Yes.

Something like this (simple topology like R1 ---- R2)
Config on R1 should look like:

ip host R2.cisco.com 10.1.12.2
!
crypto keyring KEYS
  pre-shared-key hostname R2.cisco.com key cisco123
!
crypto isakmp profile IKE
   keyring KEYS
   self-identity fqdn
   match identity host R2.cisco.com
   initiate mode aggressive
!
crypto ipsec profile IPSEC
 set isakmp-profile IKE
 set trans TS

plus some obvious things like SVTI and crypto policy and transform set.


cheers!

Piotr

2010/10/10 Kingsley Charles <[email protected]>

> Hi Piotr
>
> If a peer is initiating AM, can it have the pre-shared key configured with
> hostname?
>
>
> With regards
> Kings
>
>
> On Sun, Oct 10, 2010 at 5:19 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Gents,
>>
>> AM can authenticate peer using either IP, hostname or Certificate
>> MM can use only IP or Certificate
>>
>> Really, I don't get what you are looking for.
>>
>> Regards,
>> Piotr
>>
>> 2010/10/10 Pieter-Jan Nefkens <[email protected]>
>>
>> Hello all,
>>>
>>> If I remember correctly, in ISAKMP main mode, the negotiation of
>>> policies, such as DH group, encryption, etc. is done before the authentication
>>> of the peer takes place.
>>>
>>> But in aggressive mode, all these attributes are sent in one packet, thus
>>> resulting in fewer packets, and everything must be just a-ok, as there will
>>> be no negotiation on the policies.
>>>
>>> So, in main mode, msg 1 contains only the authentication policies, while
>>> in aggressive mode the first message contains all properties and the nonce
>>> (DH).
>>>
>>> Hth
>>> Pj
>>>
>>>
>>> On 10 okt. 2010, at 08:18, karim jamali <[email protected]> wrote:
>>>
>>> Thanks Boss:)..Let us wait & c
>>>
>>> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:
>>>
>>>> True, with AM the pre-shared key is not used with the shared secret to
>>>> generate the encryption key.
>>>>
>>>> But how will the peer initiating AM find a matching pre-shared key
>>>> with hostnames? The pre-shared key should be sent as a hash to the other peer,
>>>> which also hashes its pre-shared key and sees if it matches. Irrespective
>>>> of whether it is AM or MM, this will happen. If you have configured a hostname
>>>> for the pre-shared key, how will IOS find a matching key?
>>>>
>>>> Anyway let's wait for others comment too.
>>>>
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>>
>>>> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>>>>
>>>>> hello Kingsley,
>>>>>
>>>>> First I would like to thank you for putting your efforts into this
>>>>> great informative post. However, let me argue that:
>>>>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>>>>> different from MM, where the PSK must be based on the peer address as the PSK is
>>>>> used in the DH KE algorithm. Thus I do believe there is no reason for the
>>>>> initiator to look up the peer address/hostname of the remote peer while
>>>>> initiating. I hope someone can shed more light on this. As per your
>>>>> statement:
>>>>>
>>>>> "The peer initiating the AM, sees the IP address in the crypto map and
>>>>> tries to find a matching pre-shared key, when there is an interesting
>>>>> traffic". The question raised is why it can't send based on hostnames.
>>>>>
>>>>> In AM, as per my understanding, the DH KE works in parallel with the IKE IDs
>>>>> and the authentication process, i.e. the IDs are exchanged in the clear.
>>>>> I believe it should work this way:
>>>>> 1) Initiator sends to responder its ISAKMP policy with its different
>>>>> parameters & the responder replies having accepted a policy.
>>>>> 2) DH KE & IKE ID exchange for authentication happen simultaneously.
>>>>>
>>>>> Gents will appreciate your support on this:)
>>>>>
>>>>> Thanks Kingsley:)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>>>>>
>>>>>> Let me put my understanding:
>>>>>>
>>>>>> Aggressive mode can be used where the IP address of a peer keeps
>>>>>> changing.
>>>>>>
>>>>>> 1) One peer will be configured for a dynamic crypto map, and this is the
>>>>>> hub or server, as the spokes' IP addresses keep changing.
>>>>>> 2) The other peers will be configured with a static crypto map with "set
>>>>>> peer" of the hub's IP address.
>>>>>> 3) Since the addresses of the spokes keep changing, I opt for configuring
>>>>>> hostnames on the hub for the pre-shared keys.
>>>>>> 4) In that case, the spokes should send the identity as hostnames.
>>>>>> 5) The hub should send the identity as address.
>>>>>>
>>>>>> If you want to initiate AM, there are two ways either use isakmp
>>>>>> profile with "initiate mode aggressive" or "crypto isakmp peer address"
>>>>>> which doesn't need profiles.
>>>>>>
>>>>>> In AM, the risk is that the identities of the peers are revealed during
>>>>>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>>>>>> but still the hub's address is exposed.
>>>>>>
>>>>>> The peer initiating the AM sees the IP address in the crypto map and
>>>>>> tries to find a matching pre-shared key when there is interesting
>>>>>> traffic. If you configure it as a hostname, then it can't find a match.
>>>>>> Hence on the peer which initiates the AM, you need to configure it with an
>>>>>> IP address. The hub can be configured with a hostname as it is the receiver,
>>>>>> not the initiator.
>>>>>>
>>>>>>
>>>>>> *Spokes config*
>>>>>>
>>>>>> ip domain-name cisco.com
>>>>>> crypto isakmp policy 1
>>>>>>  authentication pre-share
>>>>>> crypto isakmp key cisco address 10.20.30.42
>>>>>>
>>>>>> crypto isakmp profile prof
>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>    keyring default
>>>>>>    self-identity fqdn
>>>>>>    initiate mode aggressive
>>>>>>
>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>
>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>  set peer 10.20.30.42
>>>>>>  set transform-set tran
>>>>>>  set isakmp-profile prof
>>>>>>  match address 123
>>>>>>
>>>>>> interface GigabitEthernet0/0
>>>>>>  crypto map cisco
>>>>>>
>>>>>>
>>>>>> *Hub's config*
>>>>>>
>>>>>>
>>>>>> crypto isakmp policy 1
>>>>>>  authentication pre-share
>>>>>> crypto isakmp key cisco hostname router1.cisco.com
>>>>>> crypto isakmp identity address
>>>>>>
>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>
>>>>>> crypto dynamic-map dynmap 1
>>>>>>  set transform-set tran
>>>>>>
>>>>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>>>>
>>>>>> interface GigabitEthernet0/0
>>>>>>  crypto map cisco
>>>>>>
>>>>>> Instead of a dynamic crypto map, you can use a static crypto map on the
>>>>>> hub as follows. The logic is still the same.
>>>>>>
>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>
>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>  set peer 10.20.30.41
>>>>>>  set transform-set tran
>>>>>>  match address 123
>>>>>>
>>>>>> interface GigabitEthernet0/0
>>>>>>  crypto map cisco
>>>>>>
>>>>>>
>>>>>>
>>>>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>>>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>>
>>>>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>>>>
>>>>>>> I've had this issue before. I made this work in 2 ways:
>>>>>>> 1 - also add "crypto isakmp key CISCO address 136.1.122.2"
>>>>>>> or
>>>>>>> 2 - add a local host entry on the router mapping the hostname XXXX to
>>>>>>> 136.1.122.2
>>>>>>>
>>>>>>> If this is correct, I don't know, and I never had anyone explain to me
>>>>>>> why.
>>>>>>>
>>>>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>>>>
>>>>>>>> Dear Experts,
>>>>>>>>
>>>>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>>>>> Profiles, however I am not able to get why it doesn't work. When running the
>>>>>>>> debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or
>>>>>>>> cert, despite the fact that it exists. I would appreciate any input.
>>>>>>>>
>>>>>>>> crypto isakmp key CISCO hostname XXXX
>>>>>>>>
>>>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>>    keyring default
>>>>>>>>    self-identity fqdn
>>>>>>>>    initiate mode aggressive
>>>>>>>> !
>>>>>>>>
>>>>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>>>>> !
>>>>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>>>>  set peer 136.1.122.2
>>>>>>>>  set transform-set R1R2
>>>>>>>>  match address LO12
>>>>>>>>
>>>>>>>>
>>>>>>>> interface FastEthernet0/0
>>>>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>>>>  duplex auto
>>>>>>>>  speed auto
>>>>>>>>  crypto map R1R2
>>>>>>>>
>>>>>>>>
>>>>>>>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>>>>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>>>>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
>>>>>>>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
>>>>>>>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
>>>>>>>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>>>>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>>>>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>>>>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
>>>>>>>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
>>>>>>>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
>>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
>>>>>>>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> Best Regards
>>>>>>>>
>>>>>>>> --
>>>>>>>> KJ
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>> please visit www.ipexpert.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>>> Cisco Security Professional
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> KJ
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> KJ
>>>
>>>
>>>
>>
>>
>>
>
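To make the key-selection argument in this thread concrete, here is an added Python model; it is not from the thread, from Cisco, or from IOS source. It follows the RFC 2409 pre-shared-key derivation (SKEYID = prf(PSK, Ni | Nr) and HASH_I) and models the two lookups the thread argues about: the responder, which in Main Mode can only pick a key by the peer's source address because the ID payloads of messages 5 and 6 are encrypted under keys derived from SKEYID, but in Aggressive Mode sees IDii in the clear in message 1 and can use a hostname-bound key; and the initiator, which only knows the "set peer" address and can use a hostname-bound key only if that name resolves to the peer address. The initiator behaviour is modelled on the debug output ("No Cert or pre-shared address key") and the "ip host" / address-key workarounds reported above, not on documented IOS internals. The keyring, host table, SA proposal bytes and the DH group (2^127-1 with generator 2, a toy group, not an IKE group) are constructed for the example; the PRF is HMAC-SHA1.

```python
"""Model of IKEv1 phase-1 pre-shared-key selection in Main Mode versus
Aggressive Mode, plus the initiator-side lookup discussed in the thread.
Added example, not Cisco code. Key derivation per RFC 2409 section 5.4;
keyring, host table, SA bytes and DH group are constructed toy values."""
import hashlib
import hmac
import os

# Constructed keyring on R1, modelled on the thread's
# "pre-shared-key hostname R2.cisco.com key cisco123" (hostname-bound key).
# An address-bound entry would look like ("address", "10.1.12.2").
KEYRING = {("hostname", "R2.cisco.com"): b"cisco123"}

# Constructed equivalent of "ip host R2.cisco.com 10.1.12.2" on R1.
IP_HOST = {"R2.cisco.com": "10.1.12.2"}

# Toy DH group for the demonstration only (2**127 - 1 is prime); not an IKE group.
P, G = 2**127 - 1, 2


def prf(key, data):
    """RFC 2409 PRF is HMAC keyed with the negotiated hash; SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def initiator_find_psk(peer_addr, keyring=KEYRING, ip_host=IP_HOST):
    """Initiator lookup as the thread reports it: the initiator only knows the
    peer's address from 'set peer'. It matches an address-bound key directly,
    or a hostname-bound key whose name resolves (ip host / DNS) to that
    address. With neither, IOS logged 'No Cert or pre-shared address key'."""
    key = keyring.get(("address", peer_addr))
    if key is not None:
        return key
    for (kind, name), k in keyring.items():
        if kind == "hostname" and ip_host.get(name) == peer_addr:
            return k
    return None


def responder_select_psk(mode, peer_addr, id_payload=None, keyring=KEYRING):
    """Main Mode: the peer ID arrives in message 5, encrypted under keys
    derived from SKEYID, which already depends on the PSK, so the responder
    can only key off the source address. Aggressive Mode: IDii is in
    message 1 in the clear, so a hostname-bound key can be chosen."""
    if mode == "main":
        return keyring.get(("address", peer_addr))
    if mode == "aggressive":
        return (keyring.get(("hostname", id_payload))
                or keyring.get(("address", peer_addr)))
    raise ValueError("unknown mode: %s" % mode)


def skeyid_psk(psk, ni, nr):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai, idii):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai + idii)


def aggressive_mode(initiator_fqdn, initiator_psk, keyring=KEYRING):
    """Aggressive Mode between toy peers R2 (initiator, 10.1.12.2) and R1
    (responder holding KEYRING). Returns True if R1 authenticates R2."""
    # Message 1 (R2 -> R1): SA, KE, Ni, IDii, all in the clear.
    xi = int.from_bytes(os.urandom(16), "big")
    gxi = pow(G, xi, P).to_bytes(16, "big")
    ni, cky_i = os.urandom(16), os.urandom(8)
    sai = b"policy-1:3des-sha-psk-group2"  # constructed SA proposal bytes
    idii = initiator_fqdn.encode()

    # R1 can see IDii, so it selects the hostname-bound key before replying.
    psk_r = responder_select_psk("aggressive", "10.1.12.2", idii.decode(), keyring)
    if psk_r is None:
        return False  # no key for this identity: exchange fails here
    xr = int.from_bytes(os.urandom(16), "big")
    gxr = pow(G, xr, P).to_bytes(16, "big")
    nr, cky_r = os.urandom(16), os.urandom(8)
    # Message 2 (R1 -> R2) would carry SA, KE, Nr, IDir, HASH_R (not modelled).

    # Message 3 (R2 -> R1): HASH_I, proving R2 knows the PSK.
    skeyid_i = skeyid_psk(initiator_psk, ni, nr)
    msg3_hash = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai, idii)

    # R1 recomputes HASH_I with the key it selected from IDii.
    skeyid_r = skeyid_psk(psk_r, ni, nr)
    expected = hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai, idii)
    return hmac.compare_digest(msg3_hash, expected)


if __name__ == "__main__":
    print("R1 initiating to 10.1.12.2, with ip host:", initiator_find_psk("10.1.12.2"))
    print("R1 initiating to 10.1.12.2, no ip host:", initiator_find_psk("10.1.12.2", ip_host={}))
    print("R1 responding in Main Mode:", responder_select_psk("main", "10.1.12.2"))
    print("R2 -> R1 Aggressive Mode authenticates:", aggressive_mode("R2.cisco.com", b"cisco123"))
```

The two lookups separate the thread's two failure cases: Karim's debug is the initiator path with a hostname-only key and no host entry, while the Main Mode case is why a hostname-bound key never matches on a responder that is not doing Aggressive Mode.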
