Hi Eugene,

Sorry if I seemed a little rough in my answer, it was not the intention. This is a good question after all.

I'm just trying to be more active on the forum so I can learn better. I just took my first attempt and I failed, so it's always good to see all the discussions here because it helps everyone on the path. After all, we are in the same boat. =)

BR,
Bruno Silva.

On 19/06/2012, at 01:42, Eugene Pefti wrote:

> Well, this was not my question, Bruno ;)
> It was Imre who started this thread and I tried to understand what was going on.
> Imre, what do you have in your crypto map for the peer? I'm almost positive it's an IP address, and as he stated there's neither DNS server nor IP host mapping configured.
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
> Sent: Monday, June 18, 2012 7:15 PM
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> Hi Eugene,
>
> Sorry, again, as other times I have put myself ahead of everything. When you configure your crypto map to apply to your interface you have to put the "set peer" command with the IP address, unless you have a DNS server configured for it to resolve the hostname.
>
> So again, there are 2 different sections here. First you configure the "crypto isakmp key [key] hostname [hostname]"; the other section is you configuring your crypto map:
>
>   crypto map l2l 10 ipsec-isakmp
>    set transform-set [transform-set]
>    match address [acl]
>    set peer [peer ip address]   --->>> here you can only put a hostname if you have DNS configured; this is how the initiator and responder match the IP address with the hostname.
>
> Again, unless I am wrong, this is how you configured your VPN. If you did put a hostname instead of the IP address then you have a DNS server configured on your router.
>
> Hopefully this solves your question.
>
> BR,
> Bruno Silva.
>
> On 18/06/2012, at 22:04, Eugene Pefti wrote:
>
> Hi Bruno,
> Haven't we seen the debugs where the initiator sends its hostname as an ID, not the IP address? The main question is how the responder knows the IP address of the initiator.
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
> Sent: Sunday, June 17, 2012 11:38 PM
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> Hi,
>
> When you have aggressive mode you exchange messages with the IDs in cleartext while performing DH. I believe that's the main reason why you don't have to have a DNS server configured in order to make it work.
>
> If it was main mode it would not work, because when the ISAKMP responder receives a main mode proposal from the initiator it would require knowing the PSK in advance, but in this case the responder does not know the ID of the initiator yet, so it has to select the IP address of the initiator as the ID. In this case, even if you have configured the hostname as the ID, it would use the IP address for the tunnel names. That is not the case with aggressive mode, because the responder knows the ID whether it's the hostname or the IP address.
>
> Br,
> Bruno Silva
>
> Sent via iPhone
>
> On 15/06/2012, at 14:54, Imre Oszkar <[email protected]> wrote:
>
> I don't have anything else on the routers, just interface config and routing. It's a clean setup just to play with the aggressive mode.
> Even if I had a wildcard preshared key, hostname is used as the IKE identity so it should not match on an address-based wildcard.
> At least this is what I would expect.
>
> On Fri, Jun 15, 2012 at 1:06 AM, Eugene Pefti <[email protected]> wrote:
> Doesn't make sense to me either.
> It's like you mentioned, DNS or an "ip host" entry that resolves hostname to IP.
> Any leftover "crypto isakmp peer hostname" by any chance? Or a wildcard 0.0.0.0 pre-shared key?
> What happens if you remove the part for aggressive mode? Does R1 authenticate R7?
> I remember there was a trick in one of the labs and even an error in the solution guide, but in your case it is kind of academic.
>
> From: Imre Oszkar <[email protected]>
> Date: Thursday, June 14, 2012 2:57 PM
> To: ccie security <[email protected]>
> Subject: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> crypto isakmp peer address
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
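The point argued in the thread (the responder can key its pre-shared key on a hostname only when that ID reaches it before the PSK is needed, which is true in aggressive mode and not in main mode) can be made concrete with a small model of the IKEv1 phase-1 key-selection step. The code below is an added illustration and is not part of the mailing-list discussion nor a real IKE implementation; the hostnames, addresses and keys are constructed, the encryption is a toy stand-in, and the authentication check is simplified to comparing the SKEYID each side derives.

```python
"""
Toy model of IKEv1 phase-1 PSK selection (constructed example, not an IKE
implementation). Shows why a PSK bound to a hostname ID works in aggressive
mode but not in main mode: in main mode the initiator's ID only arrives in
MM5, already encrypted under keys derived from SKEYID, and SKEYID itself
depends on the PSK, so the responder can only choose the PSK by source address.
"""
import hashlib
import hmac
import os

# Constructed responder PSK table (assumed names/addresses/keys).
PSK_BY_HOSTNAME = {"R7.lab.example": b"hostname-key-R7"}
PSK_BY_ADDRESS = {"10.0.0.7": b"address-key-R7"}


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 SKEYID for pre-shared-key auth: prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream 'cipher' standing in for phase-1 encryption. NOT secure; illustration only."""
    ks = hashlib.sha256(key).digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


def responder_lookup(src_addr: str, id_payload):
    """Responder picks a PSK: by ID when the ID is available in cleartext, else by source IP."""
    if id_payload is not None and id_payload in PSK_BY_HOSTNAME:
        return "hostname", PSK_BY_HOSTNAME[id_payload]
    return "address", PSK_BY_ADDRESS.get(src_addr)


def aggressive_mode(initiator_id: str, src_addr: str, psk_i: bytes) -> dict:
    """AM1 carries SA, KE, Ni and IDii in cleartext, so the responder can look up by hostname."""
    ni, nr = os.urandom(16), os.urandom(16)
    how, psk_r = responder_lookup(src_addr, initiator_id)
    if psk_r is None:
        return {"lookup": how, "auth": False}
    # Simplified stand-in for HASH_I/HASH_R verification: both sides must derive the same SKEYID.
    auth = hmac.compare_digest(skeyid(psk_i, ni, nr), skeyid(psk_r, ni, nr))
    return {"lookup": how, "auth": auth}


def main_mode(initiator_id: str, src_addr: str, psk_i: bytes) -> dict:
    """MM1-MM4 carry no ID; the responder must commit to a PSK by source address before MM5."""
    ni, nr = os.urandom(16), os.urandom(16)
    how, psk_r = responder_lookup(src_addr, None)
    if psk_r is None:
        return {"lookup": how, "auth": False, "decrypted_id": None}
    # MM5: IDii is sent encrypted under keys derived from the initiator's SKEYID.
    ciphertext = keystream_xor(skeyid(psk_i, ni, nr), initiator_id.encode())
    # The responder decrypts with the SKEYID from the PSK it already chose by address.
    decrypted = keystream_xor(skeyid(psk_r, ni, nr), ciphertext).decode(errors="replace")
    auth = hmac.compare_digest(skeyid(psk_i, ni, nr), skeyid(psk_r, ni, nr))
    return {"lookup": how, "auth": auth, "decrypted_id": decrypted}


if __name__ == "__main__":
    print("aggressive, hostname PSK:", aggressive_mode("R7.lab.example", "10.0.0.7", b"hostname-key-R7"))
    print("main, hostname PSK:     ", main_mode("R7.lab.example", "10.0.0.7", b"hostname-key-R7"))
    print("main, address PSK:      ", main_mode("R7.lab.example", "10.0.0.7", b"address-key-R7"))
```

Running it shows the aggressive-mode exchange authenticating with the hostname-bound key, while the same initiator in main mode only authenticates when it uses the key the responder selected by address; with the hostname key the responder's decryption of MM5 yields garbage and the hashes never match. The model also makes the trade-off visible from the defender's side: the very property that lets the hostname lookup work (the ID, and the responder's hash, travel in the clear) is why aggressive mode with pre-shared keys exposes material for offline PSK guessing and is generally disabled where main mode or IKEv2 is an option.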
