From: Chen Kwong Wai William (kwchen@netvigator.com)
Date: Sat Sep 06 2003 - 13:13:26 GMT-3
However, my configuration uses a pre-shared key.
-- William
----- Original Message -----
From: "Kurt Kruegel" <kurt@cybernex.net>
To: "Chen Kwong Wai William" <kwchen@netvigator.com>; "Micah Byers"
<mbyers@gt001.gramtel.net>
Cc: <ccielab@groupstudy.com>
Sent: Saturday, September 06, 2003 11:57 AM
Subject: Re: ISAKMP host identity
> Try generating a new RSA key.
> The key is generated based on the FQDN ......
>
> ----- Original Message -----
> From: "Chen Kwong Wai William" <kwchen@netvigator.com>
> To: "Micah Byers" <mbyers@gt001.gramtel.net>
> Cc: <ccielab@groupstudy.com>
> Sent: Friday, September 05, 2003 11:54 PM
> Subject: Re: ISAKMP host identity
>
>
> > Hi,
> >
> > Thanks for your reply, but I added the local host to "ip host", and the
> > problem is the same.
> >
> > Has anyone here tried getting IPsec working with hostnames? Please kindly
> > provide me a working example.
> >
> > Best Regards,
> > William
> >
> > ----- Original Message -----
> > From: "Micah Byers" <mbyers@gt001.gramtel.net>
> > To: "Chen Kwong Wai William" <kwchen@netvigator.com>;
> > <ccielab@groupstudy.com>
> > Sent: Saturday, September 06, 2003 2:05 AM
> > Subject: RE: ISAKMP host identity
> >
> >
> > > Chen,
> > >
> > > I didn't take the time to lab this up, but I believe you are running
> > > into problems because your hostnames are not set on both sides. You set
> > > the alternate hostnames on either side, but you didn't set it up on the
> > > local side. Try adding the hostnames in for the local peer address as
> > > well so it can assign the proper hostname for negotiation. When the
> > > ISAKMP identity is set to address, the local and remote ISAKMP peer
> > > names are obviously known because the addresses must be known to
> > > establish the session for negotiation, but this is different when it is
> > > set to use the hostname.
> > >
> > > Micah J. Byers- CCIE #12079
> > >
> > > -----Original Message-----
> > > From: Chen Kwong Wai William [mailto:kwchen@netvigator.com]
> > > Sent: Thu 9/4/2003 7:40 PM
> > > To: ccielab@groupstudy.com
> > > Cc:
> > > Subject: ISAKMP host identity
> > >
> > >
> > >
> > > Dear all,
> > >
> > > I tried to use the hostname as the identity instead of the IP address;
> > > however, the following configuration does not work. Please help.
> > >
> > > RouterA#sh run
> > > 00:52:52: %SYS-5-CONFIG_I: Configured from console by console
> > > Building configuration...
> > >
> > > Current configuration : 1560 bytes
> > > !
> > > version 12.2
> > > no service single-slot-reload-enable
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname RouterA
> > > !
> > > logging rate-limit console 10 except errors
> > > !
> > > ip subnet-zero
> > > no ip finger
> > > ip domain-name ip.net
> > > ip host RouterC.ip.net 192.168.2.3
> > > !
> > > no ip dhcp-client network-discovery
> > > !
> > > crypto isakmp policy 10
> > > hash md5
> > > authentication pre-share
> > > crypto isakmp key cisco hostname RouterC.ip.net
> > > crypto isakmp identity hostname
> > > !
> > > !
> > > crypto ipsec transform-set SET1 esp-des esp-md5-hmac
> > > mode transport
> > > !
> > > crypto map MAP1 10 ipsec-isakmp
> > > set peer 192.168.2.3
> > > set transform-set SET1
> > > match address 101
> > > !
> > > !
> > > !
> > > !
> > > interface Loopback0
> > > ip address 192.168.10.1 255.255.255.0
> > > ip ospf network point-to-point
> > > !
> > > interface Tunnel1
> > > ip address 172.16.1.1 255.255.255.0
> > > tunnel source 192.168.1.1
> > > tunnel destination 192.168.2.3
> > > crypto map MAP1
> > > !
> > > interface Ethernet0
> > > no ip address
> > > shutdown
> > > !
> > > interface Serial0
> > > ip address 192.168.1.1 255.255.255.0
> > > no fair-queue
> > > crypto map MAP1
> > > !
> > > interface Serial1
> > > no ip address
> > > shutdown
> > > !
> > > interface BRI0
> > > no ip address
> > > shutdown
> > > cdapi buffers regular 0
> > > cdapi buffers raw 0
> > > cdapi buffers large 0
> > > !
> > > router eigrp 10
> > > network 172.16.0.0
> > > auto-summary
> > > no eigrp log-neighbor-changes
> > > !
> > > router ospf 1
> > > log-adjacency-changes
> > > network 0.0.0.0 255.255.255.255 area 0
> > > !
> > > ip kerberos source-interface any
> > > ip classless
> > > ip http server
> > > !
> > > access-list 101 permit gre host 192.168.1.1 host 192.168.2.3
> > > !
> > > !
> > > line con 0
> > > transport input none
> > > line aux 0
> > > line vty 0 4
> > > login
> > > !
> > > end
> > >
> > > RouterC#sh run
> > > Building configuration...
> > >
> > > Current configuration : 1709 bytes
> > > !
> > > version 12.2
> > > no service single-slot-reload-enable
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname RouterC
> > > !
> > > logging rate-limit console 10 except errors
> > > !
> > > ip subnet-zero
> > > no ip finger
> > > ip domain-name ip.net
> > > ip host RouterA.ip.net 192.168.1.1
> > > !
> > > no ip dhcp-client network-discovery
> > > !
> > > crypto isakmp policy 10
> > > hash md5
> > > authentication pre-share
> > > crypto isakmp key cisco hostname RouterA.ip.net
> > > crypto isakmp identity hostname
> > > !
> > > !
> > > crypto ipsec transform-set SET1 esp-des esp-md5-hmac
> > > mode transport
> > > !
> > > crypto map MAP1 10 ipsec-isakmp
> > > set peer 192.168.1.1
> > > set transform-set SET1
> > > match address 101
> > > !
> > > !
> > > !
> > > !
> > > interface Loopback0
> > > ip address 192.168.30.3 255.255.255.0
> > > ip ospf network point-to-point
> > > !
> > > interface Tunnel0
> > > ip address 172.16.1.2 255.255.255.0
> > > tunnel source 192.168.2.3
> > > tunnel destination 192.168.1.1
> > > crypto map MAP1
> > > !
> > > interface Tunnel9
> > > no ip address
> > > !
> > > interface Serial0
> > > ip address 192.168.2.3 255.255.255.0
> > > no fair-queue
> > > crypto map MAP1
> > > !
> > > interface Serial1
> > > no ip address
> > > shutdown
> > > !
> > > interface Serial2
> > > no ip address
> > > shutdown
> > > !
> > > interface Serial3
> > > no ip address
> > > shutdown
> > > !
> > > interface TokenRing0
> > > no ip address
> > > shutdown
> > > !
> > > interface BRI0
> > > no ip address
> > > shutdown
> > > isdn x25 static-tei 0
> > > cdapi buffers regular 0
> > > cdapi buffers raw 0
> > > cdapi buffers large 0
> > > !
> > > router eigrp 10
> > > network 172.16.0.0
> > > auto-summary
> > > no eigrp log-neighbor-changes
> > > !
> > > router ospf 1
> > > log-adjacency-changes
> > > network 0.0.0.0 255.255.255.255 area 0
> > > !
> > > ip kerberos source-interface any
> > > ip classless
> > > ip http server
> > > !
> > > access-list 101 permit gre host 192.168.2.3 host 192.168.1.1
> > > !
> > > !
> > > line con 0
> > > transport input none
> > > line aux 0
> > > line vty 0 4
> > > login
> > > !
> > > end
> > >
> > > 00:41:47: ISAKMP: received ke message (1/1)
> > > 00:41:47: ISAKMP: local port 500, remote port 500
> > > 00:41:47: ISAKMP (0:1): No Cert or pre-shared address key.
> > > 00:41:47: ISAKMP (0:1): Can not start Main mode
> > > 00:41:47: ISAKMP: 192.168.2.3 not in host cache
> > > 00:41:47: ISAKMP (0:1): Can not start aggressive mode.
> > > 00:41:47: ISAKMP (0:1): purging SA.
> > > 00:41:47: ISAKMP (0:1): purging node 1237511114
> > > 00:42:17: ISAKMP: received ke message (3/1)
> > > 00:42:17: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.1.1 dst 192.168.2.3 for SPI 0x0
> > >
> > > --- William
> > >
> > >
> > >
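The debug lines William posted name two key lookups that failed: the address-keyed pre-shared key that main mode needs ("No Cert or pre-shared address key"), and the host-cache entry aggressive mode needs for a hostname-keyed key ("not in host cache"). The checker below is added here and is not from the thread: it parses a constructed excerpt of RouterA's config and reports, per crypto-map peer, which of those lookups the configuration can satisfy. Function names and the report layout are my own.

```python
import re

# Constructed excerpt of RouterA's config from the thread, reduced to the
# statements this check reads (a sample, not a full running-config).
ROUTER_A_CONFIG = """\
hostname RouterA
ip domain-name ip.net
ip host RouterC.ip.net 192.168.2.3
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco hostname RouterC.ip.net
crypto isakmp identity hostname
crypto map MAP1 10 ipsec-isakmp
 set peer 192.168.2.3
"""

def parse_isakmp_config(text):
    """Collect the statements that decide how IKE phase 1 finds a pre-shared key."""
    cfg = {"identity": "address", "psk_hostname": set(), "psk_address": set(),
           "peer": set(), "ip_host": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp identity (\S+)", line):
            cfg["identity"] = m.group(1)          # IOS default is "address"
        elif m := re.match(r"crypto isakmp key \S+ (hostname|address) (\S+)", line):
            cfg["psk_" + m.group(1)].add(m.group(2))
        elif m := re.match(r"set peer (\S+)", line):
            cfg["peer"].add(m.group(1))
        elif m := re.match(r"ip host (\S+) (\S+)", line):
            cfg["ip_host"][m.group(1)] = m.group(2)
    return cfg

def psk_lookup_report(cfg):
    """Per crypto-map peer: which pre-shared key lookups the config allows.
    Main mode exchanges identities only after the DH exchange, so the key is
    looked up by the peer's address; a hostname-keyed key serves aggressive
    mode only, and only when that name resolves to the peer's address."""
    report = {}
    for peer in sorted(cfg["peer"]):
        names = sorted(h for h, ip in cfg["ip_host"].items()
                       if ip == peer and h in cfg["psk_hostname"])
        report[peer] = {"identity": cfg["identity"],
                        "address_key": peer in cfg["psk_address"],   # main mode
                        "hostname_keys": names}                      # aggressive mode
    return report

if __name__ == "__main__":
    for peer, r in psk_lookup_report(parse_isakmp_config(ROUTER_A_CONFIG)).items():
        print(peer, r)
```

Run against the excerpt, the report shows no address-keyed key for 192.168.2.3, which is the lookup the "Can not start Main mode" line says failed.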
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:24 GMT-3