Guys,
Can someone explain to me why this is working?
I have got an IPsec tunnel between R1 and R7 using hostname as IKE ID.
Because I'm using hostname as ID I'm forced to use Aggressive mode, which
is fine.
What I don't understand is how it is possible that the PSK is matched based
on the IKE ID (hostname) when the configuration on the receiving router
doesn't have anything to match that specific IKE ID. There is no DNS server
or local ip host entry configured on the routers.
I can change the user-fqdn to any random string and the tunnel still comes
up.
Thanks!
R7
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp peer address 8.9.11.1
 set aggressive-mode password cisco
 set aggressive-mode client-endpoint user-fqdn R7
crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 8.9.11.1
 set transform-set ESP3DES
 match address l2l
R1
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp peer address 8.9.11.7
 set aggressive-mode password cisco
 set aggressive-mode client-endpoint user-fqdn R1
crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 8.9.11.7
 set transform-set ESP3DES
 match address l2l
 crypto map VPN
R1 (receiving side) debug output:
*Jun 14 13:22:49.619: ISAKMP: local port 500, remote port 500
*Jun 14 13:22:49.619: ISAKMP:(0):insert sa successfully sa = 6705E8E8
*Jun 14 13:22:49.619: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 14 13:22:49.619: ISAKMP:(0): processing ID payload. message ID = 0
*Jun 14 13:22:49.619: ISAKMP (0): ID payload
  next-payload : 13
  type : 3
  * USER FQDN : R7 *
  protocol : 17
  port : 0
  length : 10
*Jun 14 13:22:49.619: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 14 13:22:49.619: ISAKMP:(0): processing vendor id payload
...
**Jun 14 13:22:49.623: ISAKMP:(0):SA using tunnel password as pre-shared key.*
*Jun 14 13:22:49.623: ISAKMP:(0): local preshared key found
*Jun 14 13:22:49.623: ISAKMP : Scanning profiles for xauth ...
*Jun 14 13:22:49.623: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jun 14 13:22:49.623: ISAKMP: encryption 3DES-CBC
*Jun 14 13:22:49.623: ISAKMP: hash SHA
*Jun 14 13:22:49.623: ISAKMP: default group 2
*Jun 14 13:22:49.623: ISAKMP: auth pre-share
*Jun 14 13:22:49.623: ISAKMP: life type in seconds
*Jun 14 13:22:49.623: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Jun 14 13:22:49.623: ISAKMP:(0):atts are acceptable. Next payload is 0
....
**Jun 14 13:22:49.699: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_FQDN*
*Jun 14 13:22:49.699: ISAKMP (1003): ID payload
  next-payload : 10
  type : 2
  FQDN name : R1
  protocol : 0
  port : 0
  length : 10
*Jun 14 13:22:49.699: ISAKMP:(1003):Total payload length: 10
*Jun 14 13:22:49.699: ISAKMP:(1003): sending packet to 8.9.11.7 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 14 13:22:49.699: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 14 13:22:49.699: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 14 13:22:49.699: ISAKMP:(1003):Old State = IKE_READY New State = IKE_R_AM2
R1#sh crypto isakmp peers 8.9.11.7
Peer: 8.9.11.7 Port: 500 Local: 8.9.11.1
* Phase1 id: R7*
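The debug above answers the question in two lines: "peer matches *none* of the profiles" (no ISAKMP profile keyed on the identity) followed by "SA using tunnel password as pre-shared key" (the password bound to `crypto isakmp peer address 8.9.11.7` was picked by the peer's source address, so the IKE ID never enters the lookup). The following Python, added here as an example and not part of the original post or of Cisco IOS, does two things: it parses the R1 debug lines to extract the received ID payload and the PSK source that IOS reported, and it models the responder's key lookup in the order the debug shows. The lookup order and the `profiles`/`peer_passwords`/`address_keys` dictionaries are a simplified model built from this debug output, not IOS source; the sample debug text is excerpted from the post with the mail-client emphasis asterisks removed.

```python
import re

# IKEv1 identification types from the IPsec DOI (RFC 2407); IOS prints the number in "type :".
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}

# Fixed field names of the IOS "ID payload" dump; any other "name : value" line carries the identity.
ID_PAYLOAD_FIELDS = {"next-payload", "type", "protocol", "port", "length"}

# Constructed sample: R1's (responder) debug lines from the post, emphasis asterisks stripped.
SAMPLE_DEBUG = """\
*Jun 14 13:22:49.619: ISAKMP:(0): processing ID payload. message ID = 0
*Jun 14 13:22:49.619: ISAKMP (0): ID payload
  next-payload : 13
  type : 3
  USER FQDN : R7
  protocol : 17
  port : 0
  length : 10
*Jun 14 13:22:49.619: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 14 13:22:49.623: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Jun 14 13:22:49.623: ISAKMP:(0): local preshared key found
*Jun 14 13:22:49.699: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_FQDN
*Jun 14 13:22:49.699: ISAKMP (1003): ID payload
  next-payload : 10
  type : 2
  FQDN name : R1
  protocol : 0
  port : 0
  length : 10
"""


def parse_peer_id(debug_text):
    """Return (id_type_name, id_value) from the first ID payload dump, i.e. the peer's ID."""
    lines = debug_text.splitlines()
    for i, line in enumerate(lines):
        if not line.rstrip().endswith("ID payload"):
            continue
        id_type, id_value = None, None
        for field in lines[i + 1:i + 7]:
            if "ISAKMP" in field:          # next timestamped debug line: the dump is over
                break
            m = re.match(r"\s*(.+?)\s*:\s*(.*?)\s*$", field)
            if not m:
                continue
            key, val = m.groups()
            if key == "type":
                id_type = ID_TYPES.get(int(val), "UNKNOWN_%s" % val)
            elif key not in ID_PAYLOAD_FIELDS:
                id_value = val             # "USER FQDN : R7", "FQDN name : R1", ...
        return id_type, id_value
    return None, None


def psk_source(debug_text):
    """Report which key store the responder said it used for the pre-shared key."""
    if "SA using tunnel password as pre-shared key" in debug_text:
        return "tunnel password"
    if "local preshared key found" in debug_text:
        return "pre-shared key from another store"
    return "no pre-shared key found"


def select_psk(peer_ip, ike_id, cfg):
    """Simplified model (an assumption of this example, not IOS source) of the responder's
    PSK lookup in the order the debug shows: an ISAKMP profile matched on the identity
    first, then the aggressive-mode password bound to the peer address, then a global
    address key. Returns (source, key)."""
    if ike_id in cfg.get("profiles", {}):
        return "isakmp profile", cfg["profiles"][ike_id]
    if peer_ip in cfg.get("peer_passwords", {}):
        return "tunnel password", cfg["peer_passwords"][peer_ip]
    if peer_ip in cfg.get("address_keys", {}):
        return "address key", cfg["address_keys"][peer_ip]
    return "none", None


# R1's relevant configuration from the post: one 'crypto isakmp peer address 8.9.11.7'
# with 'set aggressive-mode password cisco', no ISAKMP profiles, no 'crypto isakmp key'.
R1_CONFIG = {"profiles": {}, "peer_passwords": {"8.9.11.7": "cisco"}, "address_keys": {}}

if __name__ == "__main__":
    print("peer ID:", parse_peer_id(SAMPLE_DEBUG), "| PSK source:", psk_source(SAMPLE_DEBUG))
    # The identity is irrelevant to the tunnel-password match; only the source address counts.
    for ike_id in ("R7", "any-random-string"):
        print(ike_id, "->", select_psk("8.9.11.7", ike_id, R1_CONFIG))
    print("8.9.11.9 ->", select_psk("8.9.11.9", "R7", R1_CONFIG))
```

Run it against R1's configuration and the ID `R7` and the ID `any-random-string` both resolve to the tunnel password `cisco`, while a peer arriving from an address with no `crypto isakmp peer address` entry gets no key at all. That is why the user-fqdn can be anything: the aggressive-mode password keys on the peer address, and the identity would only matter if an ISAKMP profile (or a hostname-keyed `crypto isakmp key`) were configured to match it.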