From: Justin Menga (Justin.Menga@nz.logical.com)
Date: Wed Dec 25 2002 - 06:47:08 GMT-3
Hi,
When you are using pre-shared keys, using an ISAKMP identity of hostname is
only supported when using aggressive mode during ISAKMP phase 1
negotiations. Cisco IOS (except for recent releases) does not support the
initiation of aggressive mode, only response to aggressive mode, therefore
if you have two Cisco routers in a VPN connection, the ISAKMP phase 1
negotiations will always be in main mode.
Regards,
Justin
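The mechanism behind the point above, as an added example in Python (not code from Justin's reply or from Richard's configs): it builds and parses the ISAKMP Identification payload (RFC 2407, section 4.6.2) that a router sends with "crypto isakmp identity hostname", reproducing the figures in the debug further down the thread (type 2 = ID_FQDN, protocol 17, port 500, length 16, total payload length 20 for the 12-byte FQDN r4.cisco.com), and then models the responder's pre-shared-key selection in main mode versus aggressive mode. In main mode the initiator's ID only arrives in message 5, already encrypted under keys derived from SKEYID, which for pre-shared-key authentication is itself derived from the PSK; the responder therefore has only the peer's source address when it must pick the key, and a key stored under a hostname cannot be found. In aggressive mode the ID travels in clear in message 1. The dict-shaped keyring, the lookup_psk helper, the fallback to an address lookup in aggressive mode, and the reading of the IOS "length" field as the payload minus its 4-byte generic header are assumptions made for this example; it models key selection only, not the full exchange, and talks to no router.

```python
"""IKEv1 phase-1 identity vs. pre-shared-key selection (added example).

Reproduces the ID payload figures from the thread's debug and models why a
PSK stored under a hostname is only reachable in aggressive mode. All inputs
are constructed for the example; nothing here talks to a router.
"""
import ipaddress
import struct
from typing import Optional

# RFC 2407 Identification Type values used in the thread
ID_IPV4_ADDR = 1
ID_FQDN = 2
PROTO_UDP = 17
ISAKMP_PORT = 500


def build_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Generic payload header (next, reserved, length) + ID type/proto/port + data."""
    body = struct.pack("!BBH", id_type, PROTO_UDP, ISAKMP_PORT) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw: bytes) -> dict:
    """Decode an ID payload; rejects truncated, padded or unknown-type buffers."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    next_payload, reserved, total = struct.unpack("!BBH", raw[:4])
    if reserved != 0 or total != len(raw):
        raise ValueError("ID payload length does not match buffer")
    id_type, proto, port = struct.unpack("!BBH", raw[4:8])
    data = raw[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        identity = str(ipaddress.IPv4Address(data))
    elif id_type == ID_FQDN:
        identity = data.decode("ascii")
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return {
        "next_payload": next_payload,
        "type": id_type,
        "protocol": proto,
        "port": port,
        # Assumption: the 'length' IOS prints is the payload minus its 4-byte
        # generic header; that is the reading under which the thread's
        # "length : 16" / "Total payload length: 20" pair fits a 12-byte FQDN.
        "length": total - 4,
        "total_length": total,
        "identity": identity,
    }


def lookup_psk(keyring: dict, mode: str, src_ip: str,
               id_payload: Optional[bytes] = None) -> Optional[str]:
    """Select the PSK a responder could use for an incoming phase 1.

    keyring is a hypothetical dict keyed on ("hostname", fqdn) or
    ("address", ip), mirroring 'crypto isakmp key <key> hostname|address ...'.
    main mode:       the ID arrives encrypted in message 5, after the PSK was
                     already needed for SKEYID, so only the source address is
                     available for key selection.
    aggressive mode: the ID is in clear in message 1, so the key can be found
                     by FQDN or address; falls back to the source address.
    """
    if mode == "main":
        return keyring.get(("address", src_ip))
    if mode == "aggressive":
        if id_payload is None:
            raise ValueError("aggressive mode message 1 always carries an ID payload")
        ident = parse_id_payload(id_payload)
        selector = "hostname" if ident["type"] == ID_FQDN else "address"
        key = keyring.get((selector, ident["identity"]))
        return key if key is not None else keyring.get(("address", src_ip))
    raise ValueError(f"unknown IKEv1 phase 1 mode {mode!r}")


# R5's keyring from the thread: key 'cisco' stored under R4's FQDN only.
R5_KEYRING_HOSTNAME = {("hostname", "r4.cisco.com"): "cisco"}
# The 'address' variant that worked for the poster.
R5_KEYRING_ADDRESS = {("address", "10.0.0.4"): "cisco"}
# R4 with 'hostname r4' and 'ip domain-name cisco.com' identifies itself as r4.cisco.com.
R4_ID = build_id_payload(ID_FQDN, b"r4.cisco.com")


if __name__ == "__main__":
    print(parse_id_payload(R4_ID))
    for name, ring in (("hostname", R5_KEYRING_HOSTNAME), ("address", R5_KEYRING_ADDRESS)):
        for mode in ("main", "aggressive"):
            print(f"key by {name:8s} {mode:10s} -> {lookup_psk(ring, mode, '10.0.0.4', R4_ID)!r}")
```

Run stand-alone it prints the decoded ID payload and the four key-selection outcomes; the hostname-keyed ring yields no key in main mode and "cisco" in aggressive mode, which is the combination the thread is about.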
-----Original Message-----
From: Richard Hanks [mailto:ccieingroup@hotmail.com]
Sent: Tuesday, December 24, 2002 12:58 PM
To: ccielab@groupstudy.com
Subject: IPSec identity question?
Hi Guys,
For preparing the lab test, I did some practice with IPSec on my routers.
When I used the ip address to build the peer relationship, everything worked
fine. But when I replaced the "ip address" with the hostname + identity, no
matter what I tried, the ISAKMP peer could not be built. Could you give me
some hints or advice about my configuration? Thanks a lot and Merry
Christmas!
R4(e0:10.0.0.4)------IPSec--------(e0:10.0.0.5)R5
R5:
hostname r5
ip host r4.cisco.com 10.0.0.4
ip domain-name cisco.com
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
!
crypto isakmp key cisco hostname r4.cisco.com
! (I also tried "r4" here)
crypto isakmp identity hostname
!
crypto ipsec transform-set trans1 esp-des
!
crypto map map1 10 ipsec-isakmp
 set peer 10.0.0.4
 ! (when I set r4.cisco.com here, it was replaced by the IP address automatically)
 set transform-set trans1
 match address 100
!
interface Ethernet0
 ip address 10.0.0.5 255.255.255.0
 no ip mroute-cache
 crypto map map1
!
access-list 100 permit icmp any any
R4:
hostname r4
ip host r5.cisco.com 10.0.0.5
ip domain-name cisco.com
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
!
crypto isakmp key cisco hostname r5.cisco.com
! (I also tried "r5" here)
crypto isakmp identity hostname
!
crypto ipsec transform-set trans1 esp-des
!
crypto map map1 10 ipsec-isakmp
 set peer 10.0.0.5
 set transform-set trans1
 match address 100
!
interface Ethernet0
 ip address 10.0.0.4 255.255.255.0
 no ip mroute-cache
 crypto map map1
!
access-list 100 permit icmp any any
After I ping 10.0.0.5 from R4, this is what I get:
r4#sh cry isa sa
dst             src             state           conn-id   slot
10.0.0.5        10.0.0.4        AG_INIT_EXCH    1         0
r4#p 10.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r4#
*Mar 1 01:04:38: IPSEC(sa_request): ,
  (key eng. msg.) src= 10.0.0.4, dest= 10.0.0.5,
    src_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    dest_proxy= 0.0.0.0/0.0.0.0/1/0 (type=4),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0xB1B026B(186319467), conn_id= 0, keysize= 0, flags= 0x4004
*Mar 1 01:04:38: ISAKMP: received ke message (1/1)
*Mar 1 01:04:40: ISAKMP (1): ID payload
        next-payload : 0
        type         : 2
        protocol     : 17
        port         : 500
        length       : 16
*Mar 1 01:04:40: ISAKMP (1): Total payload length: 20
*Mar 1 01:04:40: ISAKMP (0:1): beginning Aggressive Mode exchange
*Mar 1 01:04:40: ISAKMP (1): sending packet to 10.0.0.5 (I) AG_INIT_EXCH
*Mar 1 01:04:40: ISAKMP (1): received packet from 10.0.0.5 (I) AG_INIT_EXCH
*Mar 1 01:04:40: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 10.0.0.5
r4#
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:52 GMT-3