Yes. Something like this (simple topology like R1 ---- R2). Config on R1 should look like:

ip host R2.cisco.com 10.1.12.2
!
crypto keyring KEYS
 pre-shared-key hostname R2.cisco.com key cisco123
!
crypto isakmp profile IKE
 keyring KEYS
 self-identity fqdn
 match identity host R2.cisco.com
 initiate mode aggressive
!
crypto ipsec profile IPSEC
 set isakmp-profile IKE
 set transform-set TS

plus some obvious things like SVTI and crypto policy and transform set.

cheers!
Piotr

2010/10/10 Kingsley Charles <[email protected]>:

Hi Piotr,

If a peer is initiating AM, can it have the pre-shared key configured with hostname?

With regards
Kings

On Sun, Oct 10, 2010 at 5:19 PM, Piotr Matusiak <[email protected]> wrote:

Gents,

AM can authenticate a peer using either IP, hostname or Certificate.
MM can use only IP or Certificate.

Really, I don't get what you are looking for.

Regards,
Piotr

2010/10/10 Pieter-Jan Nefkens <[email protected]>:

Hello all,

If I remember correctly, in ISAKMP main mode, the negotiation of policies, such as DH group, encryption, etc. is done before the authentication of the peer takes place.

But in aggressive mode, all these attributes are sent in one packet, thus resulting in fewer packets, and everything must be just a-ok, as there will be no negotiation on the policies.

So, in main mode, msg 1 contains only the authentication policies, while in aggressive mode the first message contains all properties and the nonce (DH).

Hth
Pj

Sent from my iPad

On 10 okt. 2010, at 08:18, karim jamali <[email protected]> wrote:

Thanks Boss :)..Let us wait & c

On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:

True, with AM the pre-shared key is not used with the shared secret to generate the encryption key.

But how will the peer initiating AM find a matching pre-shared key with hostnames? The pre-shared key should be sent as a hash to the other peer, which also hashes its pre-shared key and sees if it matches. Irrespective of whether it is AM or MM, this will happen. If you have configured hostname for the pre-shared key, how will IOS find a matching key?

Anyway, let's wait for others' comments too.

With regards
Kings

On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:

Hello Kingsley,

First I would like to thank you for putting your efforts into this great informative post. However, let me argue that:

1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it different from MM, where the PSK must be based on the peer address as the PSK is used in the DH KE algorithm. Thus I do believe there is no reason for the initiator to look up the peer address/hostname of the remote peer while initiating. I hope someone can shed more light on this. As per your statement:

"The peer initiating the AM, sees the IP address in the crypto map and tries to find a matching pre-shared key, when there is an interesting traffic". The question raised is why it can't send based on hostnames.

In AM, as per my understanding, the DH KE works in parallel with the IKE IDs and authentication process, i.e. the IDs are exchanged in the clear. I believe it should work this way:
1) Initiator sends to responder its ISAKMP Policy with its different parameters & the responder replies having accepted a policy.
2) DH KE & IKE IDs exchange for authentication happen simultaneously.

Gents, will appreciate your support on this :)

Thanks Kingsley :)

On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:

Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.

Let me put my understanding:

Aggressive mode can be used where the IP address of a peer keeps changing.

1) One peer will be configured for dynamic crypto map and this is the hub or server, as the spokes' IP addresses keep changing.
2) The other peers will be configured with static crypto map with "set peer" of the hub's IP address.
3) Since the address of the spokes keeps changing, I opt for configuring hostnames on the hub for the pre-shared keys.
4) In that case, the spokes should send the identity in hostnames.
5) The hub should send the identity in address.

If you want to initiate AM, there are two ways: either use isakmp profile with "initiate mode aggressive" or "crypto isakmp peer address", which doesn't need profiles.

In AM, the risk is that the identities of the peers are revealed during ISAKMP phase 1. Since the spoke's address changes there is not much risk, but still the hub's address is exposed.

The peer initiating the AM sees the IP address in the crypto map and tries to find a matching pre-shared key when there is interesting traffic. If you configure it as a hostname, then it can't find a match. Hence on the peer which initiates the AM, you need to configure it with the IP address. The hub can be configured with a hostname as it is the receiver, not the initiator.

*Spokes config*

ip domain-name cisco.com
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 10.20.30.42

crypto isakmp profile prof
 ! This profile is incomplete (no match identity statement)
 keyring default
 self-identity fqdn
 initiate mode aggressive

crypto ipsec transform-set tran esp-3des esp-sha-hmac

crypto map cisco 1 ipsec-isakmp
 set peer 10.20.30.42
 set transform-set tran
 set isakmp-profile prof
 match address 123

interface GigabitEthernet0/0
 crypto map cisco

*Hub's config*

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco hostname router1.cisco.com
crypto isakmp identity address

crypto ipsec transform-set tran esp-3des esp-sha-hmac

crypto dynamic-map dynmap 1
 set transform-set tran

crypto map cisco 1 ipsec-isakmp dynamic dynmap

interface GigabitEthernet0/0
 crypto map cisco

Instead of a dynamic crypto map, you can use a static crypto map on the hub as follows. The logic is still the same.

crypto ipsec transform-set tran esp-3des esp-sha-hmac

crypto map cisco 1 ipsec-isakmp
 set peer 10.20.30.41
 set transform-set tran
 match address 123

interface GigabitEthernet0/0
 crypto map cisco

Without ISAKMP profiles, you can initiate AM. Please refer to
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml

With regards
Kings

On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:

I've had this issue before. I made this work in 2 ways:
1 - add also "crypto isakmp key CISCO address 136.1.122.2"
or
2 - add a local host entry on the router mapping the hostname XXXX to 136.1.122.2

If this is correct, I don't know, and I never had anyone explain to me why.

On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:

Dear Experts,

I am trying to run IKE Phase I in Aggressive mode using ISAKMP Profiles, however I am not able to get why it doesn't work. When running the debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or cert despite the fact that it exists. I would appreciate any input.

crypto isakmp key CISCO hostname XXXX

crypto isakmp profile AGGRESSIVE
 ! This profile is incomplete (no match identity statement)
 keyring default
 self-identity fqdn
 initiate mode aggressive
!

crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
!
crypto map R1R2 isakmp-profile AGGRESSIVE
crypto map R1R2 10 ipsec-isakmp
 set peer 136.1.122.2
 set transform-set R1R2
 match address LO12

interface FastEthernet0/0
 ip address 136.1.121.1 255.255.255.0
 duplex auto
 speed auto
 crypto map R1R2

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Thanks

Best Regards

--
KJ

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
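Added example by the editor, not code from the thread or from IOS. It carries the RFC 2409 pre-shared-key derivation that the thread argues about through both exchanges, to show why a main-mode responder can only pick a PSK by the peer's address (IDii arrives in message 5, encrypted under a key derived from the PSK, so nothing but the source address is available when the key must be chosen) while an aggressive-mode responder sees IDii in cleartext in message 1 and can pick a hostname-keyed entry, which is the hub/spoke split in Kingsley's configs. The initiator-side lookup that Bruno's local host entry and Piotr's `ip host` / `match identity host` lines deal with is not modelled. The DH group, cookies, nonces, SA payload body, addresses and keyring entries are constructed; the prf is HMAC-SHA1, as with an ISAKMP policy using SHA-1. The last function adds a caveat the thread does not raise: every input to HASH_R in aggressive mode is sent in the clear, so a captured exchange lets an observer test PSK guesses offline.

```python
"""IKEv1 (RFC 2409) phase 1 with pre-shared keys: main mode vs aggressive
mode PSK selection on the responder. Added example; everything below is
constructed for the demo and is not IOS behaviour verbatim."""
import hashlib
import hmac
import os

# Toy DH parameters so the demo runs instantly. A real exchange negotiates an
# IKE MODP group; the key derivation below does not depend on the group.
P = 2 ** 127 - 1
G = 5

ID_IPV4_ADDR, ID_FQDN = 1, 2  # RFC 2407 identification types


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC over the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared key auth: SKEYID = prf(psk, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def main_mode_psk(keyring, src_ip):
    """Main mode: IDii only arrives in message 5, encrypted under SKEYID_e,
    which is derived from the PSK. The responder can therefore select a key
    only by the packet's source address (IOS: 'pre-shared address key')."""
    return keyring.get((ID_IPV4_ADDR, src_ip))


def aggressive_mode_psk(keyring, src_ip, id_type, id_value):
    """Aggressive mode: IDii is cleartext in message 1, so the key can be
    selected by the asserted identity (an IOS 'hostname' keyring entry),
    falling back to the source address."""
    return keyring.get((id_type, id_value)) or keyring.get((ID_IPV4_ADDR, src_ip))


def aggressive_exchange(init_psk, init_fqdn, init_ip, resp_keyring, resp_ip):
    """Messages 1 and 2 of aggressive mode with PSK authentication.
    Returns (responder_found_key, initiator_verified_hash_r, transcript);
    the transcript is exactly what a passive observer sees on the wire."""
    xi = int.from_bytes(os.urandom(16), "big")
    xr = int.from_bytes(os.urandom(16), "big")
    gxi, gxr = to_bytes(pow(G, xi, P)), to_bytes(pow(G, xr, P))
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    ni, nr = os.urandom(16), os.urandom(16)
    sai_b = b"\x00\x01 pre-share sha1 3des"   # stand-in for the SA payload body
    idii_b = bytes([ID_FQDN]) + init_fqdn     # spoke: 'self-identity fqdn'
    idir_b = bytes([ID_IPV4_ADDR]) + resp_ip  # hub: 'crypto isakmp identity address'
    # Message 1, cleartext: HDR, SA, KE, Ni, IDii
    transcript = dict(gxi=gxi, gxr=gxr, cky_i=cky_i, cky_r=cky_r,
                      ni=ni, nr=nr, sai_b=sai_b, idii_b=idii_b, idir_b=idir_b)
    psk_r = aggressive_mode_psk(resp_keyring, init_ip, ID_FQDN, init_fqdn)
    if psk_r is None:
        return False, False, transcript
    # Message 2, cleartext: HDR, SA, KE, Nr, IDir, HASH_R
    transcript["hash_r"] = hash_r(skeyid_psk(psk_r, ni, nr),
                                  gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    expected = hash_r(skeyid_psk(init_psk, ni, nr),
                      gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    return True, hmac.compare_digest(transcript["hash_r"], expected), transcript


def offline_psk_check(transcript, candidate: bytes) -> bool:
    """Every input to HASH_R travelled in the clear in messages 1 and 2, so a
    capture of them is enough to test PSK guesses offline. This is the usual
    objection to aggressive mode with PSKs, beyond the identity exposure."""
    t = transcript
    guess = hash_r(skeyid_psk(candidate, t["ni"], t["nr"]), t["gxi"], t["gxr"],
                   t["cky_i"], t["cky_r"], t["sai_b"], t["idir_b"])
    return hmac.compare_digest(guess, t["hash_r"])


def demo() -> dict:
    """Replays the thread's hub-and-spoke case with constructed addresses."""
    spoke_ip, hub_ip = "10.20.30.41", b"\x0a\x14\x1e\x2a"  # hub 10.20.30.42
    hub_keyring_hostname = {(ID_FQDN, b"router1.cisco.com"): b"cisco"}
    hub_keyring_address = {(ID_IPV4_ADDR, spoke_ip): b"cisco"}
    r = {}
    r["mm_hostname_only"] = main_mode_psk(hub_keyring_hostname, spoke_ip) is not None
    r["mm_address"] = main_mode_psk(hub_keyring_address, spoke_ip) is not None
    found, ok, transcript = aggressive_exchange(
        b"cisco", b"router1.cisco.com", spoke_ip, hub_keyring_hostname, hub_ip)
    r["am_hostname_found"], r["am_verified"] = found, ok
    _, bad, _ = aggressive_exchange(
        b"wrong", b"router1.cisco.com", spoke_ip, hub_keyring_hostname, hub_ip)
    r["am_mismatch_rejected"] = not bad
    r["offline_right_guess"] = offline_psk_check(transcript, b"cisco")
    r["offline_wrong_guess"] = offline_psk_check(transcript, b"cisco123")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24} {v}")
```

Running demo() shows the main-mode lookup failing against a hostname-only keyring and succeeding against an address-keyed one, the aggressive-mode exchange completing against the hostname-only keyring, a wrong PSK being rejected, and the offline check accepting the right guess and rejecting a wrong one from nothing but the cleartext transcript.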
