Hi Piotr

If a peer is initiating AM, can it have the pre-shared key configured with
hostname?


With regards
Kings

On Sun, Oct 10, 2010 at 5:19 PM, Piotr Matusiak <[email protected]> wrote:

> Gents,
>
> AM can authenticate a peer using either IP, hostname or Certificate.
> MM can use only IP or Certificate.
>
> Really, I don't get what you are looking for.
>
> Regards,
> Piotr
>
> 2010/10/10 Pieter-Jan Nefkens <[email protected]>
>
> Hello all,
>>
>> If I remember correctly, in isakmp main mode, the negotiation of policies,
>> such as dh group, encryption, etc is done before the authentication of the
>> peer takes place.
>>
>> But in aggressive mode, all these attributes are sent in one packet, thus
>> resulting in fewer packets, and everything must be just a-ok, as there will
>> be no negotiation on the policies.
>>
>> So, in main mode, msg 1 contains only the authentication policies, while
>> in aggressive mode the first message contains all properties and the nonce
>> (dh)
>>
>> Hth
>> Pj
>>
>> Sent from my iPad
>>
>> On 10 okt. 2010, at 08:18, karim jamali <[email protected]> wrote:
>>
>> Thanks Boss:)..Let us wait & c
>>
>> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:
>>
>>> True, with AM the pre-shared key is not used with the shared secret to
>>> generate the encryption key.
>>>
>>> But how will the peer initiating AM find a matching pre-shared key
>>> with hostnames? The pre-shared key should be sent as a hash to the other peer,
>>> which also hashes its pre-shared key and sees if it matches. Irrespective
>>> of whether it is AM or MM, this will happen. If you have configured a hostname
>>> for the pre-shared key, how will IOS find a matching key?
>>>
>>> Anyway let's wait for others' comments too.
>>>
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>>>
>>>> hello Kingsley,
>>>>
>>>> First I would like to thank you for putting your efforts into this great
>>>> informative post. However, let me argue that:
>>>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>>>> different from MM, where the PSK must be based on the peer address as the PSK is
>>>> used in the DH KE algorithm. Thus I do believe there is no reason for the
>>>> initiator to look up the peer address/hostname of the remote peer while
>>>> initiating. I hope someone can shed more light on this. As per your
>>>> statement:
>>>>
>>>> "The peer initiating the AM, sees the IP address in the crypto map and
>>>> tries to find a matching pre-shared key, when there is an interesting
>>>> traffic". The question raised is why it can't send based on hostnames.
>>>>
>>>> In AM as per my understanding the DH KE works in parallel with IKE IDs
>>>> and the authentication process, i.e. the IDs are exchanged in the clear. While I
>>>> believe it should work this way:
>>>> 1) Initiator sends to responder its ISAKMP Policy with its different
>>>> parameters & the responder replies having accepted a policy.
>>>> 2) DH KE & IKE IDs exchange for authentication happen simultaneously.
>>>>
>>>> Gents will appreciate your support on this:)
>>>>
>>>> Thanks Kingsley:)
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>>>>
>>>>> Let me put my understanding:
>>>>>
>>>>> Aggressive mode can be used where the IP address of a peer keeps
>>>>> changing.
>>>>>
>>>>> 1) One peer will be configured for a dynamic crypto map; this is the
>>>>> hub or server, as the spokes' IP addresses keep changing.
>>>>> 2) The other peers will be configured with a static crypto map with "set
>>>>> peer" of the hub's IP address.
>>>>> 3) Since the addresses of the spokes keep changing, I opt for configuring
>>>>> hostnames on the hub for the pre-shared keys.
>>>>> 4) In that case, the spokes should send the identity as hostnames.
>>>>> 5) The hub should send the identity as an address.
>>>>>
>>>>> If you want to initiate AM, there are two ways: either use an isakmp
>>>>> profile with "initiate mode aggressive" or "crypto isakmp peer address",
>>>>> which doesn't need profiles.
>>>>>
>>>>> In AM, the risk is that the identities of the peers are revealed during
>>>>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>>>>> but still the hub's address is exposed.
>>>>>
>>>>> The peer initiating the AM sees the IP address in the crypto map and
>>>>> tries to find a matching pre-shared key when there is interesting
>>>>> traffic. If you configure it as a hostname, then it can't find a match.
>>>>> Hence on the peer which initiates the AM, you need to configure it with an
>>>>> IP address. The hub can be configured with a hostname as it is the receiver,
>>>>> not the initiator.
