Let me give my understanding of aggressive mode, which might be useful for this
topic.

Aggressive mode sends the IKE ID in clear text. Hence the peer can use the
clear text IKE ID to look up the PSK, and hence we can use a hostname when
configuring PSKs. In the case of Main mode we need the PSK to be
configured with an address, as it is needed for shared secret generation.

Now, ideally this is how Aggressive mode is meant to be used:

   - There should be a hub & spoke topology using dynamic crypto maps on
   the hub.
   - Most of the spokes have dynamic addresses.
   - Hence we configure aggressive mode and use a dynamic crypto map on the
   hub.
   - The hub has PSKs configured for all spokes with hostnames.
   - The spokes send IKE IDs as hostnames, as they use dynamic addresses
   which might keep changing.
   - The spokes should have the PSK configured for the hub with its address, as
   the hub always has a static address.


It is recommended to configure PSKs with hostnames on the hub as the spokes' IP
addresses will keep changing. So here we don't need a DNS server or host mapping
on the hub, as the spokes always initiate the traffic.


The problem arises when we try to have both sides use PSKs with hostnames
with a regular site-to-site VPN without dynamic crypto maps. Now the
initiator will fail to initiate the tunnel as it can't find a matching PSK
for the peer address configured under the crypto map. If we configure DNS
or configure a manual mapping it will work. But I have seen it working without
the mapping also. It's safer to always have the mapping.




With regards
Kings
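The hub and spoke layout described in the message above, written out as an added Cisco IOS configuration example that is not part of the original mail thread. The hub address 203.0.113.1, the hostnames spoke1.example.com and hub.example.com, the key strings, the transform set and the protected subnets are assumed placeholders. It assumes the spoke initiates aggressive mode through an isakmp peer block whose client-endpoint FQDN is sent as the IKE ID, so the hub can key the spoke by that hostname while the spoke keys the hub by its static address.

```cisco
! ---- HUB (static public address, assumed 203.0.113.1) ----
hostname hub
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Hub keys each spoke by the FQDN it sends as its aggressive-mode IKE ID.
! No address is needed here because the spokes' addresses change.
crypto isakmp key Spoke1Key hostname spoke1.example.com
crypto isakmp key Spoke2Key hostname spoke2.example.com
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic crypto map: the hub only responds, so it needs no "set peer".
crypto dynamic-map DYN 10
 set transform-set TS
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPN

! ---- SPOKE (dynamic address; identifies itself as spoke1.example.com) ----
hostname spoke1
ip domain name example.com
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Spoke keys the hub by address: the hub address is static, and the
! initiator must find a PSK for the "set peer" address it dials.
crypto isakmp key Spoke1Key address 203.0.113.1
!
! Initiate aggressive mode towards the hub and send the FQDN as the ID
! (assumed mechanism: the peer block's client-endpoint becomes the IKE ID).
crypto isakmp peer address 203.0.113.1
 set aggressive-mode password Spoke1Key
 set aggressive-mode client-endpoint fqdn spoke1.example.com
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Assumed subnets: spoke LAN 192.168.1.0/24, hub LAN 192.168.0.0/24.
ip access-list extended HUB-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address HUB-TRAFFIC
!
interface GigabitEthernet0/0
 ip address dhcp
 crypto map VPN
!
! Pitfall from the thread: if the spoke instead keyed the hub by hostname
! ("crypto isakmp key Spoke1Key hostname hub.example.com"), the initiator
! could not match a PSK to the "set peer" address unless that name resolves,
! for example with a static mapping:
! ip host hub.example.com 203.0.113.1
```

The point to check on the hub is "show crypto isakmp sa": the spoke's SA should come up regardless of which address it dialed in from, because the PSK lookup keyed on the FQDN it sent, not on its address.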

On Tue, Jun 19, 2012 at 10:12 AM, Eugene Pefti <[email protected]> wrote:

> Well, this was not my question, Bruno ;)
>
> It was Imre who started this thread and I tried to understand what was
> going on.
>
> Imre, what do you have in your crypto map for the peer? I’m almost
> positive it’s an IP address and as he stated there’s neither DNS server nor
> IP host mapping configured.
>
> Eugene
>
>
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Bruno Silva
> Sent: Monday, June 18, 2012 7:15 PM
>
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
>  ** **
>
> Hi Eugene,****
>
> ** **
>
> Sorry, again, as other times I have put myself ahead of everything. When
> you configure your crypto map to apply in your interface you have to put
> the "set peer" command with the ip address, unless you have a DNS server
> configured for it to resolve the hostname.****
>
> ** **
>
> So again, there are 2 different sessions here, first you configure the
> "crypto isakmp key [key] host [hostname], the other section is you
> configuring your crypto map:****
>
> ** **
>
> crypto map l2l 10 ipsec-isakp****
>
>             set transform [transform-set]****
>
>             match address [acl]****
>
>             set peer [peer ip address] --->>> here you can only put a
> hostname if you have a dns configured, this is how the initiator and
> responder matches the ip address with the hostname.****
>
> ** **
>
> Again, unless I am wrong this is how you configured your VPN, if you did
> put a hostname instead of the ip address then you have a dns server
> configured on your router.****
>
> ** **
>
> Hopefully this solves your question.****
>
> ** **
>
> BR, ****
>
> Bruno Silva.****
>
> ** **
>
> On 18/06/2012, at 22:04, Eugene Pefti wrote:
>
> Hi Bruno,
>
> Haven’t we seen the debugs where the initiator sends its hostname as an ID
> and not the IP address? The main question is how the responder knows the IP
> address of the initiator.
>
> Eugene
>
>
> From: [email protected] [
> mailto:[email protected]<[email protected]>
> ] On Behalf Of Bruno Silva
> Sent: Sunday, June 17, 2012 11:38 PM
> To: ccie security
> Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
>
> Hi,
>
> When u have aggressive mode u exchange messages with the ids in cleartext
> while performing dh, i believe that's the main reason why you don't have to
> have a dns server configured in order to make it work.
>
> If it was main mode it would not work because when the isakmp responder
> receives a main mode proposal from the initiator it would require knowing the
> psk in advance, but in this case the responder does not know the id of the
> initiator yet, so it has to select the ip address of the initiator as the
> id. In this case even if u have configured the hostname as the id it would
> use the ip address for the tunnel names. That is not the case with
> aggressive mode because the responder knows the id, whether it's the
> hostname or the ip address.
>
> Br,
>
> Bruno silva
>
> Sent via iPhone
>
>
> On 15/06/2012, at 14:54, Imre Oszkar <[email protected]> wrote:
>
> I don't have anything else on the routers: interface config and routing,
> it's a clean setup just to play with the aggressive mode.
> Even if I had a wildcard preshared key, the hostname is used as the IKE
> identity so it should not match on an address based wildcard.
> At least this is what I would expect.
>
>
> On Fri, Jun 15, 2012 at 1:06 AM, Eugene Pefti <[email protected]>
> wrote:
>
> Doesn’t make sense to me either.
>
> It's like you mentioned DNS or "ip host" entry that resolves hostname to
> IP. Any leftovers "crypto isakmp peer hostname" by any chance? Or a wild
> card 0.0.0.0 pre-shared key?
>
> What happens if you remove the part for aggressive mode? Does R1
> authenticate R7?
>
> I remember there was a trick in one of the labs and even an error in the
> solution guide but in your case it is kind of academic.
>
> From: Imre Oszkar <[email protected]>
> Date: Thursday, June 14, 2012 2:57 PM
> To: ccie security <[email protected]>
> Subject: [OSL | CCIE_Security] aggressive mode with hostname IKE ID
>
> crypto isakmp peer address
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>