Hi Joe,

I agree, the PSK is matched based on the initiator IP address, which means
that the IKE ID is not taken into consideration by the receiver, or maybe
aggressive mode has a fallback mechanism to the IP address? Or maybe it is a
bug?


On Tue, Jun 19, 2012 at 12:44 PM, Joe Astorino <[email protected]> wrote:

> I believe this works because you are setting the IP address in the
> "crypto isakmp peer address" command.  R1 knows the IP address of the
> remote peer by nature of receiving packets from it (source IP address
> in the IP header).  Therefore, even though the IKE ID is set to FQDN,
> R1 can see that packets are sourced from R7's IP address and matches
> that IP address with the one in the isakmp peer statement.
>
> I might be wrong, but that is what makes sense to me.
>
> On Tue, Jun 19, 2012 at 3:32 PM, Imre Oszkar <[email protected]> wrote:
> > Hi Kings,
> >
> > I have changed my config on R1 (hub) to dynamic crypto map. I have got
> > exactly the same result.
> >
> > crypto config:
> >
> > !
> >
> > crypto isakmp policy 10
> >  encr 3des
> >  authentication pre-share
> >  group 2
> > crypto isakmp identity hostname
> > !
> > crypto isakmp peer address 8.9.11.7
> >  set aggressive-mode password cisco
> >  set aggressive-mode client-endpoint user-fqdn R1
> > !
> > !
> >
> > crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
> > !
> > crypto dynamic-map DYN 10
> >
> >  set transform-set ESP3DES
> >  match address l2l
> > !
> > !
> > crypto map VPN 10 ipsec-isakmp dynamic DYN
> >
> >
> > debug snippet:
> >
> > *Jun 19 11:28:34.463: ISAKMP:(1003):SA is doing pre-shared key
> > authentication using id type ID_FQDN
> > *Jun 19 11:28:34.463: ISAKMP (1003): ID payload
> >         next-payload : 10
> >         type         : 2
> >         FQDN name    : R1
> >         protocol     : 0
> >         port         : 0
> >         length       : 10
> > *Jun 19 11:28:34.463: ISAKMP:(1003):Total payload length: 10
> > *Jun 19 11:28:34.463: ISAKMP:(1003): sending packet to 8.9.11.7 my_port 500 peer_port 500 (R) AG_INIT_EXCH
> > *Jun 19 11:28:34.463: ISAKMP:(1003):Sending an IKE IPv4 Packet.
> > *Jun 19 11:28:34.467: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> > *Jun 19 11:28:34.467: ISAKMP:(1003):Old State = IKE_READY  New State = IKE_R_AM2
> >
> >
> > Tunnel is UP:
> >
> > R1#sh crypto session de
> > Crypto session current status
> >
> > Interface: FastEthernet0/0
> > Uptime: 00:04:55
> >
> > Session status: UP-ACTIVE
> > Peer: 8.9.11.7 port 500 fvrf: (none) ivrf: (none)
> >       Phase1_id: R7
> >       Desc: (none)
> >
> >
> >
> > On Tue, Jun 19, 2012 at 12:27 AM, Kingsley Charles
> > <[email protected]> wrote:
> >>
> >> Let me give my understanding on aggressive which might be useful for this
> >> topic.
> >>
> >> Aggressive mode sends the IKE ID in clear text. Hence the peer can use
> >> the clear text IKE ID to get the PSK and hence we can use hostname when
> >> configuring PSKs. In the case of Main mode we need the PSK to be configured
> >> with address as it is needed for shared secret generation.
> >>
> >> Now, ideally this is how Aggressive mode is meant to be used:
> >>
> >> There should be a hub & spoke topology by using dynamic crypto maps on the
> >> hub.
> >> Most of the spokes have dynamic addresses.
> >> Hence we configure aggressive mode and use dynamic crypto map on the hub.
> >> The hub has PSKs configured for all spokes with hostnames.
> >> The spokes send IKE IDs as hostnames as they use dynamic addresses which
> >> might keep changing.
> >> The spokes should have the PSK configured for the hub with address, as the
> >> hub always has a static address.
> >>
> >>
> >> It is recommended to configure PSKs with hostnames on the hub as the spokes'
> >> IP addresses will keep changing. So here we don't need a DNS server or host
> >> mapping on the hub, as the spokes always initiate the traffic.
> >>
> >>
> >> Problems arise when we try to have both sides use PSKs with hostnames
> >> with regular site-to-site VPN without dynamic crypto maps. Now the initiator
> >> will fail to initiate the tunnel as it can't find a matching PSK for the peer
> >> address configured under the crypto map. If we configure DNS or
> >> configure manual mapping it will work. But I have seen it working without the
> >> mapping also. Safer to always have the mapping.
> >>
> >>
> >>
> >>
> >> With regards
> >> Kings
> >>
> >>
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
>
>
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan
>
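As an added illustration of the point argued in this thread (not code from any of the posters or from Cisco IOS), the following model encodes and decodes the ISAKMP Identification payload exactly as it appears in the debug above (type 2 = ID_FQDN, name R1, length 10, next payload 10 = Nonce) and then models the two PSK-lookup strategies under discussion: main mode can only select the PSK by the peer's source address, because the ID payload arrives in messages that are already encrypted with keys derived from that PSK, whereas aggressive mode receives the ID in clear and can try a hostname-keyed entry first and fall back to the address-keyed entry (the fallback the thread speculates about). The keyring contents, `lookup_psk` and `HOSTNAME_KEYRING` are constructed assumptions mirroring the quoted `crypto isakmp peer address 8.9.11.7` configuration, not Cisco's implementation.

```python
import struct
from ipaddress import ip_address

# ISAKMP Identification payload: generic header (RFC 2408 3.8) + ID type,
# protocol, port (RFC 2407 4.6.2).  Only the ID types seen in the thread are named.
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = 1, 2, 3
NEXT_PAYLOAD_NONCE = 10          # the "next-payload : 10" in the debug output

def encode_id_payload(id_type, data, next_payload=NEXT_PAYLOAD_NONCE, protocol=0, port=0):
    """Build the payload: next(1) reserved(1) length(2) | type(1) proto(1) port(2) | data."""
    body = struct.pack("!BBH", id_type, protocol, port) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body

def decode_id_payload(raw):
    """Parse and length-check an ID payload; raises on a truncated or padded buffer."""
    next_payload, _reserved, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 8:
        raise ValueError("bad ID payload length")
    id_type, protocol, port = struct.unpack("!BBH", raw[4:8])
    return {"next_payload": next_payload, "type": id_type, "protocol": protocol,
            "port": port, "length": length, "data": raw[8:length]}

def id_as_text(payload):
    """Render the identity the way the debug prints it (dotted quad or name)."""
    if payload["type"] == ID_IPV4_ADDR:
        return str(ip_address(payload["data"]))
    return payload["data"].decode("ascii")

# Constructed keyring mirroring the quoted hub config: the only PSK entry is keyed by
# the spoke's address (crypto isakmp peer address 8.9.11.7), although the spoke
# identifies itself by hostname.  HOSTNAME_KEYRING is an assumed second table.
KEYRING = {"8.9.11.7": "cisco"}
HOSTNAME_KEYRING = {}

def lookup_psk(mode, peer_ip, id_payload=None):
    """Assumed model of responder PSK selection, not Cisco's code.
    main: the ID is still encrypted, so only the source address can be used.
    aggressive: the clear-text ID can be tried first, then fall back to address."""
    if mode == "aggressive" and id_payload is not None:
        ident = decode_id_payload(id_payload)
        if ident["type"] in (ID_FQDN, ID_USER_FQDN):
            psk = HOSTNAME_KEYRING.get(id_as_text(ident))
            if psk:
                return psk, "hostname"
    psk = KEYRING.get(peer_ip)
    return (psk, "address") if psk else (None, None)
```

With the thread's configuration the aggressive-mode lookup succeeds via the address entry, which is consistent with the tunnel coming up although the ID is an FQDN; a spoke whose address changes would get no match unless a hostname-keyed entry existed.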