Re: ISAKMP host identity

From: Kurt Kruegel (kurt@cybernex.net)
Date: Sat Sep 06 2003 - 00:57:58 GMT-3


Try generating a new RSA key.
The key is generated based on the FQDN...

----- Original Message -----
From: "Chen Kwong Wai William" <kwchen@netvigator.com>
To: "Micah Byers" <mbyers@gt001.gramtel.net>
Cc: <ccielab@groupstudy.com>
Sent: Friday, September 05, 2003 11:54 PM
Subject: Re: ISAKMP host identity

> Hi,
>
> Thanks for your reply, but I added the local host to "ip host", but same
> problem.
>
> Anyone here who has tried working IPSEC with hostname, please kindly provide
> me a working example.
>
> Best Regards,
> William
>
> ----- Original Message -----
> From: "Micah Byers" <mbyers@gt001.gramtel.net>
> To: "Chen Kwong Wai William" <kwchen@netvigator.com>;
> <ccielab@groupstudy.com>
> Sent: Saturday, September 06, 2003 2:05 AM
> Subject: RE: ISAKMP host identity
>
>
> > Chen,
> >
> > I didn't take the time to lab this up but I believe you are running
> > into problems because your hostnames are not set on both sides. You set the
> > alternate hostnames on either side but you didn't set it up on the local
> > side. Try adding the hostnames in for the local peer address as well so it
> > can assign the proper hostname for negotiation. When the ISAKMP identity is
> > set to address the local and remote ISAKMP peer names are obviously known
> > because the addresses must be known to establish the session for
> > negotiation, but this is different when it is set to use the hostname.
> >
> > Micah J. Byers- CCIE #12079
> >
> > -----Original Message-----
> > From: Chen Kwong Wai William [mailto:kwchen@netvigator.com]
> > Sent: Thu 9/4/2003 7:40 PM
> > To: ccielab@groupstudy.com
> > Cc:
> > Subject: ISAKMP host identity
> >
> >
> >
> > Dear all,
> >
> > I tried to use hostname as identity instead of IP address; however, the
> > following configuration does not work, please help.
> >
> > RouterA#sh run
> > 00:52:52: %SYS-5-CONFIG_I: Configured from console by console
> > Building configuration...
> >
> > Current configuration : 1560 bytes
> > !
> > version 12.2
> > no service single-slot-reload-enable
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname RouterA
> > !
> > logging rate-limit console 10 except errors
> > !
> > ip subnet-zero
> > no ip finger
> > ip domain-name ip.net
> > ip host RouterC.ip.net 192.168.2.3
> > !
> > no ip dhcp-client network-discovery
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > crypto isakmp key cisco hostname RouterC.ip.net
> > crypto isakmp identity hostname
> > !
> > !
> > crypto ipsec transform-set SET1 esp-des esp-md5-hmac
> > mode transport
> > !
> > crypto map MAP1 10 ipsec-isakmp
> > set peer 192.168.2.3
> > set transform-set SET1
> > match address 101
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 192.168.10.1 255.255.255.0
> > ip ospf network point-to-point
> > !
> > interface Tunnel1
> > ip address 172.16.1.1 255.255.255.0
> > tunnel source 192.168.1.1
> > tunnel destination 192.168.2.3
> > crypto map MAP1
> > !
> > interface Ethernet0
> > no ip address
> > shutdown
> > !
> > interface Serial0
> > ip address 192.168.1.1 255.255.255.0
> > no fair-queue
> > crypto map MAP1
> > !
> > interface Serial1
> > no ip address
> > shutdown
> > !
> > interface BRI0
> > no ip address
> > shutdown
> > cdapi buffers regular 0
> > cdapi buffers raw 0
> > cdapi buffers large 0
> > !
> > router eigrp 10
> > network 172.16.0.0
> > auto-summary
> > no eigrp log-neighbor-changes
> > !
> > router ospf 1
> > log-adjacency-changes
> > network 0.0.0.0 255.255.255.255 area 0
> > !
> > ip kerberos source-interface any
> > ip classless
> > ip http server
> > !
> > access-list 101 permit gre host 192.168.1.1 host 192.168.2.3
> > !
> > !
> > line con 0
> > transport input none
> > line aux 0
> > line vty 0 4
> > login
> > !
> > end
> >
> > RouterC#sh run
> > Building configuration...
> >
> > Current configuration : 1709 bytes
> > !
> > version 12.2
> > no service single-slot-reload-enable
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname RouterC
> > !
> > logging rate-limit console 10 except errors
> > !
> > ip subnet-zero
> > no ip finger
> > ip domain-name ip.net
> > ip host RouterA.ip.net 192.168.1.1
> > !
> > no ip dhcp-client network-discovery
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > crypto isakmp key cisco hostname RouterA.ip.net
> > crypto isakmp identity hostname
> > !
> > !
> > crypto ipsec transform-set SET1 esp-des esp-md5-hmac
> > mode transport
> > !
> > crypto map MAP1 10 ipsec-isakmp
> > set peer 192.168.1.1
> > set transform-set SET1
> > match address 101
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 192.168.30.3 255.255.255.0
> > ip ospf network point-to-point
> > !
> > interface Tunnel0
> > ip address 172.16.1.2 255.255.255.0
> > tunnel source 192.168.2.3
> > tunnel destination 192.168.1.1
> > crypto map MAP1
> > !
> > interface Tunnel9
> > no ip address
> > !
> > interface Serial0
> > ip address 192.168.2.3 255.255.255.0
> > no fair-queue
> > crypto map MAP1
> > !
> > interface Serial1
> > no ip address
> > shutdown
> > !
> > interface Serial2
> > no ip address
> > shutdown
> > !
> > interface Serial3
> > no ip address
> > shutdown
> > !
> > interface TokenRing0
> > no ip address
> > shutdown
> > !
> > interface BRI0
> > no ip address
> > shutdown
> > isdn x25 static-tei 0
> > cdapi buffers regular 0
> > cdapi buffers raw 0
> > cdapi buffers large 0
> > !
> > router eigrp 10
> > network 172.16.0.0
> > auto-summary
> > no eigrp log-neighbor-changes
> > !
> > router ospf 1
> > log-adjacency-changes
> > network 0.0.0.0 255.255.255.255 area 0
> > !
> > ip kerberos source-interface any
> > ip classless
> > ip http server
> > !
> > access-list 101 permit gre host 192.168.2.3 host 192.168.1.1
> > !
> > !
> > line con 0
> > transport input none
> > line aux 0
> > line vty 0 4
> > login
> > !
> > end
> >
> > 00:41:47: ISAKMP: received ke message (1/1)
> > 00:41:47: ISAKMP: local port 500, remote port 500
> > 00:41:47: ISAKMP (0:1): No Cert or pre-shared address key.
> > 00:41:47: ISAKMP (0:1): Can not start Main mode
> > 00:41:47: ISAKMP: 192.168.2.3 not in host cache
> > 00:41:47: ISAKMP (0:1): Can not start aggressive mode.
> > 00:41:47: ISAKMP (0:1): purging SA.
> > 00:41:47: ISAKMP (0:1): purging node 1237511114
> > 00:42:17: ISAKMP: received ke message (3/1)
> > 00:42:17: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.1.1 dst 192.168.2.3 for SPI 0x0
> >
> > --- William
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
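A worked check for the two things this thread turns on: Micah's point that with "crypto isakmp identity hostname" the names have to line up and be resolvable on both routers, and what the debug output itself says (main mode wants an address-bound pre-shared key or a certificate; aggressive mode wants the peer IP resolved to a name in the host cache). This is an added example, not code from any poster in the thread. It assumes that a router sends its FQDN (hostname plus "ip domain-name") as its ISAKMP ID, so the peer's pre-shared key must be bound to exactly that FQDN, and that with no DNS configured the only reverse mapping from peer IP to name is the "ip host" table. The sample inputs are the ISAKMP-relevant lines of RouterA's and RouterC's configs and the debug lines posted above, plus one constructed defective variant (key bound to the short hostname instead of the FQDN) to show what a finding looks like; the hint text in DEBUG_HINTS is this example's own wording, not IOS output.

```python
"""Static consistency check for a pair of IOS configs that use
'crypto isakmp identity hostname' with pre-shared keys, plus a small
classifier for the ISAKMP debug lines quoted in the thread.

Assumptions (this example's, not stated on the page): the peer's ISAKMP ID
is hostname + ip domain-name, and with no DNS the 'ip host' table is the
only way the local router can map the peer IP back to that name.
"""
import re
from dataclasses import dataclass, field

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


@dataclass
class IsakmpView:
    hostname: str = ""
    domain: str = ""
    identity: str = "address"                  # IOS default when not configured
    keys: dict = field(default_factory=dict)   # (kind, value) -> pre-shared key
    hosts: dict = field(default_factory=dict)  # name -> ip, from 'ip host'
    peers: list = field(default_factory=list)  # 'set peer' addresses

    @property
    def fqdn(self) -> str:
        return f"{self.hostname}.{self.domain}" if self.domain else self.hostname


def parse_config(text: str) -> IsakmpView:
    """Pull the ISAKMP-relevant lines out of a 'show run' dump; '>' quote
    markers from a mail archive are tolerated."""
    v = IsakmpView()
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if m := re.fullmatch(r"hostname (\S+)", line):
            v.hostname = m[1]
        elif m := re.fullmatch(r"ip domain-name (\S+)", line):
            v.domain = m[1]
        elif m := re.fullmatch(rf"ip host (\S+) {IPV4}", line):
            v.hosts[m[1]] = m[2]
        elif m := re.fullmatch(r"crypto isakmp identity (address|hostname)", line):
            v.identity = m[1]
        elif m := re.fullmatch(r"crypto isakmp key (\S+) (address|hostname) (\S+).*", line):
            v.keys[(m[2], m[3])] = m[1]
        elif m := re.fullmatch(rf"set peer {IPV4}", line):
            v.peers.append(m[1])
    return v


def check_pair(a: IsakmpView, b: IsakmpView) -> list:
    """Findings for the a -> b direction; run both ways for the full picture."""
    out = []
    if a.identity != b.identity:
        out.append(f"{a.hostname}: identity {a.identity} but {b.hostname} uses {b.identity}")
    for peer_ip in a.peers:
        if a.identity == "address":
            if ("address", peer_ip) not in a.keys:
                out.append(f"{a.hostname}: no pre-shared key for address {peer_ip}")
            continue
        # hostname identity: the key must be bound to the exact name b sends as ID ...
        key = a.keys.get(("hostname", b.fqdn))
        if key is None:
            out.append(f"{a.hostname}: no pre-shared key bound to hostname {b.fqdn}")
        elif key != b.keys.get(("hostname", a.fqdn)):
            out.append(f"{a.hostname}: key for {b.fqdn} differs from {b.hostname}'s key for {a.fqdn}")
        # ... and the peer IP must map back to that name without DNS
        names = [n for n, ip in a.hosts.items() if ip == peer_ip]
        if b.fqdn not in names:
            out.append(f"{a.hostname}: 'ip host {b.fqdn} {peer_ip}' missing (have {names or 'none'})")
    return out


# Hints are this example's own wording for the debug lines seen in the thread.
DEBUG_HINTS = [
    (r"No Cert or pre-shared address key", "main mode needs an address-bound PSK or a certificate"),
    (r"\S+ not in host cache", "aggressive mode needs the peer IP resolved to a name ('ip host' or DNS)"),
    (r"Can not start aggressive mode", "neither mode could start: failure is local, before any packet was sent"),
]


def explain_debug(lines) -> list:
    hits = []
    for line in lines:
        for pat, hint in DEBUG_HINTS:
            if re.search(pat, line):
                hits.append(hint)
                break
    return hits


# Relevant lines of the two configs posted in the thread.
ROUTER_A = """\
hostname RouterA
ip domain-name ip.net
ip host RouterC.ip.net 192.168.2.3
crypto isakmp key cisco hostname RouterC.ip.net
crypto isakmp identity hostname
crypto map MAP1 10 ipsec-isakmp
 set peer 192.168.2.3
"""
ROUTER_C = """\
hostname RouterC
ip domain-name ip.net
ip host RouterA.ip.net 192.168.1.1
crypto isakmp key cisco hostname RouterA.ip.net
crypto isakmp identity hostname
crypto map MAP1 10 ipsec-isakmp
 set peer 192.168.1.1
"""
# Constructed defect: key bound to the short name, not the FQDN the peer sends.
ROUTER_C_BAD = ROUTER_C.replace("hostname RouterA.ip.net", "hostname RouterA")
DEBUG_FROM_THREAD = [
    "00:41:47: ISAKMP (0:1): No Cert or pre-shared address key.",
    "00:41:47: ISAKMP (0:1): Can not start Main mode",
    "00:41:47: ISAKMP: 192.168.2.3 not in host cache",
    "00:41:47: ISAKMP (0:1): Can not start aggressive mode.",
]


def run_demo() -> dict:
    a, c = parse_config(ROUTER_A), parse_config(ROUTER_C)
    return {
        "thread_configs": check_pair(a, c) + check_pair(c, a),
        "short_name_key": check_pair(parse_config(ROUTER_C_BAD), a),
        "debug": explain_debug(DEBUG_FROM_THREAD),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, "->", result or "no findings")
```

Run against the thread's own configs the static check comes back clean, which is the useful negative result: the names, domain, keys and "ip host" entries already agree, so the "not in host cache" line in the debug is pointing at something the running config alone does not show (the resolver state on the box), and that is where to look next rather than at the key bindings. The constructed short-name variant shows the kind of mismatch the check does catch.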



This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:24 GMT-3