>>>>>
>>>>>
>>>>> *Spokes config*
>>>>>
>>>>> ip domain-name cisco.com
>>>>> crypto isakmp policy 1
>>>>>  authentication pre-share
>>>>> crypto isakmp key cisco address 10.20.30.42
>>>>>
>>>>> crypto isakmp profile prof
>>>>>
>>>>> ! This profile is incomplete (no match identity statement)
>>>>>    keyring default
>>>>>    self-identity fqdn
>>>>>    initiate mode aggressive
>>>>>
>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>
>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>  set peer 10.20.30.42
>>>>>  set transform-set tran
>>>>>  set isakmp-profile prof
>>>>>  match address 123
>>>>>
>>>>> interface GigabitEthernet0/0
>>>>>  crypto map cisco
>>>>>
>>>>>
>>>>> *Hub's config*
>>>>>
>>>>>
>>>>> crypto isakmp policy 1
>>>>>  authentication pre-share
>>>>> crypto isakmp key cisco hostname router1.cisco.com
>>>>> crypto isakmp identity address
>>>>>
>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>
>>>>> crypto dynamic-map dynmap 1
>>>>>  set transform-set tran
>>>>>
>>>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>>>
>>>>> interface GigabitEthernet0/0
>>>>>  crypto map cisco
>>>>>
>>>>> Instead of a dynamic crypto map, you can use a static crypto map on the hub
>>>>> as follows. The logic is still the same.
>>>>>
>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>
>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>  set peer 10.20.30.41
>>>>>  set transform-set tran
>>>>>  match address 123
>>>>>
>>>>> interface GigabitEthernet0/0
>>>>>  crypto map cisco
>>>>>
>>>>>
>>>>>
>>>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>>
>>>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>>>
>>>>>> I've had this issue before. I made this work in 2 ways:
>>>>>> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
>>>>>> or
>>>>>> 2 - add a local host entry on the router mapping the hostname XXXX to
>>>>>> 136.1.122.2
>>>>>>
>>>>>> If this is correct, I don't know, and never had anyone explain to me
>>>>>> why.
>>>>>>
>>>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>>>
>>>>>>> Dear Experts,
>>>>>>>
>>>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>>>> Profiles; however, I am not able to get why it doesn't work. When running
>>>>>>> the debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK
>>>>>>> or cert despite the fact that it exists. I would appreciate any input.
>>>>>>>
>>>>>>> crypto isakmp key CISCO hostname XXXX
>>>>>>>
>>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>    keyring default
>>>>>>>    self-identity fqdn
>>>>>>>    initiate mode aggressive
>>>>>>> !
>>>>>>>
>>>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>>>> !
>>>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>>>  set peer 136.1.122.2
>>>>>>>  set transform-set R1R2
>>>>>>>  match address LO12
>>>>>>>
>>>>>>>
>>>>>>> interface FastEthernet0/0
>>>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>>>  duplex auto
>>>>>>>  speed auto
>>>>>>>  crypto map R1R2
>>>>>>>
>>>>>>>
>>>>>>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>>>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>>>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2,
>>>>>>> peer port 500
>>>>>>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508
>>>>>>> peer_handle = 0x80000010
>>>>>>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount
>>>>>>> 1 for isakmp_initiator
>>>>>>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>>>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>>>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>>>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying
>>>>>>> Main mode.
>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not
>>>>>>> start Main mode
>>>>>>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
>>>>>>> isadb_unlock_peer_delete_sa(), count 0
>>>>>>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
>>>>>>> 136.1.122.2: 83D50508
>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8,
>>>>>>> delme=83DE56A8
>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request:
>>>>>>> Failed to initialize SA
>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0,
>>>>>>> error 2.
>>>>>>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI
>>>>>>> message(s)
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Best Regards
>>>>>>>
>>>>>>> --
>>>>>>> KJ
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>> please visit www.ipexpert.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>> Cisco Security Professional
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> KJ
>>>>
>>>
>>>
>>
>>
>> --
>> KJ
>>
>>
>>
>>
>>
>
>
>
