IOS crypto code for IKEv1 is messy. This is much better designed and structured in IKEv2. Anyway, in regards to the exam we all must live with all this mess :)

Regards,
Piotr

2011/9/24 Kingsley Charles <[email protected]>

> True Piotr. After repeated trials, now it works only with host mapping. It
> seems 12.4(15)T code is broken with keyrings and ISAKMP profiles.
>
> With regards
> Kings
>
> On Fri, Sep 23, 2011 at 1:32 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Hi Kings,
>>
>> Can you share your config, because I'm pretty sure it does not work
>> without 'ip host' mapping. Even though it should work this way, I believe
>> the reason it does not work is that it helps when you have dynamic IPs. With
>> that you may configure DynDNS and dynamically resolve peer's IP address.
>>
>> Notice that, without 'ip host' mapping, the Aggressive Mode does not start
>> at all. It tries MM and then fails because MM must be able to find PSK in
>> the config via IP address (even if 'hostname' is an identity).
>>
>> Regards,
>> Piotr
>>
>> 2011/9/22 Kingsley Charles <[email protected]>
>>
>>> Hi Piotr
>>>
>>> After a couple of reloads and re-configuration, it works for me now. I
>>> did try adding ip host earlier but didn't work.
>>>
>>> Till today, I thought ip host was necessary. But I see it working without
>>> ip host command.
>>>
>>> In Main mode with PSK, we need the IP address for the pre-shared key.
>>> But for Aggressive mode, do we need IP address for the pre-shared key?
>>>
>>> In aggressive, the initiator is going to send hostname as the IKE ID. The
>>> remote peer has the pre-shared configured for that hostname. When it replies
>>> back, the initiator is going to find the pre-shared key with the
>>> IKE ID. In Aggressive mode, is the pre-shared key used for keying
>>> material as done for Main mode?
>>>
>>> Please let me know your thoughts?
>>>
>>> With regards
>>> Kings
>>>
>>> On Thu, Sep 22, 2011 at 9:58 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Hi Kings,
>>>>
>>>> what about
>>>>
>>>> ip host router3.king.com 10.20.30.40
>>>>
>>>> ??
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/9/22 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi all
>>>>>
>>>>> Is it an issue in IOS or a silly mistake from my side? The following
>>>>> configuration doesn't work for me.
>>>>>
>>>>> crypto isakmp key cisco hostname router3.king.com
>>>>> crypto isakmp profile prof
>>>>>  keyring default
>>>>>  self-identity fqdn
>>>>>  match identity host router3.king.com
>>>>>  initiate mode aggressive
>>>>> !
>>>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>>>> !
>>>>> crypto map cisco 1 ipsec-isakmp
>>>>>  set peer 10.20.30.40
>>>>>  set transform-set tran
>>>>>  set isakmp-profile prof
>>>>>  match address 123
>>>>>  reverse-route static
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
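Added example, not part of the original thread and not IOS code: a protocol-level sketch of the point discussed above, using the RFC 2409 section 5 key derivation. It assumes HMAC-SHA1 as the negotiated prf; the keyring layout, function names and the nonce/cookie/DH sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: SHA-1 is the negotiated hash, so the IKEv1 prf is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()

def find_psk(keyring, mode, peer_ip, ike_id):
    """Return the PSK that can be selected at the moment it is needed.

    Main Mode: the ID payload travels in message 5, encrypted under
    SKEYID_e, which itself depends on the PSK. Only the peer address is
    known when the key must be chosen.
    Aggressive Mode: the ID payload is in message 1 in the clear, so the
    key can also be selected by identity (for example a hostname).
    """
    if mode == "aggressive" and ("hostname", ike_id) in keyring:
        return keyring[("hostname", ike_id)]
    return keyring.get(("address", peer_ip))

def phase1_keys(keyring, mode, peer_ip, ike_id, ni, nr, g_xy, cky_i, cky_r):
    """Derive the IKEv1 phase 1 keys, or None if no PSK can be selected."""
    psk = find_psk(keyring, mode, peer_ip, ike_id)
    if psk is None:
        return None
    # The derivation is identical for Main and Aggressive Mode.
    skeyid = prf(psk, ni + nr)                         # prf(PSK, Ni_b | Nr_b)
    base = g_xy + cky_i + cky_r
    skeyid_d = prf(skeyid, base + b"\x00")             # keying material for IPsec SAs
    skeyid_a = prf(skeyid, skeyid_d + base + b"\x01")  # ISAKMP authentication key
    skeyid_e = prf(skeyid, skeyid_a + base + b"\x02")  # ISAKMP encryption key
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}

# Constructed sample data (hostname, address and key string taken from the thread).
HOST_ONLY = {("hostname", "router3.king.com"): b"cisco"}
WITH_ADDRESS = {**HOST_ONLY, ("address", "10.20.30.40"): b"cisco"}
SAMPLE = dict(ni=bytes(range(16)), nr=bytes(range(16, 32)),
              g_xy=b"\x11" * 96, cky_i=b"\xaa" * 8, cky_r=b"\xbb" * 8)

if __name__ == "__main__":
    for name, ring in (("hostname key only", HOST_ONLY),
                       ("plus address key", WITH_ADDRESS)):
        for mode in ("main", "aggressive"):
            keys = phase1_keys(ring, mode, "10.20.30.40",
                               "router3.king.com", **SAMPLE)
            state = "no PSK found" if keys is None else keys["SKEYID_e"].hex()
            print(f"{name:18} {mode:10} {state}")
```

With only the hostname-keyed entry, the Main Mode lookup returns nothing while Aggressive Mode derives a full key set; once an address-keyed entry exists, both modes derive the same keys from the same PSK.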
