Precisely!

2010/10/10 Kingsley Charles <[email protected]>

> Exactly :-)
>
> Use IP address and the peer should be configured to send IKE identity of
> address.
>
> or
>
> Use hostname and the peer should be configured to send IKE identity of
> hostname. But we need to configure a static DNS mapping using "ip host" or use
> a DNS server. The IOS can't use the hostname as such; rather, it needs to be
> resolved to an IP address.
>
>
> With regards
> Kings
>
>
> On Sun, Oct 10, 2010 at 5:29 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Yes.
>>
>> Something like this (simple topology like R1 ---- R2)
>> Config on R1 should look like:
>>
>> ip host R2.cisco.com 10.1.12.2
>> !
>> crypto keyring KEYS
>>   pre-shared-key hostname R2.cisco.com key cisco123
>> !
>> crypto isakmp profile IKE
>>    keyring KEYS
>>    self-identity fqdn
>>    match identity host R2.cisco.com
>>    initiate mode aggressive
>> !
>>
>> crypto ipsec profile IPSEC
>>  set isakmp-profile IKE
>>  set trans TS
>>
>> plus some obvious things like SVTI and crypto policy and transform set.
>>
>>
>> cheers!
>>
>> Piotr
>>
>> 2010/10/10 Kingsley Charles <[email protected]>
>>
>> Hi Piotr
>>>
>>> If a peer is initiating AM, can it have the pre-shared key configured
>>> with a hostname?
>>>
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Sun, Oct 10, 2010 at 5:19 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Gents,
>>>>
>>>> AM can authenticate a peer using either IP, hostname or Certificate.
>>>> MM can use only IP or Certificate.
>>>>
>>>> Really, I don't get what you are looking for.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2010/10/10 Pieter-Jan Nefkens <[email protected]>
>>>>
>>>> Hello all,
>>>>>
>>>>> If I remember correctly, in ISAKMP main mode, the negotiation of
>>>>> policies, such as DH group, encryption, etc. is done before the
>>>>> authentication of the peer takes place.
>>>>>
>>>>> But in aggressive mode, all these attributes are sent in one packet,
>>>>> thus resulting in fewer packets, and everything must be just a-ok, as there
>>>>> will be no negotiation on the policies.
>>>>>
>>>>> So, in main mode, msg 1 contains only the authentication policies,
>>>>> while in aggressive mode the first message contains all properties and the
>>>>> nonce (DH).
>>>>>
>>>>> Hth
>>>>> Pj
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> On 10 okt. 2010, at 08:18, karim jamali <[email protected]>
>>>>> wrote:
>>>>>
>>>>> Thanks Boss :) .. Let us wait & see
>>>>>
>>>>> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> True, with AM the pre-shared key is not used with the shared secret to
>>>>>> generate the encryption key.
>>>>>>
>>>>>> But how will the peer initiating AM find a matching pre-shared key
>>>>>> with hostnames? The pre-shared key should be sent as a hash to the other
>>>>>> peer, which also hashes its pre-shared key and sees if it matches.
>>>>>> Irrespective of whether it is AM or MM, this will happen. If you have
>>>>>> configured a hostname for the pre-shared key, how will IOS find a matching
>>>>>> key?
>>>>>>
>>>>>> Anyway let's wait for others comment too.
>>>>>>
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>>
>>>>>> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>>>>>>
>>>>>>> Hello Kingsley,
>>>>>>>
>>>>>>> First I would like to thank you for putting your efforts into this
>>>>>>> great informative post. However, let me argue that:
>>>>>>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>>>>>>> different from MM, where the PSK must be based on the peer address as the
>>>>>>> PSK is used in the DH KE algorithm. Thus I do believe there is no reason
>>>>>>> for the initiator to look up the peer address/hostname of the remote peer
>>>>>>> while initiating. I hope someone can shed more light on this. As per your
>>>>>>> statement:
>>>>>>>
>>>>>>> "The peer initiating the AM, sees the IP address in the crypto map
>>>>>>> and tries to find a matching pre-shared key, when there is an interesting
>>>>>>> traffic". The question raised is why it can't send based on hostnames.
>>>>>>>
>>>>>>> In AM, as per my understanding, the DH KE works in parallel with the IKE
>>>>>>> IDs and authentication process, i.e. the IDs are exchanged in the clear.
>>>>>>> While I believe it should work this way:
>>>>>>> 1) Initiator sends to responder its ISAKMP policy with its different
>>>>>>> parameters & the responder replies having accepted a policy.
>>>>>>> 2) DH KE & IKE ID exchange for authentication happen simultaneously.
>>>>>>>
>>>>>>> Gents will appreciate your support on this:)
>>>>>>>
>>>>>>> Thanks Kingsley:)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>
>>>>>>>> Karim, configure "crypto isakmp key CISCO address 136.1.122.2" on
>>>>>>>> R1R2.
>>>>>>>>
>>>>>>>> Let me put my understanding:
>>>>>>>>
>>>>>>>> Aggressive mode can be used where the IP address of a peer keeps
>>>>>>>> changing.
>>>>>>>>
>>>>>>>> 1) One peer will be configured for a dynamic crypto map and this is
>>>>>>>> the hub or server, as the spokes' IP addresses keep changing.
>>>>>>>> 2) The other peers will be configured with a static crypto map with
>>>>>>>> "set peer" of the hub's IP address.
>>>>>>>> 3) Since the addresses of the spokes keep changing, I opt for configuring
>>>>>>>> hostnames on the hub for the pre-shared keys.
>>>>>>>> 4) In that case, the spokes should send the identity as hostnames.
>>>>>>>> 5) The hub should send the identity as address.
>>>>>>>>
>>>>>>>> If you want to initiate AM, there are two ways: either use an isakmp
>>>>>>>> profile with "initiate mode aggressive" or "crypto isakmp peer address",
>>>>>>>> which doesn't need profiles.
>>>>>>>>
>>>>>>>> In AM, the risk is that the identity of the peers is revealed
>>>>>>>> during ISAKMP phase 1. Since the spoke's address changes there is not
>>>>>>>> much risk, but still the hub's address is exposed.
>>>>>>>>
>>>>>>>> The peer initiating the AM sees the IP address in the crypto map
>>>>>>>> and tries to find a matching pre-shared key when there is interesting
>>>>>>>> traffic. If you configure it as a hostname, then it can't find a match.
>>>>>>>> Hence on the peer which initiates the AM, you need to configure it with
>>>>>>>> an IP address. The hub can be configured with a hostname as it is the
>>>>>>>> receiver, not the initiator.
>>>>>>>>
>>>>>>>>
>>>>>>>> *Spokes config*
>>>>>>>>
>>>>>>>> ip domain-name cisco.com
>>>>>>>> crypto isakmp policy 1
>>>>>>>>  authentication pre-share
>>>>>>>> crypto isakmp key cisco address 10.20.30.42
>>>>>>>>
>>>>>>>> crypto isakmp profile prof
>>>>>>>>
>>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>>    keyring default
>>>>>>>>    self-identity fqdn
>>>>>>>>    initiate mode aggressive
>>>>>>>>
>>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>>
>>>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>>>  set peer 10.20.30.42
>>>>>>>>  set transform-set tran
>>>>>>>>  set isakmp-profile prof
>>>>>>>>  match address 123
>>>>>>>>
>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>  crypto map cisco
>>>>>>>>
>>>>>>>>
>>>>>>>> *Hub's config*
>>>>>>>>
>>>>>>>>
>>>>>>>> crypto isakmp policy 1
>>>>>>>>  authentication pre-share
>>>>>>>> crypto isakmp key cisco hostname router1.cisco.com
>>>>>>>> crypto isakmp identity address
>>>>>>>>
>>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>>
>>>>>>>> crypto dynamic-map dynmap 1
>>>>>>>>  set transform-set tran
>>>>>>>>
>>>>>>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>>>>>>
>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>  crypto map cisco
>>>>>>>>
>>>>>>>> Instead of a dynamic crypto map, you can use a static crypto map on the
>>>>>>>> hub as follows. The logic is still the same.
>>>>>>>>
>>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>>
>>>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>>>  set peer 10.20.30.41
>>>>>>>>  set transform-set tran
>>>>>>>>  match address 123
>>>>>>>>
>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>  crypto map cisco
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>>>>>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I've had this issue before. I made this work in 2 ways:
>>>>>>>>> 1 - also add "crypto isakmp key CISCO address 136.1.122.2"
>>>>>>>>> or
>>>>>>>>> 2 - add a local host entry on the router mapping the hostname XXXX
>>>>>>>>> to 136.1.122.2
>>>>>>>>>
>>>>>>>>> If this is correct, I don't know, and I never had anyone explain to me
>>>>>>>>> why.
>>>>>>>>>
>>>>>>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Dear Experts,
>>>>>>>>>>
>>>>>>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>>>>>>> profiles; however, I am not able to get why it doesn't work. When running
>>>>>>>>>> the debugs I see that it can't run AGGRESSIVE mode and it can't find a
>>>>>>>>>> PSK or cert despite the fact that it exists. I would appreciate any input.
>>>>>>>>>>
>>>>>>>>>> crypto isakmp key CISCO hostname XXXX
>>>>>>>>>>
>>>>>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>>>>    keyring default
>>>>>>>>>>    self-identity fqdn
>>>>>>>>>>    initiate mode aggressive
>>>>>>>>>> !
>>>>>>>>>>
>>>>>>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>>>>>>> !
>>>>>>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>>>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>>>>>>  set peer 136.1.122.2
>>>>>>>>>>  set transform-set R1R2
>>>>>>>>>>  match address LO12
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> interface FastEthernet0/0
>>>>>>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>>>>>>  duplex auto
>>>>>>>>>>  speed auto
>>>>>>>>>>  crypto map R1R2
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>>>>>>> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>>>>>>> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for
>>>>>>>>>> 136.1.122.2, peer port 500
>>>>>>>>>> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508
>>>>>>>>>> peer_handle = 0x80000010
>>>>>>>>>> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508,
>>>>>>>>>> refcount 1 for isakmp_initiator
>>>>>>>>>> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>>>>>>> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>>>>>>> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>>>>>>> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode,
>>>>>>>>>> trying Main mode.
>>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address
>>>>>>>>>> key.
>>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can
>>>>>>>>>> not start Main mode
>>>>>>>>>> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
>>>>>>>>>> isadb_unlock_peer_delete_sa(), count 0
>>>>>>>>>> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
>>>>>>>>>> 136.1.122.2: 83D50508
>>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8,
>>>>>>>>>> delme=83DE56A8
>>>>>>>>>> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request:
>>>>>>>>>> Failed to initialize SA
>>>>>>>>>> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0,
>>>>>>>>>> error 2.
>>>>>>>>>> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1
>>>>>>>>>> KMI message(s)
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Best Regards
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> KJ
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>>>>> Cisco Security Professional
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> KJ
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> KJ
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
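An added example to go with the thread above; it is not code from any of the posters and not IOS code. It is a small Python model of the one thing the thread keeps circling: in IKEv1 (RFC 2409) the pre-shared key feeds SKEYID, so a Main Mode peer has to pick the PSK before it has seen the peer's ID payload (which only arrives, encrypted, in messages 5/6) and can therefore only key it on the IP address, whereas an Aggressive Mode responder sees IDii in the clear in message 1 and can key it on the FQDN. It also models the initiator side: with only a hostname key and no "ip host" mapping, the initiator cannot start either mode (the "No Cert or pre-shared address key" debug), and adding the mapping fixes it. The FQDNs r1.example.com and r2.example.com, the key CISCO and the lookup order are assumptions made for the example; the addresses are the ones from Karim's config.

```python
"""Model of IKEv1 phase 1 pre-shared-key selection (after RFC 2409).

Added example, not code from the thread or from Cisco IOS. It shows why a Main
Mode peer must select its PSK by the peer's IP, why an Aggressive Mode responder
can select it by the FQDN carried in message 1, and why an initiator holding only
a hostname key fails unless that name resolves to the peer address ('ip host').
Hostnames, keys and the lookup order are assumptions made for the example.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


class Keyring:
    """Models 'crypto isakmp key K address A', '... hostname H' and 'ip host H A'."""

    def __init__(self) -> None:
        self.address_keys = {}   # peer IP   -> PSK
        self.hostname_keys = {}  # peer FQDN -> PSK
        self.host_table = {}     # FQDN -> IP, i.e. 'ip host'

    def key_for_peer_address(self, peer_ip: str) -> Optional[bytes]:
        """Initiator-side lookup: all it knows is the 'set peer' address."""
        if peer_ip in self.address_keys:
            return self.address_keys[peer_ip]
        # Assumption matching the thread's observation: a hostname key is usable by
        # the initiator only if the name resolves to the peer address.
        for fqdn, psk in self.hostname_keys.items():
            if self.host_table.get(fqdn) == peer_ip:
                return psk
        return None

    def key_for_identity(self, id_type: str, id_value: str) -> Optional[bytes]:
        """Responder-side lookup, once the peer's ID payload has been seen."""
        table = self.address_keys if id_type == "address" else self.hostname_keys
        return table.get(id_value)


class Peer:
    def __init__(self, ip, fqdn, keyring, self_identity="address"):
        self.ip, self.fqdn, self.keyring = ip, fqdn, keyring
        self.self_identity = self_identity  # 'crypto isakmp identity' / 'self-identity fqdn'

    def identity(self) -> Tuple[str, str]:
        return (self.self_identity, self.fqdn if self.self_identity == "fqdn" else self.ip)


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def phase1(mode: str, initiator: Peer, responder: Peer) -> Tuple[bool, str]:
    """Run the PSK-selection part of phase 1; returns (established, reason)."""
    ni, nr = os.urandom(16), os.urandom(16)
    # The initiator picks its PSK before message 1 leaves, from the peer IP only.
    psk_i = initiator.keyring.key_for_peer_address(responder.ip)
    if psk_i is None:
        return False, "initiator: No Cert or pre-shared address key"
    if mode == "main":
        # ID payloads travel in messages 5/6, encrypted under keys derived from
        # SKEYID, so the responder must already have chosen the PSK by the only
        # identity it has at that point: the initiator's source address.
        psk_r = responder.keyring.key_for_identity("address", initiator.ip)
        if psk_r is None:
            return False, f"responder: no address-keyed PSK for {initiator.ip}"
    elif mode == "aggressive":
        # Message 1 carries SA, KE, Ni and IDii in the clear, so the responder
        # can select the PSK by whatever identity the initiator sent.
        id_type, id_value = initiator.identity()
        psk_r = responder.keyring.key_for_identity(id_type, id_value)
        if psk_r is None:
            return False, f"responder: no PSK for {id_type} identity {id_value}"
    else:
        raise ValueError(mode)
    # HASH_I/HASH_R are computed under SKEYID, which each side derives from its
    # own copy of the PSK, so mismatched keys fail authentication here.
    if not hmac.compare_digest(skeyid(psk_i, ni, nr), skeyid(psk_r, ni, nr)):
        return False, "authentication failed: pre-shared keys differ"
    return True, f"{mode} mode: phase 1 established"


def build_peers(spoke_ip_host: bool, hub_key_by: str, hub_psk: bytes = b"CISCO"):
    """Spoke R1 (136.1.121.1) initiates to hub R2 (136.1.122.2); FQDNs are assumed."""
    spoke_kr, hub_kr = Keyring(), Keyring()
    spoke_kr.hostname_keys["r2.example.com"] = b"CISCO"        # hostname key only
    if spoke_ip_host:
        spoke_kr.host_table["r2.example.com"] = "136.1.122.2"  # 'ip host' workaround
    if hub_key_by == "hostname":
        hub_kr.hostname_keys["r1.example.com"] = hub_psk
    else:
        hub_kr.address_keys["136.1.121.1"] = hub_psk
    return (Peer("136.1.121.1", "r1.example.com", spoke_kr, self_identity="fqdn"),
            Peer("136.1.122.2", "r2.example.com", hub_kr))
```

Calling phase1("aggressive", *build_peers(False, "hostname")) reproduces Karim's failure at the initiator; build_peers(True, "hostname") is Bruno's "ip host" fix and succeeds in aggressive mode but still fails in main mode at the responder, which is the MM limitation Piotr states; and a hub keyed by address with a spoke sending an FQDN identity fails, which is why Kings insists the identity type each side sends has to match the key type the other side configured.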
