Come on, Bruno, you didn't fail. We are all discussing here numerous Cisco 
pitfalls they threw on us. Sometimes the discussion becomes a verification of 
our knowledge and validation of Cisco documentation.
Keep on ;)

From: [email protected] 
[mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Monday, June 18, 2012 10:27 PM
To: ccie security
Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID

Hi Eugene,

Sorry if I seemed a little rough on my answer, it was not the intention. This 
is a good question after all.

I'm just trying to be more active on the forum so I can learn better. I just 
took my first attempt and I failed, so it's always good to see all the 
discussions here because it helps everyone on the path. After all, we are in the 
same boat. =)

BR,
Bruno Silva.

On 19/06/2012, at 01:42, Eugene Pefti wrote:

Well, this was not my question, Bruno ;)
It was Imre who started this thread and I tried to understand what was going on.
Imre, what do you have in your crypto map for the peer? I'm almost positive 
it's an IP address and as he stated there's neither DNS server nor IP host 
mapping configured

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Monday, June 18, 2012 7:15 PM
To: ccie security
Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID

Hi Eugene,

Sorry, again, as other times I have put myself ahead of everything. When you 
configure your crypto map to apply in your interface you have to put the "set 
peer" command with the ip address, unless you have a DNS server configured for 
it to resolve the hostname.

So again, there are 2 different sections here: first you configure the "crypto 
isakmp key [key] hostname [hostname]" command, the other section is you configuring 
your crypto map:

crypto map l2l 10 ipsec-isakmp
            set transform-set [transform-set]
            match address [acl]
            set peer [peer ip address] --->>> here you can only put a hostname 
if you have a DNS configured; this is how the initiator and responder match 
the ip address with the hostname.

Again, unless I am wrong this is how you configured your VPN, if you did put a 
hostname instead of the ip address then you have a dns server configured on 
your router.

Hopefully this solves your question.

BR,
Bruno Silva.

On 18/06/2012, at 22:04, Eugene Pefti wrote:

Hi Bruno,
Haven't we seen the debugs where the initiator sends its hostname as an ID not 
the IP address? The main question is how the responder knows the IP address of 
the initiator.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Sunday, June 17, 2012 11:38 PM
To: ccie security
Subject: Re: [OSL | CCIE_Security] aggressive mode with hostname IKE ID

Hi,

When you have aggressive mode you exchange messages with the IDs in cleartext 
while performing DH; I believe that's the main reason why you don't have to have 
a DNS server configured in order to make it work.

If it was main mode it would not work, because when the ISAKMP responder 
receives a main mode proposal from the initiator it would require knowing the PSK 
in advance, but in this case the responder does not know the ID of the initiator 
yet, so it has to select the IP address of the initiator as the ID; in this case 
even if you have configured the hostname as the ID it would use the IP address 
for the tunnel names. That is not the case with aggressive mode, because the 
responder knows the ID whether it's the hostname or the IP address.

Br,
Bruno silva

Sent via iPhone
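
To make the two points in the messages above concrete (the responder picking a 
pre-shared key from a hostname ID without any name resolution, and "set peer" 
in the crypto map still being an IP address), here is a pair of lab 
configurations. This is an added example, not a configuration posted by anyone 
in the thread; the addresses (10.1.17.1 / 10.1.17.7), the FQDN R1.lab.local, 
the protected subnets, the interface names and the pre-shared key cisco123 are 
all assumptions. R1 initiates aggressive mode and sends an FQDN as its IKE ID; 
R7 has neither "ip name-server" nor an "ip host" entry for R1.

```cisco
! ===== R1 (initiator) =====
! Assumed lab values (example only, not from the thread): R1 = 10.1.17.1,
! R7 = 10.1.17.7, PSK "cisco123", R1's IKE identity = FQDN R1.lab.local.
hostname R1
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Use an FQDN as the IKE ID instead of the interface address.
crypto isakmp identity hostname
!
! Initiate aggressive mode towards R7. The ID payload (the FQDN) is sent
! in cleartext in message 1, together with R1's DH public value and nonce,
! so R7 can select a key by name before any authentication happens.
crypto isakmp peer address 10.1.17.7
 set aggressive-mode password cisco123
 set aggressive-mode client-endpoint fqdn R1.lab.local
!
! R7 identifies itself by address in its reply, so an address-based key
! covers the responder side.
crypto isakmp key cisco123 address 10.1.17.7
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
!
! "set peer" stays an IP address: the crypto map needs somewhere to send
! the IKE packets, independent of the ID type IKE uses. A name here would
! only work with DNS or an "ip host" entry on this router.
crypto map L2L 10 ipsec-isakmp
 set peer 10.1.17.7
 set transform-set TS
 match address VPN_ACL
!
interface GigabitEthernet0/0
 ip address 10.1.17.1 255.255.255.0
 crypto map L2L
!
! ===== R7 (responder) =====
! Deliberately no "ip name-server" and no "ip host R1.lab.local ..." here.
hostname R7
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! Key selected by the FQDN carried in R1's aggressive-mode message 1.
! The ISAKMP/IPsec SA is still bound to the source address of that packet
! (10.1.17.1); the hostname is only used to look up the key.
crypto isakmp key cisco123 hostname R1.lab.local
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN_ACL
 permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map L2L 10 ipsec-isakmp
 set peer 10.1.17.1
 set transform-set TS
 match address VPN_ACL
!
interface GigabitEthernet0/0
 ip address 10.1.17.7 255.255.255.0
 crypto map L2L
```

To check it, send traffic between the two subnets and run "show crypto isakmp 
sa detail" on R7: the SA lists the peer by its address and the mode as 
aggressive, and "debug crypto isakmp" on R7 shows the FQDN ID payload arriving 
in the first packet. Two caveats a practitioner would want: if R1 is switched 
back to main mode with the same hostname identity, R7 cannot find a key by name 
before the PSK is needed and falls back to the initiator's address, which is 
exactly when a DNS or "ip host" mapping on the responder becomes necessary; and 
aggressive mode exposes the initiator's identity and a PSK-derived hash to any 
passive observer on the path, so in production it is only acceptable with a 
strong, unique pre-shared key or, better, certificate authentication.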

On 15/06/2012, at 14:54, Imre Oszkar <[email protected]> wrote:
I don't have anything else on the routers: interface config and routing, it's a 
clean setup just to play with the aggressive mode.
Even if I had a wildcard preshared key, hostname is used as the IKE identity, 
so it should not match an address-based wildcard.
At least this is what I would expect.

On Fri, Jun 15, 2012 at 1:06 AM, Eugene Pefti <[email protected]> wrote:
Doesn't make sense to me either.
It's like you mentioned DNS or "ip host" entry that resolves hostname to IP. 
Any leftovers "crypto isakmp peer hostname" by any chance ? Or a wild card 
0.0.0.0 pre-shared key ?
What happens if you remove the part for aggressive mode ? Does R1 authenticate 
R7 ?
I remember there was a trick in one of the labs and even an error in the 
solution guide but in your case it is kind of academic.

From: Imre Oszkar <[email protected]>
Date: Thursday, June 14, 2012 2:57 PM
To: ccie security <[email protected]>
Subject: [OSL | CCIE_Security] aggressive mode with hostname IKE ID

crypto isakmp peer address

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
