Hi Piotr,

If a peer is initiating AM, can it have the pre-shared key configured with hostname?

With regards
Kings

On Sun, Oct 10, 2010 at 5:19 PM, Piotr Matusiak <[email protected]> wrote:
> Gents,
>
> AM can authenticate peer using either IP, hostname or Certificate
> MM can use only IP or Certificate
>
> Really, don't get what are you looking for.
>
> Regards,
> Piotr
>
> 2010/10/10 Pieter-Jan Nefkens <[email protected]>
>
>> Hello all,
>>
>> If I remember correctly, in ISAKMP main mode, the negotiation of policies,
>> such as DH group, encryption, etc. is done before the authentication of the
>> peer takes place.
>>
>> But in aggressive mode, all these attributes are sent in one packet, thus
>> resulting in fewer packets, and everything must be just a-ok, as there will
>> be no negotiation on the policies.
>>
>> So, in main mode, msg 1 contains only the authentication policies, while
>> in aggressive mode the first message contains all properties and the nonce
>> (DH).
>>
>> Hth
>> Pj
>>
>> Sent from my iPad
>>
>> On 10 Oct 2010, at 08:18, karim jamali <[email protected]> wrote:
>>
>> Thanks Boss:)..Let us wait & c
>>
>> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> True with AM, the pre-shared key is not used with shared secret to
>>> generate the encryption key.
>>>
>>> But how will the peer initiating AM find a matching pre-shared key
>>> with hostnames? The pre-shared key should be sent as a hash to the other peer,
>>> which also hashes its pre-shared key and sees if it matches. Irrespective
>>> of whether it is AM or MM, this will happen. If you have configured hostname
>>> for the pre-shared key, how will IOS find a matching key?
>>>
>>> Anyway let's wait for others' comments too.
>>>
>>> With regards
>>> Kings
>>>
>>> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>>>
>>>> hello Kingsley,
>>>>
>>>> First I would like to thank you for putting your efforts into this great
>>>> informative post. However let me argue that:
>>>>
>>>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>>>> different from MM, where PSK must be based on the peer address as the PSK is
>>>> used in the DH KE algorithm. Thus I do believe there is no reason for the
>>>> initiator to look up the peer address/hostname of the remote peer while
>>>> initiating. I hope someone can shed more light on this. As per your
>>>> statement:
>>>>
>>>> "The peer initiating the AM, sees the IP address in the crypto map and
>>>> tries to find a matching pre-shared key, when there is an interesting
>>>> traffic". The question raised is why it can't send based on hostnames.
>>>>
>>>> In AM as per my understanding the DH KE works in parallel with IKE IDs
>>>> and authentication process, i.e. the IDs are exchanged in the clear. While I
>>>> believe it should work this way:
>>>> 1) Initiator sends to responder its ISAKMP Policy with its different
>>>> parameters & the responder replies having accepted a policy.
>>>> 2) DH KE & IKE IDs exchange for authentication happen simultaneously.
>>>>
>>>> Gents will appreciate your support on this:)
>>>>
>>>> Thanks Kingsley:)
>>>>
>>>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>>>>
>>>>> Let me put my understanding:
>>>>>
>>>>> Aggressive mode can be used where the IP address of a peer keeps
>>>>> changing.
>>>>>
>>>>> 1) One peer will be configured for dynamic crypto map and this is the
>>>>> hub or server, as the spoke's IP address keeps changing.
>>>>> 2) The other peers will be configured with static crypto map with "set
>>>>> peer" of the hub's IP address.
>>>>> 3) Since the address of spokes keeps changing, I opt for configuring
>>>>> hostnames on hub for the pre-shared keys.
>>>>> 4) In that case, the spokes should send the identity in hostnames.
>>>>> 5) The hub should send the identity in address.
>>>>>
>>>>> If you want to initiate AM, there are two ways: either use isakmp
>>>>> profile with "initiate mode aggressive" or "crypto isakmp peer address",
>>>>> which doesn't need profiles.
>>>>>
>>>>> In AM, the risk is that the identities of the peers are revealed during
>>>>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>>>>> but still the hub's address is exposed.
>>>>>
>>>>> The peer initiating the AM sees the IP address in the crypto map and
>>>>> tries to find a matching pre-shared key when there is interesting
>>>>> traffic. If you configure it as a hostname, then it can't find a match.
>>>>> Hence on the peer which initiates the AM, you need to configure with IP
>>>>> address. The hub can be configured with hostname as it is the receiver,
>>>>> not the initiator.
>>>>>
>>>>> *Spokes config*
>>>>>
>>>>> ip domain-name cisco.com
>>>>> crypto isakmp policy 1
>>>>>  authentication pre-share
>>>>> crypto isakmp key cisco address 10.20.30.42
>>>>>
>>>>> crypto isakmp profile prof
>>>>> ! This profile is incomplete (no match identity statement)
>>>>>  keyring default
>>>>>  self-identity fqdn
>>>>>  initiate mode aggressive
>>>>>
>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>
>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>  set peer 10.20.30.42
>>>>>  set transform-set tran
>>>>>  set isakmp-profile prof
>>>>>  match address 123
>>>>>
>>>>> interface GigabitEthernet0/0
>>>>>  crypto map cisco
>>>>>
>>>>> *Hub's config*
>>>>>
>>>>> crypto isakmp policy 1
>>>>>  authentication pre-share
>>>>> crypto isakmp key cisco hostname router1.cisco.com
>>>>> crypto isakmp identity address
>>>>>
>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>
>>>>> crypto dynamic-map dynmap 1
>>>>>  set transform-set tran
>>>>>
>>>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>>>
>>>>> interface GigabitEthernet0/0
>>>>>  crypto map cisco
>>>>>
>>>>> Instead of dynamic crypto map, you can use static crypto map on the hub
>>>>> as following. The logic is still the same.
>>>>>
>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>
>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>  set peer 10.20.30.41
>>>>>  set transform-set tran
>>>>>  match address 123
>>>>>
>>>>> interface GigabitEthernet0/0
>>>>>  crypto map cisco
>>>>>
>>>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>>>
>>>>>> I've had this issue before. I made this work in 2 ways:
>>>>>> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
>>>>>> or
>>>>>> 2 - add a local host entry on the router mapping the hostname XXXX to
>>>>>> 136.1.122.2
>>>>>>
>>>>>> If this is correct, I don't know, and never had anyone to explain to me
>>>>>> why.
>>>>>>
>>>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>>>
>>>>>>> Dear Experts,
>>>>>>>
>>>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>>>> Profiles, however I am not able to get why it doesn't work. When running
>>>>>>> the debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK
>>>>>>> or cert despite the fact that it exists. I would appreciate any input.
>>>>>>>
>>>>>>> crypto isakmp key CISCO hostname XXXX
>>>>>>>
>>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>  keyring default
>>>>>>>  self-identity fqdn
>>>>>>>  initiate mode aggressive
>>>>>>> !
>>>>>>>
>>>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>>>> !
>>>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>>>  set peer 136.1.122.2
>>>>>>>  set transform-set R1R2
>>>>>>>  match address LO12
>>>>>>>
>>>>>>> interface FastEthernet0/0
>>>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>>>  duplex auto
>>>>>>>  speed auto
>>>>>>>  crypto map R1R2
>>>>>>>
>>>>>>> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>>>> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>>>> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
>>>>>>> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
>>>>>>> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
>>>>>>> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>>>> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>>>> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>>>> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
>>>>>>> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
>>>>>>> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
>>>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
>>>>>>> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Best Regards
>>>>>>>
>>>>>>> --
>>>>>>> KJ
>>>>>>
>>>>>> --
>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>> Cisco Security Professional
>>>>
>>>> --
>>>> KJ
>>
>> --
>> KJ
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
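As an added example (not part of the thread, and not Cisco's code), the Python model below shows why the key lookup differs between the two modes the thread argues about. Per RFC 2409, with pre-shared keys SKEYID = prf(PSK, Ni_b | Nr_b); in Main Mode the ID payload arrives in message 5 encrypted under a key derived from SKEYID, so the responder must choose the PSK before it can read the peer's identity and can only key it off the source address; in Aggressive Mode IDii is carried in the clear in message 1, so a hostname-keyed PSK can be matched. The addresses, hostnames and the key `cisco` come from Kingsley's sample configs; the `host_table` models Bruno's local host-entry workaround; the rule that an initiator selects its key by the `set peer` address (or by a hostname that resolves locally to it) is an assumption drawn from the thread, not from Cisco documentation. Diffie-Hellman, encryption and payload encoding are omitted; the nonces, cookies and HMAC-SHA1 hashing are real.

```python
"""Toy model of IKEv1 phase 1 pre-shared-key selection, Main Mode vs
Aggressive Mode. Added example; not from the thread and not Cisco's code.
Only key selection and HASH_I checking are modelled (no DH, no encryption)."""
import hashlib
import hmac
import os

ID_IPV4_ADDR = 1  # ISAKMP identification types (RFC 2407)
ID_FQDN = 2


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """address_keys / hostname_keys mirror 'crypto isakmp key K address IP'
    and '... hostname FQDN'; host_table mirrors a local 'ip host FQDN IP'."""

    def __init__(self, ip, fqdn, address_keys=None, hostname_keys=None, host_table=None):
        self.ip, self.fqdn = ip, fqdn
        self.address_keys = dict(address_keys or {})
        self.hostname_keys = dict(hostname_keys or {})
        self.host_table = dict(host_table or {})

    def key_as_initiator(self, peer_ip):
        # Assumption from the thread: the initiator only knows the peer by its
        # 'set peer' address, so it takes an address key, or a hostname key
        # whose name resolves locally to that address.
        if peer_ip in self.address_keys:
            return self.address_keys[peer_ip]
        for name, ip in self.host_table.items():
            if ip == peer_ip and name in self.hostname_keys:
                return self.hostname_keys[name]
        return None

    def key_by_identity(self, id_type, id_data):
        if id_type == ID_IPV4_ADDR:
            return self.address_keys.get(id_data)
        if id_type == ID_FQDN:
            return self.hostname_keys.get(id_data)
        return None


def hash_i(skeyid, cky_i, cky_r, id_type, id_data):
    # Stand-in for HASH_I = prf(SKEYID, g^xi|g^xr|CKY-I|CKY-R|SAi_b|IDii_b)
    # with the DH and SA parts omitted.
    return prf(skeyid, cky_i + cky_r + bytes([id_type]) + id_data.encode())


def _authenticate(psk_i, psk_r, id_type, id_data):
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    ni, nr = os.urandom(16), os.urandom(16)
    sent = hash_i(prf(psk_i, ni + nr), cky_i, cky_r, id_type, id_data)
    expected = hash_i(prf(psk_r, ni + nr), cky_i, cky_r, id_type, id_data)
    return "authenticated" if hmac.compare_digest(sent, expected) else "HASH_I mismatch"


def main_mode(initiator, responder, id_type, id_data):
    psk_i = initiator.key_as_initiator(responder.ip)
    if psk_i is None:
        return "initiator: no pre-shared key for " + responder.ip
    # Messages 1-4 carry only SA, KE and nonces; message 5 (IDii, HASH_I) is
    # encrypted, so the responder derives SKEYID now, keyed off the source
    # address, whatever identity the initiator will present later.
    psk_r = responder.key_by_identity(ID_IPV4_ADDR, initiator.ip)
    if psk_r is None:
        return "responder: no pre-shared address key for " + initiator.ip
    return _authenticate(psk_i, psk_r, id_type, id_data)


def aggressive_mode(initiator, responder, id_type, id_data):
    psk_i = initiator.key_as_initiator(responder.ip)
    if psk_i is None:
        return "initiator: no pre-shared key for " + responder.ip
    # Message 1 carries SA, KE, Ni and IDii in the clear, so the responder
    # can select the key by the identity type the initiator presents.
    psk_r = responder.key_by_identity(id_type, id_data)
    if psk_r is None:
        return "responder: no pre-shared key for identity %r" % id_data
    return _authenticate(psk_i, psk_r, id_type, id_data)


def thread_scenarios():
    # Constructed sample input: hub/spoke addresses, names and key from the
    # thread's sample configs, plus the local host-entry workaround.
    hub = Peer("10.20.30.42", "hub.cisco.com", hostname_keys={"router1.cisco.com": b"cisco"})
    hub_addr = Peer("10.20.30.42", "hub.cisco.com", address_keys={"10.20.30.41": b"cisco"})
    spoke = Peer("10.20.30.41", "router1.cisco.com", address_keys={"10.20.30.42": b"cisco"})
    spoke_host = Peer("10.20.30.41", "router1.cisco.com",
                      hostname_keys={"hub.cisco.com": b"cisco"},
                      host_table={"hub.cisco.com": "10.20.30.42"})
    spoke_nohost = Peer("10.20.30.41", "router1.cisco.com", hostname_keys={"hub.cisco.com": b"cisco"})
    spoke_badkey = Peer("10.20.30.41", "router1.cisco.com", address_keys={"10.20.30.42": b"wrong"})
    return {
        "mm_hostname_only_hub": main_mode(spoke, hub, ID_IPV4_ADDR, spoke.ip),
        "mm_address_key_hub": main_mode(spoke, hub_addr, ID_IPV4_ADDR, spoke.ip),
        "am_fqdn_identity": aggressive_mode(spoke, hub, ID_FQDN, spoke.fqdn),
        "am_address_identity": aggressive_mode(spoke, hub, ID_IPV4_ADDR, spoke.ip),
        "am_initiator_hostname_with_host_entry": aggressive_mode(spoke_host, hub, ID_FQDN, spoke_host.fqdn),
        "am_initiator_hostname_no_host_entry": aggressive_mode(spoke_nohost, hub, ID_FQDN, spoke_nohost.fqdn),
        "am_wrong_psk": aggressive_mode(spoke_badkey, hub, ID_FQDN, spoke_badkey.fqdn),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print("%-40s %s" % (name, result))
```

Run it directly to print each scenario. The two failures worth noting are `mm_hostname_only_hub` (a hub with only a hostname key cannot serve a Main Mode peer at all) and `am_initiator_hostname_no_host_entry` (an initiator holding only a hostname key has nothing to match against the `set peer` address until a host entry ties the name to it), which correspond to the two fixes Bruno reported.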
