From: Micah Byers (mbyers@gt001.gramtel.net)
Date: Fri Sep 05 2003 - 15:05:47 GMT-3
Chen,
I didn't take the time to lab this up, but I believe you are running into problems because your hostnames are not set on both sides. You set the alternate hostnames on either side, but you didn't set it up on the local side. Try adding the hostnames in for the local peer address as well so it can assign the proper hostname for negotiation. When the ISAKMP identity is set to address, the local and remote ISAKMP peer name is obviously known because the addresses must be known to establish the session for negotiation, but this is different when it is set to use the hostname.
Micah J. Byers - CCIE #12079
-----Original Message-----
From: Chen Kwong Wai William [mailto:kwchen@netvigator.com]
Sent: Thu 9/4/2003 7:40 PM
To: ccielab@groupstudy.com
Cc:
Subject: ISAKMP host identity
Dear all,
I tried to use the hostname as the identity instead of the IP address; however, the
following configuration does not work, please help.
RouterA#sh run
00:52:52: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...
Current configuration : 1560 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterA
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
ip domain-name ip.net
ip host RouterC.ip.net 192.168.2.3
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco hostname RouterC.ip.net
crypto isakmp identity hostname
!
!
crypto ipsec transform-set SET1 esp-des esp-md5-hmac
mode transport
!
crypto map MAP1 10 ipsec-isakmp
set peer 192.168.2.3
set transform-set SET1
match address 101
!
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
tunnel source 192.168.1.1
tunnel destination 192.168.2.3
crypto map MAP1
!
interface Ethernet0
no ip address
shutdown
!
interface Serial0
ip address 192.168.1.1 255.255.255.0
no fair-queue
crypto map MAP1
!
interface Serial1
no ip address
shutdown
!
interface BRI0
no ip address
shutdown
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
router eigrp 10
network 172.16.0.0
auto-summary
no eigrp log-neighbor-changes
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip kerberos source-interface any
ip classless
ip http server
!
access-list 101 permit gre host 192.168.1.1 host 192.168.2.3
!
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end

RouterC#sh run
Building configuration...
Current configuration : 1709 bytes
!
version 12.2
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterC
!
logging rate-limit console 10 except errors
!
ip subnet-zero
no ip finger
ip domain-name ip.net
ip host RouterA.ip.net 192.168.1.1
!
no ip dhcp-client network-discovery
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco hostname RouterA.ip.net
crypto isakmp identity hostname
!
!
crypto ipsec transform-set SET1 esp-des esp-md5-hmac
mode transport
!
crypto map MAP1 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set SET1
match address 101
!
!
!
!
interface Loopback0
ip address 192.168.30.3 255.255.255.0
ip ospf network point-to-point
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 192.168.2.3
tunnel destination 192.168.1.1
crypto map MAP1
!
interface Tunnel9
no ip address
!
interface Serial0
ip address 192.168.2.3 255.255.255.0
no fair-queue
crypto map MAP1
!
interface Serial1
no ip address
shutdown
!
interface Serial2
no ip address
shutdown
!
interface Serial3
no ip address
shutdown
!
interface TokenRing0
no ip address
shutdown
!
interface BRI0
no ip address
shutdown
isdn x25 static-tei 0
cdapi buffers regular 0
cdapi buffers raw 0
cdapi buffers large 0
!
router eigrp 10
network 172.16.0.0
auto-summary
no eigrp log-neighbor-changes
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
!
ip kerberos source-interface any
ip classless
ip http server
!
access-list 101 permit gre host 192.168.2.3 host 192.168.1.1
!
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
00:41:47: ISAKMP: received ke message (1/1)
00:41:47: ISAKMP: local port 500, remote port 500
00:41:47: ISAKMP (0:1): No Cert or pre-shared address key.
00:41:47: ISAKMP (0:1): Can not start Main mode
00:41:47: ISAKMP: 192.168.2.3 not in host cache
00:41:47: ISAKMP (0:1): Can not start aggressive mode.
00:41:47: ISAKMP (0:1): purging SA.
00:41:47: ISAKMP (0:1): purging node 1237511114
00:42:17: ISAKMP: received ke message (3/1)
00:42:17: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.1.1 dst 192.168.2.3 for SPI 0x0
--- William
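As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python lint that encodes Micah's suggestion: with 'crypto isakmp identity hostname', it checks that the router's own FQDN and every crypto-map peer address have an 'ip host' entry and that each peer's pre-shared key is hostname-keyed. The config excerpt is constructed from RouterA's posted running-config, reduced to the lines the check needs; the "fixed" variant assumes the local entry Micah proposes.

```python
import re

# Constructed excerpt of RouterA's running-config from the post, reduced to the
# lines that matter for ISAKMP hostname identity (only 'set peer' is kept from the crypto map).
ROUTER_A = """\
hostname RouterA
ip domain-name ip.net
ip host RouterC.ip.net 192.168.2.3
crypto isakmp key cisco hostname RouterC.ip.net
crypto isakmp identity hostname
 set peer 192.168.2.3
"""
# The same config with the local 'ip host' entry Micah suggests (assumed fix).
ROUTER_A_FIXED = ROUTER_A + "ip host RouterA.ip.net 192.168.1.1\n"

def parse(cfg):
    # Collect only the fields the hostname-identity check needs.
    d = {"hosts": {}, "keys": {}, "peers": set(), "identity": "address"}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"hostname (\S+)$", line):
            d["name"] = m.group(1)
        elif m := re.match(r"ip domain-name (\S+)$", line):
            d["domain"] = m.group(1)
        elif m := re.match(r"ip host (\S+) (\S+)$", line):
            d["hosts"][m.group(1)] = m.group(2)       # name -> address
        elif m := re.match(r"crypto isakmp key \S+ (address|hostname) (\S+)$", line):
            d["keys"][m.group(2)] = m.group(1)        # peer id -> key type
        elif m := re.match(r"crypto isakmp identity (\S+)$", line):
            d["identity"] = m.group(1)
        elif m := re.match(r"set peer (\S+)$", line):
            d["peers"].add(m.group(1))
    return d

def check(cfg):
    # Findings that would stop a hostname-identity peer from locating its pre-shared key.
    d = parse(cfg)
    if d["identity"] != "hostname":
        return []                      # address identity: keys are looked up by IP
    findings = []
    fqdn = f"{d['name']}.{d['domain']}"
    if fqdn not in d["hosts"]:
        findings.append(f"local FQDN {fqdn} has no 'ip host' entry")
    addr_to_name = {a: n for n, a in d["hosts"].items()}
    for peer in sorted(d["peers"]):
        name = addr_to_name.get(peer)
        if name is None:
            findings.append(f"peer {peer} has no 'ip host' mapping to a hostname")
        elif d["keys"].get(name) != "hostname":
            findings.append(f"no hostname-keyed pre-shared key for {name}")
    return findings
```

Run check() over both routers' configs; RouterC's posted config has the mirror-image gap (no 'ip host RouterC.ip.net' entry on RouterC itself).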
_______________________________________________________________________
You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
Subscription information may be found at:
http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:23 GMT-3