Hi Joe, I agree: the PSK is matched based on the initiator IP address, which means that the IKE ID is not taken into consideration by the receiver. Or maybe aggressive mode has a fallback mechanism to the IP address? Or maybe it is a bug?
On Tue, Jun 19, 2012 at 12:44 PM, Joe Astorino <[email protected]> wrote:

> I believe this works because you are setting the IP address in the
> "crypto isakmp peer address" command. R1 knows the IP address of the
> remote peer by nature of receiving packets from it (source IP address
> in the IP header). Therefore, even though the IKE ID is set to FQDN,
> R1 can see that packets are sourced from R7's IP address and matches
> that IP address with the one in the isakmp peer statement.
>
> I might be wrong, but that is what makes sense to me.
>
> On Tue, Jun 19, 2012 at 3:32 PM, Imre Oszkar <[email protected]> wrote:
> > Hi Kings,
> >
> > I have changed my config on R1 (hub) to dynamic crypto map. I have got
> > exactly the same result.
> >
> > crypto config:
> >
> > !
> > crypto isakmp policy 10
> > encr 3des
> > authentication pre-share
> > group 2
> > crypto isakmp identity hostname
> > !
> > crypto isakmp peer address 8.9.11.7
> > set aggressive-mode password cisco
> > set aggressive-mode client-endpoint user-fqdn R1
> > !
> > !
> > crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
> > !
> > crypto dynamic-map DYN 10
> > set transform-set ESP3DES
> > match address l2l
> > !
> > !
> > crypto map VPN 10 ipsec-isakmp dynamic DYN
> >
> > debug snippet:
> >
> > *Jun 19 11:28:34.463: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_FQDN
> > *Jun 19 11:28:34.463: ISAKMP (1003): ID payload
> >         next-payload : 10
> >         type         : 2
> >         FQDN name    : R1
> >         protocol     : 0
> >         port         : 0
> >         length       : 10
> > *Jun 19 11:28:34.463: ISAKMP:(1003):Total payload length: 10
> > *Jun 19 11:28:34.463: ISAKMP:(1003): sending packet to 8.9.11.7 my_port 500 peer_port 500 (R) AG_INIT_EXCH
> > *Jun 19 11:28:34.463: ISAKMP:(1003):Sending an IKE IPv4 Packet.
> > *Jun 19 11:28:34.467: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> > *Jun 19 11:28:34.467: ISAKMP:(1003):Old State = IKE_READY New State = IKE_R_AM2
> >
> > Tunnel is UP:
> >
> > R1#sh crypto session de
> > Crypto session current status
> >
> > Interface: FastEthernet0/0
> > Uptime: 00:04:55
> > Session status: UP-ACTIVE
> > Peer: 8.9.11.7 port 500 fvrf: (none) ivrf: (none)
> >       Phase1_id: R7
> >       Desc: (none)
> >
> > On Tue, Jun 19, 2012 at 12:27 AM, Kingsley Charles <[email protected]> wrote:
> >>
> >> Let me give my understanding on aggressive mode which might be useful for this topic.
> >>
> >> Aggressive mode sends the IKE ID in clear text. Hence the peer can use the clear text IKE ID to get the PSK, and hence we can use hostname when configuring PSKs. In the case of Main mode we need the PSK to be configured with address, as it is needed for shared secret generation.
> >>
> >> Now, ideally this is how Aggressive mode is meant to be used:
> >>
> >> There should be a hub & spoke topology by using dynamic crypto maps on the hub.
> >> Most of the spokes have dynamic addresses.
> >> Hence we configure aggressive mode and use dynamic crypto map on the hub.
> >> The hub has psk configured for all spokes with hostnames.
> >> The spokes send IKE IDs as hostnames as they use dynamic addresses which might keep changing.
> >> The spoke should have psk configured for the hub with address, as the hub always has a static address.
> >>
> >> It is recommended to configure psk with hostnames on the hub as the spokes' IP addresses will keep changing. So here we don't need a dns server or host mapping on the hub, as the spokes always initiate the traffic.
> >>
> >> The problem arises when we try to have both sides use psk with hostnames with a regular site to site VPN without dynamic crypto maps. Now the initiator will fail to initiate the tunnel as it can't find a matching psk for the peer address configured under the crypto map. If we configure for dns or configure manual mapping it will work. But I have seen it working without the mapping also. Safer to always have the mapping.
> >>
> >> With regards
> >> Kings
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
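The ID payload fields in the quoted debug (next-payload 10, type 2, length 10 for the two-character FQDN "R1") follow the ISAKMP Identification payload layout from RFC 2408. As an added example, not code from this thread or from Cisco, the Python below encodes and decodes that payload and models the two PSK-selection strategies the thread debates: hostname lookup from the clear-text aggressive-mode ID, and address lookup from the packet source. The keyring and PSK strings are constructed placeholders, and lookup_psk is a model of the discussion, not a description of IOS internals.

```python
import struct
from dataclasses import dataclass

# ISAKMP Identification payload (RFC 2408, section 3.8), 8-byte header + data:
#   Next Payload (1) | RESERVED (1) | Payload Length (2) |
#   ID Type (1) | Protocol ID (1) | Port (2) | Identification Data (n)
ID_FQDN, ID_USER_FQDN = 2, 3
NEXT_PAYLOAD_NONCE = 10  # the "next-payload : 10" seen in the debug output


@dataclass
class IdPayload:
    next_payload: int
    id_type: int
    protocol: int
    port: int
    data: bytes


def build_id_payload(next_payload, id_type, data, protocol=0, port=0):
    """Encode an ID payload; the 8-byte header is why 'R1' gives 'length : 10'."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data),
                       id_type, protocol, port) + data


def parse_id_payload(buf):
    """Decode an ID payload, rejecting truncated or over-long length fields."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload header")
    nxt, _rsvd, length, id_type, proto, port = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError(f"bad ID payload length {length}")
    return IdPayload(nxt, id_type, proto, port, buf[8:length])


def lookup_psk(keyring, peer_ip, id_payload=None):
    """Model (not IOS code) of the two PSK selections the thread discusses.

    Aggressive mode carries the ID payload in the clear in message 1, so a
    hostname-keyed PSK can be chosen from it; in main mode the ID is encrypted
    with PSK-derived keys, so only the packet's source address is usable.
    """
    if id_payload is not None and id_payload.id_type in (ID_FQDN, ID_USER_FQDN):
        name = id_payload.data.decode("ascii", errors="replace")
        if name in keyring.get("hostname", {}):
            return ("hostname", keyring["hostname"][name])
    if peer_ip in keyring.get("address", {}):
        return ("address", keyring["address"][peer_ip])
    return None


# Constructed hub keyring for spoke R7 at 8.9.11.7 (PSK strings are placeholders).
HUB_KEYRING = {"hostname": {"R7": "PSK-BY-NAME"}, "address": {"8.9.11.7": "PSK-BY-ADDR"}}
```

Passing the parsed payload selects the hostname key, passing None (the main-mode situation, where no clear-text ID exists yet) falls through to the address key, and a keyring with neither entry returns None.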
