Imran,
I see your point...
These 2 are different things: either using group for isakmp auth or the
traditional method (with the 0.0.0.0 keyword).
It looks like if you don't want to use key+IP then you can just get on
with the group key <XXXX> option.
So in a nutshell, we still have 2 options. Your original question was what
is the difference between using
crypto isakmp key cisco123 address x.x.x.x
vs
crypto isakmp client configuration group cisco1 > key cisco
Answer:
The first option authenticates key+IP address, or with 0.0.0.0 just the IP
address, and the second option only the key.
Looks like it may have been added later for isakmp modular configuration.
FROG(config)#
FROG(config)#crypto isakmp policy 1
FROG(config-isakmp)#hash md5
FROG(config-isakmp)#authentication pre-share
FROG(config-isakmp)#crypto isakmp key cisco123 address 99.99.99.1
FROG(config)#crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
FROG(config)#crypto isakmp client configuration address-pool local RTP-POOL
FROG(config)#!
FROG(config)#crypto ipsec transform-set rtpset esp-des esp-md5-hmac
FROG(cfg-crypto-trans)#!
FROG(cfg-crypto-trans)#
FROG(cfg-crypto-trans)#exit
FROG(config)#
FROG(config)#
FROG(config)#do sh ver | in 12.4
Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version
12.4(15)T5, RELEASE SOFTWARE (fc4)
ROM: 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T5, RELEASE
SOFTWARE (fc4)
FROG(config)#
FROG(config)#do sh run | in ipsec
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
FROG(config)#
FROG(config)#do sh run | in crypto
crypto isakmp policy 1
crypto isakmp key cisco123 address 99.99.99.1
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local RTP-POOL
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
FROG(config)#
FROG(config)#
FROG(config)#
On Mon, Feb 7, 2011 at 11:32 PM, imran ali <immrccie_at_gmail.com> wrote:
> Thanks for reply
>
> What I was asking was: in a traditional ezvpn config we don't issue this
> command
>
> crypto isakmp key 0 cisco address 0.0.0.0 0.0.0.0
>
> as now isakmp authentication is handled by the group configuration, i.e.
>
> *crypto isakmp client configuration group cisco*
>  key cisco
>
> I have tested DVTI and it works without the "crypto isakmp key" command.
>
> I guess the command is there in the doc by mistake.
>
>
>
> On Mon, Feb 7, 2011 at 3:20 PM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
>
>>
>> Imran,
>>
>> There are 2 types of authentication in DVTI:
>> a) Pre-shared
>> b) Certificates.
>>
>> Your example is using a pre-shared key.
>> Typically, for pre-shared key authentication to work, a common key is
>> defined on each router (server & client). The key definition binds the key
>> to the remote peer's ISAKMP identity. The ISAKMP identity should be unique
>> for each site that connects to the central/hub site (kind of a best practice).
>>
>>
>> The syntax for a remote vpn client to authenticate is:
>> crypto isakmp key <key string> <ip address>
>>
>> In your example, let's look closely at what you've got:
>>
>> "crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0"
>>
>> Hint: you're using DVTI not SVTI. In DVTI you know what the connecting
>> party's IP address is. If you don't know the address (because it's dynamic,
>> like a client using an ISP with a dynamic IP address), you are basically
>> ignoring the IP address field by just putting 0.0.0.0 and only
>> authenticating the ISAKMP phase with the "key string".
>>
>> In other words, 0.0.0.0 simply means that you are only authenticating the
>> "key string" and not key string+IP address.
>>
>>
>> HTH
>>
>>
>> On Mon, Feb 7, 2011 at 8:27 PM, imran ali <immrccie_at_gmail.com> wrote:
>>
>>> Hi group,
>>>
>>> Referring to the doc link
>>>
>>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html
>>>
>>> I don't understand why the "crypto isakmp key 0 cisco123 address 0.0.0.0
>>> 0.0.0.0" command is used. In a traditional ezvpn scenario
>>>
>>> we just need group authentication and xauth authentication.
>>>
>>> Any suggestions?
>>>
>>> Here is the config:
>>>
>>>
>>>
>>> hostname c3725-21
>>>  !
>>>  aaa new-model
>>>  !
>>>  aaa authentication login default local
>>>  aaa authorization network default local
>>>  !
>>>  aaa session-id common
>>>  !
>>>  resource policy
>>>  !
>>>  ip subnet-zero
>>>  ip cef
>>>  !
>>>  !
>>>  username cisco privilege 15 password 0 cisco
>>>  !
>>>  policy-map FOO
>>>  class class-default
>>>   shape average 1280000
>>>  !
>>>  !
>>>  crypto isakmp policy 1
>>>  encr 3des
>>>  authentication pre-share
>>>  group 2
>>>  *crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0*
>>>  crypto isakmp keepalive 10
>>>  !
>>>  *crypto isakmp client configuration group cisco*
>>>  key cisco
>>>  dns 6.0.0.2
>>>  wins 7.0.0.1
>>>  domain cisco.com
>>>  pool dpool
>>>  acl 101
>>>  crypto isakmp profile vi
>>>    match identity group cisco
>>>    isakmp authorization list default
>>>    client configuration address respond
>>>    virtual-template 1
>>>  !
>>>  !
>>>  crypto ipsec transform-set set esp-3des esp-sha-hmac
>>>  !
>>>  crypto ipsec profile vi
>>>  set transform-set set
>>>  set isakmp-profile vi
>>>  !
>>>  interface FastEthernet0/0
>>>  ip address 10.0.149.221 255.255.255.0
>>>  duplex auto
>>>  speed auto
>>>  !
>>>  interface FastEthernet0/1
>>>  ip address 192.168.20.21 255.255.255.0
>>>  duplex auto
>>>  speed 100
>>>  !
>>>  !
>>>  interface Virtual-Template1 type tunnel
>>>  ip unnumbered FastEthernet0/0
>>>  tunnel source FastEthernet0/0
>>>  tunnel mode ipsec ipv4
>>>  tunnel protection ipsec profile vi
>>>  service-policy output FOO
>>>  !
>>>  router eigrp 1
>>>  network 192.168.1.0
>>>  network 192.168.20.0
>>>  no auto-summary
>>>  !
>>>  ip local pool dpool 5.0.0.1 5.0.0.3
>>>  ip classless
>>>  ip route 0.0.0.0 0.0.0.0 10.0.149.207
>>>  !
>>>  access-list 101 permit ip 192.168.20.0 0.0.0.255 any
>>>  !
>>>  control-plane
>>>  !
>>>  !
>>>  end
>>>
>>> C831 Spoke Router with DVTI Configuration
>>>
>>> C1751 Spoke Router with Traditional Easy VPN Configuration
>>>  version 12.3
>>>  !
>>>  hostname c1751-16
>>>  !
>>>  enable password lab
>>>  !
>>>  username cisco privilege 15 password 0 cisco
>>>  !
>>>  no aaa new-model
>>>  ip subnet-zero
>>>  !
>>>  !
>>>  ip cef
>>>  ip domain name cisco.com
>>>  !
>>>  crypto isakmp policy 1
>>>  encr 3des
>>>  authentication pre-share
>>>  group 2
>>>  crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
>>>  crypto isakmp keepalive 10
>>>  !
>>>  crypto ipsec client ezvpn ez
>>>  connect manual
>>>  group cisco key cisco
>>>  local-address FastEthernet0/0
>>>  mode client
>>>  peer 10.0.149.221
>>>  !
>>>  interface Loopback0
>>>  ip address 5.0.0.3 255.255.255.255
>>>  !
>>>  interface Ethernet0/0
>>>  ip address 192.168.16.1 255.255.255.0
>>>   half-duplex
>>>  crypto ipsec client ezvpn ez inside
>>>  !
>>>  interface FastEthernet0/0
>>>  description $ETH-LAN$$ETH-SW-LAUNCH$
>>>  ip address dhcp
>>>  speed 100
>>>  full-duplex
>>>  crypto ipsec client ezvpn ez
>>>  !
>>>  ip classless
>>>  ip route 10.0.149.0 255.255.255.0 dhcp
>>>  !
>>>  end
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Feb 08 2011 - 00:20:56 ART
This archive was generated by hypermail 2.2.0 : Tue Mar 01 2011 - 07:01:49 ART
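A small audit script that tells the two mechanisms discussed in this thread apart when reading a running-config, as an added example that is not part of the thread and not a Cisco tool. The two sample configs are constructed from the crypto lines quoted above (the hub's `crypto isakmp key ... 0.0.0.0 0.0.0.0` plus its client configuration group, and the FROG router's `sh run | in crypto` output); the parser handles only the `address` form of `crypto isakmp key`, not the `hostname` form, and treats `address 0.0.0.0` with a 0.0.0.0 or omitted mask as the wildcard binding Frog describes (key checked, peer IP ignored).

```python
"""Classify ISAKMP pre-shared-key bindings in a Cisco IOS configuration.
Added example, not from the thread or from Cisco. Handles only
'crypto isakmp key <key> address <peer> [<mask>]', not the 'hostname' form.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample 1: the hub's crypto lines from the thread, with IOS
# indentation (sub-commands indented one space).
HUB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group cisco
 key cisco
 pool dpool
crypto isakmp profile vi
 match identity group cisco
!
"""

# Constructed sample 2: the FROG router's 'sh run | in crypto' output.
FROG_CONFIG = """\
crypto isakmp policy 1
crypto isakmp key cisco123 address 99.99.99.1
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local RTP-POOL
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
"""

# Optional key type digit (0 = clear, 6 = encrypted), key string, peer, mask.
KEY_RE = re.compile(
    r"^crypto isakmp key(?:\s+(?P<enc>[06]))?\s+(?P<key>\S+)\s+address\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?"
)
GROUP_RE = re.compile(r"^crypto isakmp client configuration group\s+(?P<name>\S+)")


@dataclass
class IsakmpKey:
    key: str
    address: str
    mask: Optional[str]   # None when the command omitted the mask
    plaintext: bool       # 'key 0 ...' or no type digit: key stored in clear

    @property
    def wildcard(self) -> bool:
        """address 0.0.0.0 [0.0.0.0]: the IP field is ignored, key only."""
        return self.address == "0.0.0.0" and self.mask in (None, "0.0.0.0")

    @property
    def single_peer(self) -> bool:
        return not self.wildcard and self.mask in (None, "255.255.255.255")


def parse_isakmp_keys(config: str) -> List[IsakmpKey]:
    keys = []
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append(IsakmpKey(m["key"], m["addr"], m["mask"],
                                  plaintext=m["enc"] in (None, "0")))
    return keys


def parse_client_groups(config: str) -> Dict[str, bool]:
    """Map each client configuration group to whether it has a 'key' line."""
    groups: Dict[str, bool] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith(" "):                # sub-command of the open block
            if current and raw.strip().startswith("key "):
                groups[current] = True
            continue
        m = GROUP_RE.match(raw)                # any top-level line closes it
        current = m["name"] if m else None
        if current:
            groups[current] = False
    return groups


def audit(config: str) -> Dict[str, List[str]]:
    """Sort every PSK into wildcard / single-peer / subnet, plus group keys."""
    r: Dict[str, List[str]] = {"wildcard": [], "single_peer": [], "subnet": [],
                               "plaintext": [], "group": [], "notes": []}
    for name, has_key in parse_client_groups(config).items():
        r["group"].append(f"{name}:{'key' if has_key else 'no-key'}")
    for k in parse_isakmp_keys(config):
        bucket = "wildcard" if k.wildcard else "single_peer" if k.single_peer else "subnet"
        r[bucket].append(k.key if k.wildcard else f"{k.address} {k.mask or '255.255.255.255'}")
        if k.plaintext:
            r["plaintext"].append(k.key)
    if r["wildcard"]:
        r["notes"].append("wildcard PSK: any peer that knows the key completes "
                          "ISAKMP phase 1; the peer IP address is not checked")
    if r["wildcard"] and r["group"]:
        r["notes"].append("a client configuration group already carries the group "
                          "key for EzVPN/DVTI clients; the wildcard entry is likely redundant")
    if r["plaintext"]:
        r["notes"].append("keys are stored in the clear (type 0)")
    return r


if __name__ == "__main__":
    for name, cfg in (("hub", HUB_CONFIG), ("FROG", FROG_CONFIG)):
        print(name, audit(cfg))
```

Running it on the hub config reports one wildcard key next to the `cisco` group key, which is the situation Imran was asking about; on the FROG config it reports one key bound to 99.99.99.1 (key + IP checked) and one wildcard key, and the `address-pool local` line is correctly not counted as a client configuration group.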