Precisely!
2010/10/10 Kingsley Charles <[email protected]>

> Exactly :-)
>
> Use IP address and the peer should be configured to send IKE identity of
> address.
>
> or
>
> Use hostname and the peer should be configured to send IKE identity of
> hostname. But we need to configure static DNS mapping using "ip host" or use
> a DNS server. The IOS can't use hostname as such; rather, it needs to be
> resolved to an IP address.
>
>
> With regards
> Kings
>
>
> On Sun, Oct 10, 2010 at 5:29 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Yes.
>>
>> Something like this (simple topology like R1 ---- R2)
>> Config on R1 should look like:
>>
>> ip host R2.cisco.com 10.1.12.2
>> !
>> crypto keyring KEYS
>>  pre-shared-key hostname R2.cisco.com key cisco123
>> !
>> crypto isakmp profile IKE
>>  keyring KEYS
>>  self-identity fqdn
>>  match identity host R2.cisco.com
>>  initiate mode aggressive
>> !
>>
>> crypto ipsec profile IPSEC
>>  set isakmp-profile IKE
>>  set trans TS
>>
>> plus some obvious things like SVTI and crypto policy and transform set.
>>
>>
>> cheers!
>>
>> Piotr
>>
>> 2010/10/10 Kingsley Charles <[email protected]>
>>
>>> Hi Piotr
>>>
>>> If a peer is initiating AM, can it have the pre-shared key configured
>>> with hostname?
>>>
>>>
>>> With regards
>>> Kings
>>>
>>>
>>> On Sun, Oct 10, 2010 at 5:19 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Gents,
>>>>
>>>> AM can authenticate peer using either IP, hostname or Certificate
>>>> MM can use only IP or Certificate
>>>>
>>>> Really, I don't get what you are looking for.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2010/10/10 Pieter-Jan Nefkens <[email protected]>
>>>>
>>>>> Hello all,
>>>>>
>>>>> If I remember correctly, in isakmp main mode, the negotiation of
>>>>> policies, such as dh group, encryption, etc is done before the authentication
>>>>> of the peer takes place.
>>>>>
>>>>> But in aggressive mode, all these attributes are sent in one packet,
>>>>> thus resulting in fewer packets, and everything must be just a-ok, as there
>>>>> will be no negotiation on the policies.
>>>>>
>>>>> So, in main mode, msg 1 contains only the authentication policies,
>>>>> while in aggressive mode the first message contains all properties and the
>>>>> nonce (dh)
>>>>>
>>>>> Hth
>>>>> Pj
>>>>>
>>>>> Sent from my iPad
>>>>>
>>>>> On 10 Oct. 2010, at 08:18, karim jamali <[email protected]> wrote:
>>>>>
>>>>> Thanks Boss:)..Let us wait & c
>>>>>
>>>>> On Sun, Oct 10, 2010 at 6:13 AM, Kingsley Charles <[email protected]> wrote:
>>>>>
>>>>>> True with AM, the pre-shared key is not used with shared secret to
>>>>>> generate the encryption key.
>>>>>>
>>>>>> But how will the peer initiating AM find a matching pre-shared key
>>>>>> with hostnames? The pre-shared key should be sent as a hash to the other peer,
>>>>>> which also hashes its pre-shared key and sees if it matches. Irrespective
>>>>>> of whether it is AM or MM, this will happen. If you have configured hostname
>>>>>> for the pre-shared key, how will IOS find a matching key?
>>>>>>
>>>>>> Anyway let's wait for others' comments too.
>>>>>>
>>>>>>
>>>>>> With regards
>>>>>> Kings
>>>>>>
>>>>>>
>>>>>> On Sun, Oct 10, 2010 at 2:00 AM, karim jamali <[email protected]> wrote:
>>>>>>
>>>>>>> hello Kingsley,
>>>>>>>
>>>>>>> First I would like to thank you for putting your efforts into this
>>>>>>> great informative post. However let me argue that:
>>>>>>> 1) In AM the DH KE algorithm doesn't depend on the PSK, which makes it
>>>>>>> different from MM, where the PSK must be based on the peer address as the PSK is
>>>>>>> used in the DH KE algorithm. Thus I do believe there is no reason for the
>>>>>>> initiator to look up the peer address/hostname of the remote peer while
>>>>>>> initiating. I hope someone can shed more light on this. As per your
>>>>>>> statement:
>>>>>>>
>>>>>>> "The peer initiating the AM, sees the IP address in the crypto map
>>>>>>> and tries to find a matching pre-shared key, when there is an interesting
>>>>>>> traffic". The question raised is why it can't send based on hostnames.
>>>>>>>
>>>>>>> In AM as per my understanding the DH KE works in parallel with IKE
>>>>>>> IDs and authentication process, i.e. the IDs are exchanged in the clear.
>>>>>>> While I believe it should work this way:
>>>>>>> 1) Initiator sends to responder its ISAKMP Policy with its different
>>>>>>> parameters & the responder replies having accepted a policy.
>>>>>>> 2) DH KE & IKE IDs exchange for authentication happen simultaneously.
>>>>>>>
>>>>>>> Gents will appreciate your support on this:)
>>>>>>>
>>>>>>> Thanks Kingsley:)
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Oct 9, 2010 at 11:07 AM, Kingsley Charles <[email protected]> wrote:
>>>>>>>
>>>>>>>> Karim, configure crypto isakmp key CISCO address 136.1.122.2 on
>>>>>>>> R1R2.
>>>>>>>>
>>>>>>>> Let me put my understanding:
>>>>>>>>
>>>>>>>> Aggressive mode can be used where the IP address of a peer keeps
>>>>>>>> changing.
>>>>>>>>
>>>>>>>> 1) One peer will be configured for dynamic crypto map and this is
>>>>>>>> the hub or server as the spoke's IP address keeps changing.
>>>>>>>> 2) The other peers will be configured with static crypto map with
>>>>>>>> "set peer" of the hub's IP address.
>>>>>>>> 3) Since the address of spokes keeps changing, I opt for configuring
>>>>>>>> hostnames on hub for the pre-shared keys.
>>>>>>>> 4) In that case, the spokes should send the identity in hostnames.
>>>>>>>> 5) The hub should send the identity in address.
>>>>>>>>
>>>>>>>> If you want to initiate AM, there are two ways: either use isakmp
>>>>>>>> profile with "initiate mode aggressive" or "crypto isakmp peer address",
>>>>>>>> which doesn't need profiles.
>>>>>>>>
>>>>>>>> In AM, the risk is that the identity of the peers is revealed
>>>>>>>> during ISAKMP phase 1. Since the spoke's address changes there is not much
>>>>>>>> risk, but still the hub's address is exposed.
>>>>>>>>
>>>>>>>> The peer initiating the AM sees the IP address in the crypto map
>>>>>>>> and tries to find a matching pre-shared key when there is interesting
>>>>>>>> traffic. If you configure it as a hostname, then it can't find a match. Hence
>>>>>>>> on the peer which initiates the AM, you need to configure with IP address.
>>>>>>>> The hub can be configured with hostname as it is the receiver, not the initiator.
>>>>>>>>
>>>>>>>>
>>>>>>>> *Spokes config*
>>>>>>>>
>>>>>>>> ip domain-name cisco.com
>>>>>>>> crypto isakmp policy 1
>>>>>>>>  authentication pre-share
>>>>>>>> crypto isakmp key cisco address 10.20.30.42
>>>>>>>>
>>>>>>>> crypto isakmp profile prof
>>>>>>>>
>>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>>  keyring default
>>>>>>>>  self-identity fqdn
>>>>>>>>  initiate mode aggressive
>>>>>>>>
>>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>>
>>>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>>>  set peer 10.20.30.42
>>>>>>>>  set transform-set tran
>>>>>>>>  set isakmp-profile prof
>>>>>>>>  match address 123
>>>>>>>>
>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>  crypto map cisco
>>>>>>>>
>>>>>>>>
>>>>>>>> *Hub's config*
>>>>>>>>
>>>>>>>>
>>>>>>>> crypto isakmp policy 1
>>>>>>>>  authentication pre-share
>>>>>>>> crypto isakmp key cisco hostname router1.cisco.com
>>>>>>>> crypto isakmp identity address
>>>>>>>>
>>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>>
>>>>>>>> crypto dynamic-map dynmap 1
>>>>>>>>  set transform-set tran
>>>>>>>>
>>>>>>>> crypto map cisco 1 ipsec-isakmp dynamic dynmap
>>>>>>>>
>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>  crypto map cisco
>>>>>>>>
>>>>>>>> Instead of dynamic crypto map, you can use static crypto map on the
>>>>>>>> hub as follows. The logic is still the same.
>>>>>>>>
>>>>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>>>>>
>>>>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>>>>  set peer 10.20.30.41
>>>>>>>>  set transform-set tran
>>>>>>>>  match address 123
>>>>>>>>
>>>>>>>> interface GigabitEthernet0/0
>>>>>>>>  crypto map cisco
>>>>>>>>
>>>>>>>>
>>>>>>>> Without ISAKMP profiles, you can initiate AM. Please refer to
>>>>>>>> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094525.shtml
>>>>>>>>
>>>>>>>> With regards
>>>>>>>> Kings
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Oct 8, 2010 at 8:59 PM, Bruno <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> I've had this issue before. I made this work in 2 ways
>>>>>>>>> 1 - add also "crypto isakmp key CISCO address 136.1.122.2"
>>>>>>>>> or
>>>>>>>>> 2 - add a local host entry on the router mapping the hostname XXXX
>>>>>>>>> to 136.1.122.2
>>>>>>>>>
>>>>>>>>> If this is correct, I don't know, and never had anyone explain to me
>>>>>>>>> why
>>>>>>>>>
>>>>>>>>> On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Dear Experts,
>>>>>>>>>>
>>>>>>>>>> I am trying to run IKE Phase I in Aggressive mode using ISAKMP
>>>>>>>>>> Profiles; however I am not able to get why it doesn't work. When running the
>>>>>>>>>> debugs I see that it can't run AGGRESSIVE mode and it can't find a PSK or
>>>>>>>>>> cert despite the fact that it exists. I would appreciate any input.
>>>>>>>>>>
>>>>>>>>>> crypto isakmp key CISCO hostname XXXX
>>>>>>>>>>
>>>>>>>>>> crypto isakmp profile AGGRESSIVE
>>>>>>>>>> ! This profile is incomplete (no match identity statement)
>>>>>>>>>>  keyring default
>>>>>>>>>>  self-identity fqdn
>>>>>>>>>>  initiate mode aggressive
>>>>>>>>>> !
>>>>>>>>>>
>>>>>>>>>> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
>>>>>>>>>> !
>>>>>>>>>> crypto map R1R2 isakmp-profile AGGRESSIVE
>>>>>>>>>> crypto map R1R2 10 ipsec-isakmp
>>>>>>>>>>  set peer 136.1.122.2
>>>>>>>>>>  set transform-set R1R2
>>>>>>>>>>  match address LO12
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> interface FastEthernet0/0
>>>>>>>>>>  ip address 136.1.121.1 255.255.255.0
>>>>>>>>>>  duplex auto
>>>>>>>>>>  speed auto
>>>>>>>>>>  crypto map R1R2
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
>>>>>>>>>> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
>>>>>>>>>> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
>>>>>>>>>> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
>>>>>>>>>> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
>>>>>>>>>> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
>>>>>>>>>> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
>>>>>>>>>> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
>>>>>>>>>> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
>>>>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
>>>>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
>>>>>>>>>> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
>>>>>>>>>> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
>>>>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
>>>>>>>>>> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
>>>>>>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
>>>>>>>>>> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
>>>>>>>>>> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Best Regards
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> KJ
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>>>>>> please visit www.ipexpert.com
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>>>>>>> Cisco Security Professional
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> KJ
>>>>>>
>>>>>
>>>>> --
>>>>> KJ
>>>>
>>>
>>
>
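The thread converges on one rule: the peer that initiates only knows the crypto-map `set peer` address when interesting traffic arrives, so a hostname-keyed PSK is usable there only if the hostname resolves to that address (`ip host` or DNS), whereas a responder in aggressive mode can pick a hostname key because the initiator's ID payload arrives in the clear in message 1. The following model replays Karim's failing config, Bruno's two fixes and Kingsley's hub as an added example; it is not IOS code and not any poster's code. The `Router` class, the function names and the spoke source address 203.0.113.5 are constructed for the illustration; the MM/AM distinction follows the IKEv1 design, in which main-mode ID payloads are encrypted under keys derived from SKEYID, which already needs the PSK.

```python
"""Constructed model of IKEv1 pre-shared-key selection on an IOS-style peer."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Router:
    """Hypothetical model of the IOS pieces the thread talks about."""
    name: str
    keys_by_address: Dict[str, str] = field(default_factory=dict)   # crypto isakmp key K address A
    keys_by_hostname: Dict[str, str] = field(default_factory=dict)  # crypto isakmp key K hostname H
    ip_host: Dict[str, str] = field(default_factory=dict)           # ip host H A


def resolve(router: Router, fqdn: str) -> Optional[str]:
    """Stand-in for the 'ip host' table or the DNS lookup IOS would perform."""
    return router.ip_host.get(fqdn)


def psk_by_address(router: Router, peer_ip: str) -> Optional[str]:
    """Address-keyed lookup: a direct address key, else a hostname key whose
    hostname resolves to the peer address (this is what Bruno's fix 2 enables)."""
    if peer_ip in router.keys_by_address:
        return router.keys_by_address[peer_ip]
    for fqdn, key in router.keys_by_hostname.items():
        if resolve(router, fqdn) == peer_ip:
            return key
    return None


def initiator_psk(router: Router, peer_ip: str) -> Optional[str]:
    """Initiator, either mode: when interesting traffic hits the crypto map the
    only peer selector available is the 'set peer' address. A miss here is the
    'No Cert or pre-shared address key' line in Karim's debug."""
    return psk_by_address(router, peer_ip)


def responder_psk(router: Router, mode: str, peer_ip: str,
                  peer_id_type: str, peer_identity: str) -> Optional[str]:
    """Responder. In main mode the peer's ID payload is carried encrypted in
    message 5 under keys derived from SKEYID, which already needs the PSK, so
    only the source address can select the key. In aggressive mode the ID payload
    is in message 1 in the clear, so an FQDN identity can select a hostname key
    (Kingsley's hub with 'crypto isakmp key ... hostname')."""
    if mode == "main":
        return psk_by_address(router, peer_ip)
    if mode != "aggressive":
        raise ValueError(f"unknown IKEv1 phase 1 mode: {mode}")
    if peer_id_type == "fqdn":
        return router.keys_by_hostname.get(peer_identity)
    return psk_by_address(router, peer_ip)


def scenarios() -> Dict[str, Optional[str]]:
    """Replay the thread's cases. Addresses and names are the thread's own,
    except the spoke source 203.0.113.5, which is constructed."""
    # Karim's original R1: hostname key only, no ip host entry, initiating.
    karim = Router("R1", keys_by_hostname={"XXXX": "CISCO"})
    # Bruno's fix 1: add an address key as well.
    fix1 = Router("R1", keys_by_hostname={"XXXX": "CISCO"},
                  keys_by_address={"136.1.122.2": "CISCO"})
    # Bruno's fix 2: map the hostname to the peer address locally.
    fix2 = Router("R1", keys_by_hostname={"XXXX": "CISCO"},
                  ip_host={"XXXX": "136.1.122.2"})
    # Kingsley's hub: hostname key, answering a spoke that sends an FQDN ID.
    hub = Router("hub", keys_by_hostname={"router1.cisco.com": "cisco"})
    return {
        "karim_initiator": initiator_psk(karim, "136.1.122.2"),          # None
        "fix1_initiator": initiator_psk(fix1, "136.1.122.2"),            # "CISCO"
        "fix2_initiator": initiator_psk(fix2, "136.1.122.2"),            # "CISCO"
        "hub_am_fqdn_id": responder_psk(hub, "aggressive", "203.0.113.5",
                                        "fqdn", "router1.cisco.com"),   # "cisco"
        "hub_mm_fqdn_id": responder_psk(hub, "main", "203.0.113.5",
                                        "fqdn", "router1.cisco.com"),   # None
    }


if __name__ == "__main__":
    for case, key in scenarios().items():
        print(f"{case:16s} -> {key!r}")
```

The last case is the one Piotr summarises as "MM can use only IP or Certificate": the same hub that answers an aggressive-mode spoke by hostname has no usable key in main mode, because the hostname is not known yet when the PSK is needed, and no `ip host` entry maps it to the spoke's (changing) address.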
