Monday 25 April 2011

isakmp profiles

isakmp profiles are used when you have multiple tunnels and need to customize phase 1 details per peer

isakmp policies are still needed (you cannot set the DH group, hash, etc. in an isakmp profile)


USELESS example (because of the keyring): hub using a crypto dynamic map and isakmp profiles;
the spokes use a static configuration.

HUB
crypto keyring 1
 pre-shared-key address 1.1.1.2 key cisco2
 pre-shared-key address 1.1.1.3 key cisco3
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 authentication pre-share
 group 2
crypto isakmp profile 2
 keyring 1
 match identity address 1.1.1.2 255.255.255.255
crypto isakmp profile 3
 keyring 1
 match identity address 1.1.1.3 255.255.255.255
!
!
crypto ipsec transform-set des esp-des esp-md5-hmac
!
crypto dynamic-map 1 1
 set transform-set des
 set isakmp-profile 2
crypto dynamic-map 1 2
 set transform-set des
 set isakmp-profile 3
!
!
crypto map 1 1 ipsec-isakmp dynamic 1

when peer 1.1.1.3 starts the tunnel:

*Mar 1 00:19:34.627: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 1 00:19:34.627: ISAKMP:(0):found peer pre-shared key matching 1.1.1.3

*Mar 1 00:19:34.631: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 00:19:34.631: ISAKMP: encryption DES-CBC
*Mar 1 00:19:34.631: ISAKMP: hash SHA
*Mar 1 00:19:34.631: ISAKMP: default group 2
*Mar 1 00:19:34.631: ISAKMP: auth pre-share
*Mar 1 00:19:34.631: ISAKMP: life type in seconds
*Mar 1 00:19:34.631: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:19:34.631: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Mar 1 00:19:34.631: ISAKMP:(0):atts are not acceptable.

*Mar 1 00:19:34.631: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
*Mar 1 00:19:34.631: ISAKMP: encryption DES-CBC
*Mar 1 00:19:34.631: ISAKMP: hash SHA
*Mar 1 00:19:34.631: ISAKMP: default group 2
*Mar 1 00:19:34.631: ISAKMP: auth pre-share
*Mar 1 00:19:34.631: ISAKMP: life type in seconds
*Mar 1 00:19:34.631: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 00:19:34.631: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar 1 00:19:34.727: ISAKMP:(0):: peer matches 3 profile
*Mar 1 00:19:34.727: ISAKMP:(1002):Found ADDRESS key in keyring 1
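As an added illustration (not part of the original post and not Cisco code), the following Python models the three lookups the debug above walks through: policies tried in priority order until one accepts the peer's attributes, the profile chosen by the masked `match identity address` compare, and the pre-shared key fetched from that profile's keyring. The policy attributes are the page's config plus the IOS defaults (DES, SHA, DH group 1) for anything left unset; the spoke's proposal is taken from the debug lines.

```python
import ipaddress

# Constructed model of the hub configuration above (illustration only, not IOS code).
# Unset policy attributes take the IOS defaults: DES, SHA, DH group 1.
POLICIES = {
    1: {"encryption": "des", "hash": "sha", "group": 1, "auth": "pre-share"},
    2: {"encryption": "des", "hash": "sha", "group": 2, "auth": "pre-share"},
}
KEYRINGS = {"1": {"1.1.1.2": "cisco2", "1.1.1.3": "cisco3"}}
PROFILES = {  # profile name -> keyring and 'match identity address <addr> <mask>'
    "2": {"keyring": "1", "match": ("1.1.1.2", "255.255.255.255")},
    "3": {"keyring": "1", "match": ("1.1.1.3", "255.255.255.255")},
}

def check_policies(proposal):
    """Return (winning priority or None, {priority: attributes that did not match})."""
    mismatches = {}
    for prio in sorted(POLICIES):  # lowest priority number is tried first
        bad = sorted(k for k, v in POLICIES[prio].items() if proposal.get(k) != v)
        mismatches[prio] = bad
        if not bad:  # 'atts are acceptable'
            return prio, mismatches
    return None, mismatches

def match_profile(peer_ip):
    """'match identity address A M' is a masked compare: peer & M == A & M."""
    ip = int(ipaddress.IPv4Address(peer_ip))
    for name, prof in PROFILES.items():
        addr, mask = (int(ipaddress.IPv4Address(x)) for x in prof["match"])
        if ip & mask == addr & mask:
            return name  # 'peer matches <name> profile'
    return None

def negotiate_phase1(peer_ip, proposal):
    """Policy, profile, keyring and PSK a peer ends up with, or None if phase 1 fails."""
    policy, _ = check_policies(proposal)
    profile = match_profile(peer_ip)
    if policy is None or profile is None:
        return None
    keyring = PROFILES[profile]["keyring"]
    psk = KEYRINGS[keyring].get(peer_ip)  # 'Found ADDRESS key in keyring 1'
    if psk is None:
        return None
    return {"policy": policy, "profile": profile, "keyring": keyring, "psk": psk}

# What spoke 1.1.1.3 proposes in the debug: DES-CBC, SHA, group 2, pre-share.
SPOKE3_PROPOSAL = {"encryption": "des", "hash": "sha", "group": 2, "auth": "pre-share"}
```

Running it for 1.1.1.2 and 1.1.1.3 shows both profiles resolving to keyring 1, which is the point of calling them useless here: the keyring alone already selects the right key.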
