peer address/hostname of the remote peer while
>>> initiating. I hope someone can shed more light on this. As per your
>>> statement:
>>>
>>> "The peer initiating the AM, sees the IP address in the crypto map and
>>> tries to find a matching pre-shared key, when there is an interesting
>>> traffic". The question raised is why it can't send based on hostnames.
>>>
>>> In AM, as per my understanding, the DH KE works in parallel with IKE IDs
>>> and the authentication process, i.e. the IDs are exchanged in the clear. While I
>>> believe it should work this way:
>>> 1) Initiator sends to responder its ISAKMP policy with its different
>>> parameters, and the responder replies having accepted a policy.
>>> 2) DH KE and IKE ID exchange for authentication happen simultaneously.
>>>
>>> Gents, will appreciate your support on this :)
>>>
>>> Thanks Kingsley :)
>>>
>>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> Karim, configure "crypto isakmp key CISCO address 136.1.122.2" on R1R2.
>>>>
>>>> Let me put my understanding:
>>>>
>>>> Aggressive mode can be used where the IP address of a peer keeps
>>>> changing.
>>>>
>>>> 1) One peer will be configured for a dynamic crypto map, and this is the
>>>> hub or server, as the spokes' IP addresses keep changing.
>>>> 2) The other peers will be configured with a static crypto map with "set
>>>> peer" of the hub's IP address.
>>>> 3) Since the addresses of the spokes keep changing, I opt for configuring
>>>> hostnames on the hub for the pre-shared keys.
>>>> 4) In that case, the spokes should send their identity as hostnames.
>>>> 5) The hub should send its identity as an address.
>>>>
>>>> If you want to initiate AM, there are two ways: either use an isakmp profile
>>>> with "initiate mode aggressive" or "crypto isakmp peer address", which
>>>> doesn't need profiles.
>>>>
>>>> In AM, the risk is that the identity of the peers is revealed during
>>>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>>>> but still the hub's address is exposed.
>>>>
>>>> The peer initiating the AM sees the IP address in the crypto map and
>>>> tries to find a matching pre-shared key when there is interesting
>>>> traffic. If you configure it as a hostname, then it can't find a match.
>>>> Hence on the peer which initiates the AM, you need to configure it with
>>>> an IP address. The hub can be configured with a hostname, as it is the
>>>> receiver, not the initiator.
>>>>
>>>> *Spokes config*
>>>>
>>>> ip domain-name cisco.com
>>>> crypto isakmp policy 1
>>>>  authentication pre-share
>>>> crypto isakmp key cisco address 10.20.30.42
>>>>
>>>> crypto isakmp profile prof
>>>>  ! This profile is incomplete (no match identity statement)
>>>>  keyring default
>>>>  self-identity fqdn
>>>>  initiate mode aggressive
>>>>
>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>
>>>> crypto map cisco 1 ipsec-isakmp
>>>>  set peer 10.20.30.42
>>>>  set transform-set tran
>>>>  set isakmp-profile prof
>>>>  match address 123
>>>>
>>>> interface GigabitEthernet0/0
>>>>  crypto map cisco
>>>>
>>>> *Hub's config*
>>>>
>>>> crypto isakmp policy 1
>>>>  authentication pre-share
>>>> crypto isakmp key cisco hostname router1.cisco.com
>>>> crypto isakmp identity address
>>>>
>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>
>>>> crypto dynamic-map dynmap 1
>>>>  set transform-set tran
>>>>
>>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>>
>>>> interface GigabitEthernet0/0
>>>>  crypto map cisco
>>>>
>>>> Instead of a dynamic crypto map, you can use a static crypto map on the hub
>>>> as follows. The logic is still the same.
>>>>
>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>
>>>> crypto map cisco 1 ipsec-isakmp
>>>>  set peer 10.20.30.41
>>>>  set transform-set tran
>>>>  match address 123
>>>>
>>>> interface GigabitEthernet0/0
>>>>  crypto map cisco
>>>>
>>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>>
>>>>> I've had this issue before. I made this work in 2 ways:
>>>>> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
>>>>> or
>>>>> 2 - add a local host entry on the router mapping the hostname XXXX to
>>>>> 136.1.122.2
>>>>>
>>>>> If this is correct, I don't know, and I never had anyone explain to me why.
>>>>>
>>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>>
>>>>>> Dear Experts,
>>>>>>
>>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>>> Profiles; however, I am not able to get why it doesn't work. When running
>>>>>> the debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or
>>>>>> cert despite the fact that it exists. I would appreciate any input.
>>>>>>
>>>>>> crypto isakmp key CISCO hostname XXXX
>>>>>>
>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>  ! This profile is incomplete (no match identity statement)
>>>>>>  keyring default
>>>>>>  self-identity fqdn
>>>>>>  initiate mode aggressive
>>>>>> !
>>>>>>
>>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>>> !
>>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>>  set peer 136.1.122.2
>>>>>>  set transform-set R1R2
>>>>>>  match address LO12
>>>>>>
>>>>>> interface FastEthernet0/0
>>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>>  duplex auto
>>>>>>  speed auto
>>>>>>  crypto map R1R2
>>>>>>
>>>>>> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>>> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>>> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
>>>>>> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
>>>>>> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
>>>>>> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>>> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>>> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>>> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>>>>> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>>> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
>>>>>> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
>>>>>> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
>>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
>>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
>>>>>> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Best Regards
>>>>>>
>>>>>> --
>>>>>> KJ
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>
>>>>> --
>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>> Cisco Security Professional
>>>
>>> --
>>> KJ
>
> --
> KJ
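The thread keeps returning to one question: why an initiating IOS peer with only a hostname-keyed PSK logs "No Cert or pre-shared address key", while a hub that only responds can key its PSK by hostname. The model below is an added example written for this page; it is not code from any of the posters and not Cisco's. It encodes the behaviour they describe plus one RFC 2409 fact: with pre-shared-key authentication, SKEYID = prf(PSK, Ni_b | Nr_b), and in main mode the ID payloads (messages 5 and 6) are encrypted under keys derived from SKEYID, so a responder must pick the PSK by the peer address before it can see any identity; in aggressive mode IDii travels in the clear in message 1 (the identity exposure Kingsley mentions), so a hostname-keyed PSK can be matched against it. The addresses 136.1.121.1 and 136.1.122.2 are the ones in the thread; the FQDNs, key strings, and the use of HMAC-SHA256 as a stand-in for the negotiated prf are constructed, and the host-table branch is a model of Bruno's second workaround as he describes it, not verified against IOS.

```python
"""Model of IKEv1 pre-shared-key selection in main vs aggressive mode.

Constructed example for this page, not code from the thread or from Cisco.
"""
import hashlib
import hmac
import secrets

# Debug text quoted in the thread, reused here as the failure reason.
NO_KEY = "No Cert or pre-shared address key"


class Keyring:
    """Mirrors 'crypto isakmp key <psk> address <ip>' and '... hostname <fqdn>'."""

    def __init__(self):
        self.by_address = {}
        self.by_hostname = {}

    def add(self, psk, address=None, hostname=None):
        if address is not None:
            self.by_address[address] = psk.encode()
        if hostname is not None:
            self.by_hostname[hostname] = psk.encode()


def skeyid(psk, ni, nr):
    """RFC 2409, PSK authentication: SKEYID = prf(PSK, Ni_b | Nr_b).
    HMAC-SHA256 stands in for whatever prf the policy negotiates (assumption)."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def initiator_psk(keyring, peer_address, hosts=None):
    """When building message 1 the initiator knows only the peer address from
    'set peer', so only an address-keyed PSK can match, in either mode."""
    psk = keyring.by_address.get(peer_address)
    if psk is None and hosts:
        # Bruno's second workaround as described in the thread: a local host
        # entry (IOS 'ip host <name> <ip>') lets a hostname-keyed entry be
        # resolved to the peer address. Modelled here, not verified on IOS.
        for name, psk_h in keyring.by_hostname.items():
            if hosts.get(name) == peer_address:
                return psk_h
    return psk


def responder_psk(keyring, mode, peer_address, peer_id):
    """Main mode: ID payloads are encrypted under SKEYID-derived keys, so the
    PSK must be chosen by address before any identity is visible.
    Aggressive mode: IDii is in clear in message 1, so a hostname-keyed PSK
    can be matched against it."""
    if mode == "aggressive" and peer_id in keyring.by_hostname:
        return keyring.by_hostname[peer_id]
    return keyring.by_address.get(peer_address)


def phase1(mode, init_ring, resp_ring, init_addr, resp_addr, init_id, init_hosts=None):
    """One phase-1 attempt: PSK selection on both sides, then SKEYID agreement.
    Returns {'ok', 'side' (the failing side or None), 'reason'}."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    psk_i = initiator_psk(init_ring, resp_addr, init_hosts)
    if psk_i is None:
        return {"ok": False, "side": "initiator", "reason": NO_KEY}
    psk_r = responder_psk(resp_ring, mode, init_addr, init_id)
    if psk_r is None:
        return {"ok": False, "side": "responder", "reason": NO_KEY}
    # Different secrets give different SKEYIDs, so HASH_I verification fails.
    if skeyid(psk_i, ni, nr) != skeyid(psk_r, ni, nr):
        return {"ok": False, "side": "responder", "reason": "HASH_I mismatch: PSK differs"}
    return {"ok": True, "side": None, "reason": "SKEYID agreed"}


def scenarios():
    """Replays the situations discussed in the thread."""
    spoke_addr, hub_addr = "136.1.121.1", "136.1.122.2"   # addresses from the thread
    spoke_fqdn, hub_fqdn = "spoke.example.net", "hub.example.net"  # constructed
    hub = Keyring()
    hub.add("CISCO", hostname=spoke_fqdn)     # hub keys its PSK by the spoke's FQDN
    results = {}

    # Original poster: the initiating spoke has only a hostname-keyed PSK.
    spoke = Keyring()
    spoke.add("CISCO", hostname=hub_fqdn)
    results["op_hostname_only"] = phase1("aggressive", spoke, hub, spoke_addr, hub_addr, spoke_fqdn)

    # Bruno's workaround 2: same keyring plus a local host entry for the hub.
    results["host_entry_added"] = phase1("aggressive", spoke, hub, spoke_addr, hub_addr,
                                         spoke_fqdn, init_hosts={hub_fqdn: hub_addr})

    # Bruno's workaround 1 / Kingsley's advice: add an address-keyed PSK.
    spoke.add("CISCO", address=hub_addr)
    results["address_key_added"] = phase1("aggressive", spoke, hub, spoke_addr, hub_addr, spoke_fqdn)

    # Same keyrings in main mode: the hub never sees the ID before it needs the PSK.
    results["main_mode_hub_hostname"] = phase1("main", spoke, hub, spoke_addr, hub_addr, spoke_fqdn)

    # Selectors match but the secrets differ: selection succeeds, authentication fails.
    hub_wrong = Keyring()
    hub_wrong.add("cisco", hostname=spoke_fqdn)
    results["psk_mismatch"] = phase1("aggressive", spoke, hub_wrong, spoke_addr, hub_addr, spoke_fqdn)
    return results


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:24s} ok={r['ok']!s:5s} side={r['side']}  {r['reason']}")
```

Running it prints one line per scenario; the first reproduces the thread's failure on the initiator side, the next two show the two workarounds succeeding, the main-mode run fails on the hub because a hostname-keyed PSK cannot be selected before the encrypted ID arrives, and the last shows that a selector match alone proves nothing until both sides derive the same SKEYID.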
