Re: ISAKMP host identity

From: Chen Kwong Wai William (kwchen@netvigator.com)
Date: Sat Sep 06 2003 - 00:54:06 GMT-3


Hi,

    Thanks for your reply, but I added the local host to "ip host" and have
the same problem.

    Has anyone here gotten IPsec working with hostname identities? Please
kindly provide me with a working example.

Best Regards,
William

----- Original Message -----
From: "Micah Byers" <mbyers@gt001.gramtel.net>
To: "Chen Kwong Wai William" <kwchen@netvigator.com>;
<ccielab@groupstudy.com>
Sent: Saturday, September 06, 2003 2:05 AM
Subject: RE: ISAKMP host identity

> Chen,
>
> I didn't take the time to lab this up, but I believe you are running
> into problems because your hostnames are not set on both sides. You set the
> alternate hostnames on either side, but you didn't set them up on the local
> side. Try adding the hostnames in for the local peer address as well, so it
> can assign the proper hostname for negotiation. When the ISAKMP identity is
> set to address, the local and remote ISAKMP peer names are obviously known,
> because the addresses must be known to establish the session for
> negotiation, but this is different when it is set to use the hostname.
>
> Micah J. Byers- CCIE #12079
>
> -----Original Message-----
> From: Chen Kwong Wai William [mailto:kwchen@netvigator.com]
> Sent: Thu 9/4/2003 7:40 PM
> To: ccielab@groupstudy.com
> Cc:
> Subject: ISAKMP host identity
>
>
>
> Dear all,
>
> I tried to use the hostname as identity instead of the IP address; however,
> the following configuration does not work. Please help.
>
> RouterA#sh run
> 00:52:52: %SYS-5-CONFIG_I: Configured from console by console
> Building configuration...
>
> Current configuration : 1560 bytes
> !
> version 12.2
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname RouterA
> !
> logging rate-limit console 10 except errors
> !
> ip subnet-zero
> no ip finger
> ip domain-name ip.net
> ip host RouterC.ip.net 192.168.2.3
> !
> no ip dhcp-client network-discovery
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco hostname RouterC.ip.net
> crypto isakmp identity hostname
> !
> !
> crypto ipsec transform-set SET1 esp-des esp-md5-hmac
> mode transport
> !
> crypto map MAP1 10 ipsec-isakmp
> set peer 192.168.2.3
> set transform-set SET1
> match address 101
> !
> !
> !
> !
> interface Loopback0
> ip address 192.168.10.1 255.255.255.0
> ip ospf network point-to-point
> !
> interface Tunnel1
> ip address 172.16.1.1 255.255.255.0
> tunnel source 192.168.1.1
> tunnel destination 192.168.2.3
> crypto map MAP1
> !
> interface Ethernet0
> no ip address
> shutdown
> !
> interface Serial0
> ip address 192.168.1.1 255.255.255.0
> no fair-queue
> crypto map MAP1
> !
> interface Serial1
> no ip address
> shutdown
> !
> interface BRI0
> no ip address
> shutdown
> cdapi buffers regular 0
> cdapi buffers raw 0
> cdapi buffers large 0
> !
> router eigrp 10
> network 172.16.0.0
> auto-summary
> no eigrp log-neighbor-changes
> !
> router ospf 1
> log-adjacency-changes
> network 0.0.0.0 255.255.255.255 area 0
> !
> ip kerberos source-interface any
> ip classless
> ip http server
> !
> access-list 101 permit gre host 192.168.1.1 host 192.168.2.3
> !
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> login
> !
> end
>
> RouterC#sh run
> Building configuration...
>
> Current configuration : 1709 bytes
> !
> version 12.2
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname RouterC
> !
> logging rate-limit console 10 except errors
> !
> ip subnet-zero
> no ip finger
> ip domain-name ip.net
> ip host RouterA.ip.net 192.168.1.1
> !
> no ip dhcp-client network-discovery
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> crypto isakmp key cisco hostname RouterA.ip.net
> crypto isakmp identity hostname
> !
> !
> crypto ipsec transform-set SET1 esp-des esp-md5-hmac
> mode transport
> !
> crypto map MAP1 10 ipsec-isakmp
> set peer 192.168.1.1
> set transform-set SET1
> match address 101
> !
> !
> !
> !
> interface Loopback0
> ip address 192.168.30.3 255.255.255.0
> ip ospf network point-to-point
> !
> interface Tunnel0
> ip address 172.16.1.2 255.255.255.0
> tunnel source 192.168.2.3
> tunnel destination 192.168.1.1
> crypto map MAP1
> !
> interface Tunnel9
> no ip address
> !
> interface Serial0
> ip address 192.168.2.3 255.255.255.0
> no fair-queue
> crypto map MAP1
> !
> interface Serial1
> no ip address
> shutdown
> !
> interface Serial2
> no ip address
> shutdown
> !
> interface Serial3
> no ip address
> shutdown
> !
> interface TokenRing0
> no ip address
> shutdown
> !
> interface BRI0
> no ip address
> shutdown
> isdn x25 static-tei 0
> cdapi buffers regular 0
> cdapi buffers raw 0
> cdapi buffers large 0
> !
> router eigrp 10
> network 172.16.0.0
> auto-summary
> no eigrp log-neighbor-changes
> !
> router ospf 1
> log-adjacency-changes
> network 0.0.0.0 255.255.255.255 area 0
> !
> ip kerberos source-interface any
> ip classless
> ip http server
> !
> access-list 101 permit gre host 192.168.2.3 host 192.168.1.1
> !
> !
> line con 0
> transport input none
> line aux 0
> line vty 0 4
> login
> !
> end
>
> 00:41:47: ISAKMP: received ke message (1/1)
> 00:41:47: ISAKMP: local port 500, remote port 500
> 00:41:47: ISAKMP (0:1): No Cert or pre-shared address key.
> 00:41:47: ISAKMP (0:1): Can not start Main mode
> 00:41:47: ISAKMP: 192.168.2.3 not in host cache
> 00:41:47: ISAKMP (0:1): Can not start aggressive mode.
> 00:41:47: ISAKMP (0:1): purging SA.
> 00:41:47: ISAKMP (0:1): purging node 1237511114
> 00:42:17: ISAKMP: received ke message (3/1)
> 00:42:17: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src
> 192.168.1.1 dst 192.168.2.3 for SPI 0x0
>
> --- William
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>


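The thread turns on whether the `ip host`, `crypto isakmp key ... hostname` and `set peer` statements are consistent once `crypto isakmp identity hostname` is configured. The script below is an added example written for this archive page, not code from either poster or from Cisco; it lints an IOS configuration text for the three conditions discussed (the local FQDN has an `ip host` entry, as Micah suggested; each peer address maps back to a hostname through `ip host`; that hostname has a matching hostname-keyed pre-shared key). The configuration excerpt is constructed from RouterA's posted `show run`, the `parse_config` and `check_hostname_identity` function names are the example's own, and the check describes the configuration text only, not how IOS itself builds its host cache.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of RouterA's configuration from the thread, reduced to
# the statements the check needs. As posted, RouterA has no ip host entry for
# its own name (RouterA.ip.net), which is the gap Micah pointed out.
ROUTER_A_CONFIG = """\
hostname RouterA
ip domain-name ip.net
ip host RouterC.ip.net 192.168.2.3
crypto isakmp key cisco hostname RouterC.ip.net
crypto isakmp identity hostname
crypto map MAP1 10 ipsec-isakmp
 set peer 192.168.2.3
"""

# Same excerpt with the local name added, as William says he tried.
ROUTER_A_WITH_LOCAL_HOST = ROUTER_A_CONFIG + "ip host RouterA.ip.net 192.168.1.1\n"


def parse_config(text: str) -> dict:
    """Pull the ISAKMP-identity-relevant statements out of an IOS config.

    Assumes the 12.2-era syntax shown in the thread
    ('crypto isakmp key <key> address|hostname <peer>'); the first address
    of an 'ip host' line is taken as the name's address.
    """
    cfg: dict = {
        "hostname": None,
        "domain": None,
        "hosts": {},        # name -> address
        "keys": {},         # (id_type, peer) -> key
        "identity": "address",  # IOS default when the command is absent
        "peers": [],        # 'set peer' addresses from crypto maps
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^hostname (\S+)$", line):
            cfg["hostname"] = m.group(1)
        elif m := re.match(r"^ip domain-name (\S+)$", line):
            cfg["domain"] = m.group(1)
        elif m := re.match(r"^ip host (\S+) (\S+)", line):
            cfg["hosts"][m.group(1)] = m.group(2)
        elif m := re.match(r"^crypto isakmp key (\S+) (address|hostname) (\S+)", line):
            cfg["keys"][(m.group(2), m.group(3))] = m.group(1)
        elif m := re.match(r"^crypto isakmp identity (\S+)$", line):
            cfg["identity"] = m.group(1)
        elif m := re.match(r"^set peer (\S+)$", line):
            cfg["peers"].append(m.group(1))
    return cfg


def check_hostname_identity(cfg: dict) -> List[str]:
    """Return human-readable findings; an empty list means the config is
    internally consistent for hostname-based ISAKMP identity."""
    findings: List[str] = []
    if cfg["identity"] != "hostname":
        return findings  # address identity: none of these checks apply

    # 1. The router's own FQDN should resolve locally (Micah's suggestion).
    local_fqdn = cfg["hostname"]
    if cfg["domain"]:
        local_fqdn = f"{cfg['hostname']}.{cfg['domain']}"
    if local_fqdn not in cfg["hosts"]:
        findings.append(f"local name {local_fqdn} has no 'ip host' entry")

    # 2./3. Every peer address must map back to a name, and that name must
    # have a hostname-keyed pre-shared key.
    addr_to_name: Dict[str, str] = {ip: name for name, ip in cfg["hosts"].items()}
    for peer in cfg["peers"]:
        name = addr_to_name.get(peer)
        if name is None:
            findings.append(f"peer {peer} has no 'ip host' entry mapping it to a hostname")
            continue
        if ("hostname", name) not in cfg["keys"]:
            findings.append(f"no 'crypto isakmp key ... hostname {name}' for peer {peer}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", ROUTER_A_CONFIG),
                        ("with local ip host", ROUTER_A_WITH_LOCAL_HOST)):
        result = check_hostname_identity(parse_config(text))
        print(f"RouterA {label}: {result or 'no findings'}")
```

Run against the posted excerpt it reports only the missing local `ip host` entry; with that line added it reports nothing, which matches William's follow-up that the mapping alone did not change the debug output: a clean lint says the statements agree with each other, not that the peers will negotiate.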

This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:24 GMT-3