Exactly :-)

Use IP address and the peer should be configured to send IKE identity of
address.

or

Use hostname and the peer should be configured to send IKE identity of
hostname. But we need to configure static DNS mapping using "ip host" or use
a DNS server. The IOS can't use the hostname as such; rather, it needs to be
resolved to an IP address.


With regards
Kings

On Sun, Oct 10, 2010 at 5:29 PM, Piotr Matusiak <[email protected]> wrote:

> Yes.
>
> Something like this (simple topology like R1 ---- R2)
> Config on R1 should look like:
>
> ip host R2.cisco.com 10.1.12.2
> !
> crypto keyring KEYS
>   pre-shared-key hostname R2.cisco.com key cisco123
> !
> crypto isakmp profile IKE
>    keyring KEYS
>    self-identity fqdn
>    match identity host R2.cisco.com
>    initiate mode aggressive
> !
>
> crypto ipsec profile IPSEC
>  set isakmp-profile IKE
>  set trans TS
>
> plus some obvious things like SVTI and crypto policy and transform set.
>
>
> cheers!
>
> Piotr
>
> 2010/10/10 Kingsley Charles <[email protected]>
>
> Hi Piotr
>>
>> If a peer is initiating AM, can it have the pre-shared key configured with
>> hostname?
>>
>>
>> With regards
>> Kings
>>
>>
>> On Sun, Oct 10, 2010 at 5:19 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> Gents,
>>>
>>> AM can authenticate peer using either IP, hostname or Certificate
>>> MM can use only IP or Certificate
>>>
>>> Really, I don't get what you are looking for.
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2010/10/10 Pieter-Jan Nefkens <[email protected]>
>>>
>>> Hello all,
>>>>
>>>> If I remember correctly, in isakmp main mode, the negotiation of
>>>> policies, such as dh group, encryption, etc. is done before the
>>>> authentication of the peer takes place.
>>>>
>>>> But in aggressive mode, all these attributes are sent in one packet, thus
>>>> resulting in fewer packets, and everything must be just a-ok, as there will
>>>> be no negotiation on the policies.
>>>>
>>>> So, in main mode, msg 1 contains only the authentication policies, while
>>>> in aggressive mode the first message contains all properties and the nonce
>>>> (dh)
>>>>
>>>> Hth
>>>> Pj
>>>>
>>>> Sent from my iPad
>>>>
>>>> On 10 okt. 2010, at 08:18, karim jamali <[email protected]> wrote:
>>>>
>>>> Thanks Boss:)..Let us wait & c
>>>>
>>>> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:
>>>>
>>>>> True with AM, the pre-shared key is not used with shared secret to
>>>>> generate the encryption key.
>>>>>
>>>>> But how will the peer initiating AM find a matching pre-shared key
>>>>> with hostnames? The pre-shared key should be sent as a hash to the other peer,
>>>>> which also hashes its pre-shared key and sees if it matches. Irrespective
>>>>> of whether it is AM or MM, this will happen. If you have configured
>>>>> hostname for the pre-shared key, how will IOS find a matching key?
>>>>>
>>>>> Anyway let's wait for others comment too.
>>>>>
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>>
>>>>> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>>>>>
>>>>>> hello Kingsley,
>>>>>>
>>>>>> First I would like to thank you for putting your efforts into this
>>>>>> great informative post. However let me argue that:
>>>>>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>>>>>> different from MM, where the PSK must be based on the peer address as the PSK
>>>>>> is used in the DH KE algorithm. Thus I do believe there is no reason for the
>>>>>> initiator to look up the peer address/hostname of the remote peer while
>>>>>> initiating. I hope someone can shed more light on this. As per your
>>>>>> statement:
>>>>>>
>>>>>> "The peer initiating the AM, sees the IP address in the crypto map and
>>>>>> tries to find a matching pre-shared key, when there is an interesting
>>>>>> traffic". The question raised is why it can't send based on hostnames.
>>>>>>
>>>>>> In AM as per my understanding the DH KE works in parallel with IKE IDs
>>>>>> and the authentication process, i.e. the IDs are exchanged in the clear.
>>>>>> While I believe it should work this way:
>>>>>> 1) Initiator sends to responder its ISAKMP Policy with its different
>>>>>> parameters & the responder replies having accepted a policy.
>>>>>> 2) DH KE & IKE IDs exchange for authentication happen simultaneously.
>>>>>>
>>>>>> Gents will appreciate your support on this:)
>>>>>>
>>>>>> Thanks Kingsley:)
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>
>>>>>>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on R1R2.
>>>>>>>
>>>>>>>
>>>>>>> Let me put my understanding:
>>>>>>>
>>>>>>> Aggressive mode can be used where the IP address of a peer keeps
>>>>>>> changing.
>>>>>>>
>>>>>>> 1) One peer will be configured for dynamic crypto map and this is the
>>>>>>> hub or server, as the spokes' IP addresses keep changing.
>>>>>>> 2) The other peers will be configured with static crypto map with
>>>>>>> "set peer" of the hub's IP address.
>>>>>>> 3) Since the addresses of spokes keep changing, I opt for configuring
>>>>>>> hostnames on the hub for the pre-shared keys.
>>>>>>> 4) In that case, the spokes should send the identity in hostnames.
>>>>>>> 5) The hub should send the identity in address.
>>>>>>>
>>>>>>> If you want to initiate AM, there are two ways either use isakmp
>>>>>>> profile with "initiate mode aggressive" or "crypto isakmp peer address"
>>>>>>> which doesn't need profiles.
>>>>>>>
>>>>>>> In AM, the risk is that the identity of the peers is revealed during
>>>>>>> ISAKMP phase 1. Since the spoke's address changes there is not much risk,
>>>>>>> but still the hub's address is exposed.
>>>>>>>
>>>>>>> The peer initiating the AM sees the IP address in the crypto map and
>>>>>>> tries to find a matching pre-shared key when there is interesting
>>>>>>> traffic. If you configure it as a hostname, then it can't find a match.
>>>>>>> Hence on the peer which initiates the AM, you need to configure it with
>>>>>>> an IP address. The hub can be configured with a hostname as it is the
>>>>>>> receiver, not the initiator.
>>>>>>>
>>>>>>>
>>>>>>> *Spokes config*
>>>>>>>
>>>>>>> ip domain-name cisco.com
>>>>>>> crypto isakmp policy 1
>>>>>>>  authentication pre-share
>>>>>>> crypto isakmp key cisco address 10.20.30.42
>>>>>>>
>>>>>>> crypto isakmp profile prof
>>>>>>>
>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>    keyring default
>>>>>>>    self-identity fqdn
>>>>>>>    initiate mode aggressive
>>>>>>>
>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>
>>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>>  set peer 10.20.30.42
>>>>>>>  set transform-set tran
>>>>>>>  set isakmp-profile prof
>>>>>>>  match address 123
>>>>>>>
>>>>>>> interface GigabitEthernet0/0
>>>>>>>  crypto map cisco
>>>>>>>
>>>>>>>
>>>>>>> *Hub's config*
>>>>>>>
>>>>>>>
>>>>>>> crypto isakmp policy 1
>>>>>>>  authentication pre-share
>>>>>>> crypto isakmp key cisco hostname router1.cisco.com
>>>>>>> crypto isakmp identity address
>>>>>>>
>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>
>>>>>>> crypto dynamic-map dynmap 1
>>>>>>>  set transform-set tran
>>>>>>>
>>>>>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>>>>>
>>>>>>> interface GigabitEthernet0/0
>>>>>>>  crypto map cisco
>>>>>>>
>>>>>>> Instead of dynamic crypto map, you can use static crypto map on the
>>>>>>> hub as follows. The logic is still the same.
>>>>>>>
>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>
>>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>>  set peer 10.20.30.41
>>>>>>>  set transform-set tran
>>>>>>>  match address 123
>>>>>>>
>>>>>>> interface GigabitEthernet0/0
>>>>>>>  crypto map cisco
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>>>>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>>>>>
>>>>>>> With regards
>>>>>>> Kings
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>>>>>
>>>>>>>> I've had this issue before. I made this work in 2 ways:
>>>>>>>> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
>>>>>>>> or
>>>>>>>> 2 - add a local host entry on the router mapping the hostname XXXX
>>>>>>>> to 136.1.122.2
>>>>>>>>
>>>>>>>> Whether this is correct, I don't know, and I never had anyone explain to me
>>>>>>>> why.
>>>>>>>>
>>>>>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Dear Experts,
>>>>>>>>>
>>>>>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>>>>>> Profiles; however, I am not able to get why it doesn't work. When
>>>>>>>>> running the debugs I see that it can't run AGGRESSIVE mode and it
>>>>>>>>> can't find a PSK or cert despite the fact that it exists. I would
>>>>>>>>> appreciate any input.
>>>>>>>>>
>>>>>>>>> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>>>>>>>>>
>>>>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>>>    keyring default
>>>>>>>>>    self-identity fqdn
>>>>>>>>>    initiate mode aggressive
>>>>>>>>> !
>>>>>>>>>
>>>>>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>>>>>> !
>>>>>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>>>>>  set peer 136.1.122.2
>>>>>>>>>  set transform-set R1R2
>>>>>>>>>  match address LO12
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> interface FastEthernet0/0
>>>>>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>>>>>  duplex auto
>>>>>>>>>  speed auto
>>>>>>>>>  crypto map R1R2
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>>>>>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>>>>>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2,
>>>>>>>>> peer port 500
>>>>>>>>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508
>>>>>>>>> peer_handle = 0x80000010
>>>>>>>>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508,
>>>>>>>>> refcount 1 for isakmp_initiator
>>>>>>>>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>>>>>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>>>>>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>>>>>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode,
>>>>>>>>> trying Main mode.
>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>>>>>>
>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not
>>>>>>>>> start Main mode
>>>>>>>>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
>>>>>>>>> isadb_unlock_peer_delete_sa(), count 0
>>>>>>>>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
>>>>>>>>> 136.1.122.2: 83D50508
>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8,
>>>>>>>>> delme=83DE56A8
>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request:
>>>>>>>>> Failed to initialize SA
>>>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0,
>>>>>>>>> error 2.
>>>>>>>>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1
>>>>>>>>> KMI message(s)
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Best Regards
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> KJ
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>> please visit <http://www.ipexpert.com>www.ipexpert.com
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>>>> Cisco Security Professional
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> KJ
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> KJ
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
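The thread's conclusion (the initiator only knows the peer address from `set peer`, so a key configured under a hostname is usable only when that hostname resolves to the peer address, while the responder matches whatever IKE identity the initiator actually sends) can be checked against a small model. The code below is an added illustration written for this page; it is not IOS source code and not any participant's code. The lookup order, the host-table resolver and the identity matching are assumptions of the model, chosen to reproduce the behaviours reported in the thread; addresses and hostnames are the ones the thread uses.

```python
"""Toy model of IKEv1 pre-shared-key (PSK) selection on an IOS-like router.

Added illustration for this thread, not IOS source code. It encodes what the
thread concludes: the initiator knows only the peer's IP (from `set peer`),
so a key configured under a hostname is found only when that hostname
resolves to the peer address (static `ip host` entry or DNS), while the
responder matches whatever IKE identity the initiator sends.  The lookup
order and the resolver are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One `crypto isakmp key KEY {address|hostname} VALUE` line: (id type, value, key)
KeyEntry = Tuple[str, str, str]


@dataclass
class Router:
    keyring: List[KeyEntry] = field(default_factory=list)  # crypto isakmp key ...
    hosts: Dict[str, str] = field(default_factory=dict)     # ip host NAME A.B.C.D
    identity: str = "address"       # crypto isakmp identity {address|hostname}
    fqdn: str = "router.example"    # own name, sent when identity == "hostname"

    def resolve(self, name: str) -> Optional[str]:
        """Static host-table lookup (a real box could also query DNS)."""
        return self.hosts.get(name.lower())

    def initiator_psk(self, peer_ip: str) -> Optional[str]:
        """Initiator: pick a key for peer_ip before the first IKE packet goes out.

        None corresponds to the debug line 'No Cert or pre-shared address key'.
        """
        for id_type, id_value, key in self.keyring:
            if id_type == "address" and id_value == peer_ip:
                return key
            if id_type == "hostname" and self.resolve(id_value) == peer_ip:
                return key
        return None

    def responder_psk(self, id_type: str, id_value: str) -> Optional[str]:
        """Responder: match the ID payload received from the initiator."""
        for k_type, k_value, key in self.keyring:
            if k_type == id_type and k_value.lower() == id_value.lower():
                return key
        return None

    def sent_identity(self, own_ip: str) -> Tuple[str, str]:
        """Contents of the IKE ID payload this router sends."""
        if self.identity == "hostname":
            return ("hostname", self.fqdn)
        return ("address", own_ip)


def phase1_keys(initiator: Router, init_ip: str,
                responder: Router, resp_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """(initiator's key, responder's key); both must be equal and non-None."""
    ikey = initiator.initiator_psk(resp_ip)
    if ikey is None:
        return None, None   # initiator never gets past 'Can not start Aggressive mode'
    rkey = responder.responder_psk(*initiator.sent_identity(init_ip))
    return ikey, rkey


# Constructed topology, addresses taken from the thread: R1 136.1.121.1, R2 136.1.122.2
R1_IP, R2_IP = "136.1.121.1", "136.1.122.2"


def spoke(extra_keys=(), hosts=None, identity="hostname") -> Router:
    """R1 as the initiating spoke, keyed by the hub's hostname (the original setup)."""
    return Router(keyring=[("hostname", "R2.cisco.com", "CISCO"), *extra_keys],
                  hosts=dict(hosts or {}), identity=identity, fqdn="router1.cisco.com")


def hub() -> Router:
    """R2 as the responding hub, keyed by the spoke's FQDN, sending its own address."""
    return Router(keyring=[("hostname", "router1.cisco.com", "CISCO")],
                  identity="address", fqdn="R2.cisco.com")


def run_all() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Each scenario from the thread and the keys both ends end up with."""
    return {
        # Original config: hostname key and nothing that resolves it -> initiator fails.
        "hostname_key_only": phase1_keys(spoke(), R1_IP, hub(), R2_IP),
        # Fix 1 from the thread: also add an address key for the peer.
        "plus_address_key": phase1_keys(spoke(extra_keys=[("address", R2_IP, "CISCO")]),
                                        R1_IP, hub(), R2_IP),
        # Fix 2 from the thread: static `ip host` mapping for the hostname.
        "plus_ip_host": phase1_keys(spoke(hosts={"r2.cisco.com": R2_IP}),
                                    R1_IP, hub(), R2_IP),
        # The spoke must send a hostname identity, or the hub finds no key for it.
        "ip_host_but_address_identity": phase1_keys(
            spoke(hosts={"r2.cisco.com": R2_IP}, identity="address"), R1_IP, hub(), R2_IP),
    }


if __name__ == "__main__":
    for name, keys in run_all().items():
        print(f"{name:30s} initiator={keys[0]!r:8} responder={keys[1]!r}")
```

Running it shows the first scenario failing on the initiator side alone (the analogue of the "No Cert or pre-shared address key" debug), both workarounds succeeding end to end, and the last scenario succeeding on the initiator but failing on the hub, which is why the identity type the spoke sends has to match the key type the hub is configured with.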
