I believe this works because you are setting the IP address in the "crypto isakmp peer address" command. R1 knows the IP address of the remote peer by nature of receiving packets from it (source IP address in the IP header). Therefore, even though the IKE ID is set to FQDN, R1 can see that packets are sourced from R7's IP address and matches that IP address with the one in the isakmp peer statement.
I might be wrong, but that is what makes sense to me.

On Tue, Jun 19, 2012 at 3:32 PM, Imre Oszkar <[email protected]> wrote:
> Hi Kings,
>
> I have changed my config on R1 (hub) to dynamic crypto map. I have got
> exactly the same result.
>
> crypto config:
>
> !
> crypto isakmp policy 10
>  encr 3des
>  authentication pre-share
>  group 2
> crypto isakmp identity hostname
> !
> crypto isakmp peer address 8.9.11.7
>  set aggressive-mode password cisco
>  set aggressive-mode client-endpoint user-fqdn R1
> !
> !
> crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
> !
> crypto dynamic-map DYN 10
>  set transform-set ESP3DES
>  match address l2l
> !
> !
> crypto map VPN 10 ipsec-isakmp dynamic DYN
>
> debug snippet:
>
> *Jun 19 11:28:34.463: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_FQDN
> *Jun 19 11:28:34.463: ISAKMP (1003): ID payload
>         next-payload : 10
>         type         : 2
>         FQDN name    : R1
>         protocol     : 0
>         port         : 0
>         length       : 10
> *Jun 19 11:28:34.463: ISAKMP:(1003):Total payload length: 10
> *Jun 19 11:28:34.463: ISAKMP:(1003): sending packet to 8.9.11.7 my_port 500 peer_port 500 (R) AG_INIT_EXCH
> *Jun 19 11:28:34.463: ISAKMP:(1003):Sending an IKE IPv4 Packet.
> *Jun 19 11:28:34.467: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> *Jun 19 11:28:34.467: ISAKMP:(1003):Old State = IKE_READY  New State = IKE_R_AM2
>
> Tunnel is UP:
>
> R1#sh crypto session de
> Crypto session current status
>
> Interface: FastEthernet0/0
> Uptime: 00:04:55
> Session status: UP-ACTIVE
> Peer: 8.9.11.7 port 500 fvrf: (none) ivrf: (none)
>       Phase1_id: R7
>       Desc: (none)
>
> On Tue, Jun 19, 2012 at 12:27 AM, Kingsley Charles <[email protected]> wrote:
>>
>> Let me give my understanding on aggressive which might be useful for this
>> topic.
>>
>> Aggressive mode sends the IKE ID in clear text. Hence the peer can use
>> the clear text IKE ID to get the PSK and hence we can use hostname when
>> configuring PSKs.
>> In the case of Main mode we need the PSK to be configured
>> with address as it is needed for shared secret generation.
>>
>> Now, ideally this is how Aggressive mode is meant to be used:
>>
>> There should be a hub & spoke topology by using dynamic crypto maps on the
>> hub.
>> Most of the spokes have dynamic address.
>> Hence we configure aggressive mode and use dynamic crypto map on the hub.
>> The hub has psk configured for all spokes with hostnames.
>> The spokes send IKE IDs as hostnames as they use dynamic address which
>> might keep changing.
>> The spoke should have psk configured for the hub with address as the hub
>> always has a static address.
>>
>> It is recommended to configure psk with hostnames on the hub as the spokes' IP
>> address will keep changing. So here we don't need a dns server or host mapping
>> on the hub, as the spokes always initiate the traffic.
>>
>> Problem arises when we try to have both sides use psk with hostnames
>> with regular site to site VPN without dynamic crypto maps. Now the initiator
>> will fail to initiate the tunnel as it can't find a matching psk for the peer
>> address configured under the crypto map. If we configure for dns or
>> configure manual mapping it will work. But I have seen it working without the
>> mapping also. Safer to always have the mapping.
>>
>> With regards
>> Kings
>>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
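The thread's two explanations (Kingsley's, that aggressive mode carries the IKE ID in the clear so a hub can pick the PSK by hostname while main mode needs it by address; Joe's, that the responder always also knows the source address of the packet) can be followed in a small model of the RFC 2409 message order. The following is an added example written for this page, not code from anyone in the thread and not a wire-accurate IKE implementation: there is no Diffie-Hellman and no payload encoding, the PSK tables, the nonces and the `public_blob` stand-in for the DH values, cookies and SA proposal are all constructed, and `hash_r` is a simplified stand-in for the RFC 2409 HASH_R. It also shows the caveat that comes with the convenience: because HASH_R leaves the responder unencrypted in aggressive mode message 2, a passive observer can test PSK guesses offline, so an aggressive-mode PSK needs to be much stronger than a lab value like "cisco".

```python
"""Simplified model of how an IKEv1 responder selects a pre-shared key in
main mode versus aggressive mode. Constructed example, not a wire-accurate
IKE implementation: no Diffie-Hellman and no payload encoding. It keeps only
the message ordering from RFC 2409 and the key derivation
SKEYID = prf(PSK, Ni_b | Nr_b), which is enough to show why a hub can key
PSKs by hostname in aggressive mode but needs the address in main mode, and
why an aggressive-mode PSK is exposed to offline guessing."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional, Tuple


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf, here HMAC-SHA1 (the thread's transform set uses SHA)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(psk: bytes, ni: bytes, nr: bytes, public_blob: bytes, idir: bytes) -> bytes:
    """Stand-in for HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    public_blob stands for the DH values, cookies and SA proposal, all of which
    cross the wire unencrypted in both modes."""
    return prf(skeyid(psk, ni, nr), public_blob + idir)


# Hypothetical hub PSK tables. In IOS a 'crypto isakmp key' entry is keyed
# either by hostname or by address; these dicts are this example's own.
PSK_BY_HOSTNAME: Dict[str, bytes] = {"R7": b"cisco"}
PSK_BY_ADDRESS: Dict[str, bytes] = {"8.9.11.7": b"cisco"}
HUB_ID = b"R1"


def aggressive_mode_responder(idii: str, ni: bytes, nr: bytes,
                              public_blob: bytes) -> Tuple[str, bytes]:
    """AM message 1 is HDR, SA, KE, Ni, IDii with IDii in the clear, so the
    responder can choose the PSK by the peer's hostname before deriving any
    key. Returns the selector it used and HASH_R, which it sends unencrypted
    in AM message 2."""
    psk = PSK_BY_HOSTNAME.get(idii)
    if psk is None:
        raise LookupError(f"no PSK for hostname {idii!r}")
    return f"hostname {idii}", hash_r(psk, ni, nr, public_blob, HUB_ID)


def main_mode_responder(src_ip: str, ni: bytes, nr: bytes) -> Tuple[str, bytes]:
    """MM messages 1-4 carry SA, KE and nonces only; IDii first appears in
    message 5, already encrypted under a key derived from SKEYID. The responder
    therefore needs the PSK before it can read the ID, and the only selector it
    has by then is the packet's source address. Returns the selector and SKEYID."""
    psk = PSK_BY_ADDRESS.get(src_ip)
    if psk is None:
        raise LookupError(f"no PSK for address {src_ip}")
    return f"address {src_ip}", skeyid(psk, ni, nr)


def offline_psk_guess(ni: bytes, nr: bytes, public_blob: bytes, idir: bytes,
                      observed_hash_r: bytes, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Every input to HASH_R except the PSK is visible to a passive observer of
    an aggressive-mode exchange, so the PSK can be tested offline against a
    wordlist. Returns the first candidate that reproduces the observed HASH_R."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate, ni, nr, public_blob, idir), observed_hash_r):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed nonces and public values; real ones come from the IKE packets.
    ni, nr, public_blob = b"\x01" * 16, b"\x02" * 16, b"dh-values|cookies|SAi_b"
    selector, observed = aggressive_mode_responder("R7", ni, nr, public_blob)
    print("aggressive mode: PSK selected by", selector)
    print("main mode:       PSK selected by", main_mode_responder("8.9.11.7", ni, nr)[0])
    print("recovered from AM HASH_R:",
          offline_psk_guess(ni, nr, public_blob, HUB_ID, observed, [b"secret", b"cisco"]))
```

The model deliberately leaves out everything that does not affect the lookup order; what it shows is that `main_mode_responder` never sees a hostname before it has to pick a key, which is the reason the initiator in Kingsley's last paragraph cannot find a hostname-keyed PSK for a peer configured by address, and that `offline_psk_guess` only needs the values a sniffer on the path between R1 and R7 would already have.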
