CONFIGURING SITE TO SITE VPN USING HOSTNAME IKE IDENTITY
When crypto peers use Internet Key Exchange (IKE) to establish IPsec security associations, each peer sends its IKE identity to the other peer. Depending on how the crypto peer is configured, the IKE identity can be either the hostname or the IP address of the peer. The default IKE identity on IOS and on the Adaptive Security Appliance (ASA) is the IP address. When using pre-shared key (PSK) authentication, the crypto peers authenticate each other during IKE negotiation using the pre-shared key and the IKE identity (messages 5 and 6 when IKE main mode is used). The IKE identity on a peer can be either the hostname or the IP address, but both peers MUST use the same type of IKE identity.
IP ADDRESS IKE IDENTITY: Typically used when only one interface on the peer will be used for IKE negotiations and its IP address is known.
HOST NAME IKE IDENTITY: Typically used if more than one interface on the peer might be used for IKE negotiations, or if the interface's IP address is unknown (such as a DHCP-assigned address). For a peer with multiple tunnels, using the hostname as the IKE identity helps an administrator easily identify, grep or view remote peer information when looking at the logs.
CONFIGURATION
The section below shows how to configure the VPN topology below. A VPN tunnel is configured between R2 and R1 using the hostname as the IKE identity, so that after the tunnel is established an administrator can easily identify, grep or view remote peer information when looking at the syslog.
R1 CONFIGURATION
!
hostname lagos
!
ip domain name goryeal.com
!
crypto isakmp identity hostname
!
crypto keyring R2
  pre-shared-key address 10.10.10.2 key cisco
!
crypto isakmp policy 100
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 7000
!
crypto isakmp profile l2l
   description profile for remote site
   keyring R2
   match identity host abuja.goryeal.com
   keepalive 10 retry 3
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map gomap 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set myset
 set isakmp-profile l2l
 match address vpn
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
 ip address 100.100.100.2 255.255.255.0
 crypto map gomap
!
ip route 0.0.0.0 0.0.0.0 100.100.100.1
!
ip access-list extended vpn
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
R2 CONFIGURATION
hostname abuja
!
ip domain name goryeal.com
!
crypto isakmp identity hostname
!
crypto keyring R1
  pre-shared-key address 100.100.100.2 key cisco
!
crypto isakmp policy 100
 encr aes 256
 hash md5
 authentication pre-share
 group 2
 lifetime 7000
!
crypto isakmp profile l2l
   description profile for remote site
   keyring R1
   match identity host lagos.goryeal.com
   keepalive 10 retry 2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map gomap 10 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set myset
 set isakmp-profile l2l
 match address vpn
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
 crypto map gomap
!
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
ip access-list extended vpn
 permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255
!
TUNNEL ESTABLISHMENT VERIFICATION
lagos#sh cry session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
      K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
      X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Ethernet0/0
Profile: l2l
Uptime: 00:02:30
Session status: UP-ACTIVE
Peer: 10.10.10.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: abuja.goryeal.com
      Desc: (none)
  IKEv1 SA: local 100.100.100.2/500 remote 10.10.10.2/500 Active
          Capabilities:D connid:1001 lifetime:01:54:09
  IPSEC FLOW: permit ip 1.1.1.0/255.255.255.0 2.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2849
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2849

lagos#sh crypto isakmp peers
Peer: 10.10.10.2 Port: 500 Local: 100.100.100.2
 Phase1 id: abuja.goryeal.com
abuja#sh cry session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
      K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
      X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Ethernet0/0
Profile: l2l
Uptime: 00:02:10
Session status: UP-ACTIVE
Peer: 100.100.100.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: lagos.goryeal.com
      Desc: (none)
  IKEv1 SA: local 10.10.10.2/500 remote 100.100.100.2/500 Active
          Capabilities:D connid:1001 lifetime:01:54:29
  IPSEC FLOW: permit ip 2.2.2.0/255.255.255.0 1.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2869
        Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) KB Vol Rekey Disabled/2869

abuja#sh cry isakmp peers
Peer: 100.100.100.2 Port: 500 Local: 10.10.10.2
 Phase1 id: lagos.goryeal.com
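As an added example (not part of the original article and not Cisco code), the Python below turns the two checks implied by the configuration and verification sections above into something that can run against exported configs and show output. It derives the IKE identity each router will send (hostname plus ip domain name, because crypto isakmp identity hostname is set), confirms that each side's FQDN appears in a match identity host line on the other side, and parses show crypto session detail so that Phase1_id is matched against the expected peer identity instead of being read by eye. The configuration and show-output samples embedded in it are constructed from the lagos and abuja examples on this page; the function names are my own.

```python
import re

# Constructed samples: the identity-relevant lines of the R1 (lagos) and
# R2 (abuja) configurations from the page.
R1_CONFIG = """\
hostname lagos
ip domain name goryeal.com
crypto isakmp identity hostname
crypto isakmp profile l2l
   keyring R2
   match identity host abuja.goryeal.com
"""

R2_CONFIG = """\
hostname abuja
ip domain name goryeal.com
crypto isakmp identity hostname
crypto isakmp profile l2l
   keyring R1
   match identity host lagos.goryeal.com
"""

# Constructed sample of 'show crypto session detail' on lagos (page's shape).
R1_SHOW = """\
Interface: Ethernet0/0
Profile: l2l
Uptime: 00:02:30
Session status: UP-ACTIVE
Peer: 10.10.10.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: abuja.goryeal.com
      Desc: (none)
  IKEv1 SA: local 100.100.100.2/500 remote 10.10.10.2/500 Active
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def identity_kind(phase1_id):
    """Classify an IKE identity as 'address' (IOS default) or 'hostname'."""
    return "address" if IPV4.match(phase1_id) else "hostname"


def ike_identity(config):
    """FQDN a router sends when 'crypto isakmp identity hostname' is set
    (hostname + ip domain name); None if it still uses the address identity."""
    hostname = domain = None
    uses_hostname = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line.startswith("ip domain name "):
            domain = line.split()[3]
        elif line == "crypto isakmp identity hostname":
            uses_hostname = True
    if not uses_hostname or hostname is None:
        return None
    return f"{hostname}.{domain}" if domain else hostname


def expected_peer_identities(config):
    """All 'match identity host' values across the router's isakmp profiles."""
    return set(re.findall(r"^\s*match identity host (\S+)\s*$", config, re.M))


def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the two sides agree.
    Both must use hostname identity and each FQDN must be matched by the other."""
    id_a, id_b = ike_identity(cfg_a), ike_identity(cfg_b)
    if id_a is None or id_b is None:
        return ["both peers must be set to 'crypto isakmp identity hostname'"]
    problems = []
    if id_a not in expected_peer_identities(cfg_b):
        problems.append(f"peer B has no 'match identity host {id_a}'")
    if id_b not in expected_peer_identities(cfg_a):
        problems.append(f"peer A has no 'match identity host {id_b}'")
    return problems


def parse_sessions(show_output):
    """Parse 'show crypto session detail' into one dict per peer holding the
    fields an operator greps for: peer address, Phase1_id and session status."""
    sessions, status, current = [], None, None
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("Session status: "):
            status = line.split(": ", 1)[1]
        elif line.startswith("Peer: "):
            m = re.match(r"Peer: (\S+) port (\d+)", line)
            current = {"peer": m.group(1), "port": int(m.group(2)),
                       "status": status, "phase1_id": None}
            sessions.append(current)
        elif line.startswith("Phase1_id: ") and current is not None:
            current["phase1_id"] = line.split(": ", 1)[1]
            current["identity_kind"] = identity_kind(current["phase1_id"])
    return sessions


def verify_tunnel(cfg_remote, show_output):
    """Sessions whose Phase1_id equals the identity the remote config sends
    and whose status is UP-ACTIVE."""
    remote_id = ike_identity(cfg_remote)
    return [s for s in parse_sessions(show_output)
            if s["phase1_id"] == remote_id and s["status"] == "UP-ACTIVE"]


if __name__ == "__main__":
    print("config mismatches:", check_pair(R1_CONFIG, R2_CONFIG))
    for s in verify_tunnel(R2_CONFIG, R1_SHOW):
        print(f"{s['phase1_id']} ({s['identity_kind']}) at {s['peer']} is {s['status']}")
```

Running it against the page's values reports no mismatches and one UP-ACTIVE session whose Phase1_id is abuja.goryeal.com with identity kind hostname; changing one side's match identity host, or dropping crypto isakmp identity hostname from one router, makes check_pair report the error before the tunnel is ever attempted. One caveat the configuration does not mention: hash md5, group 2 and esp-3des are legacy algorithms in Cisco's current cryptographic guidance; the hostname-identity mechanism is independent of them, so a SHA-2 hash, a larger DH group and an AES transform set can be substituted without touching the identity, keyring or profile lines.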
GORI DAWODU
CISCO TAC VPN, SAN JOSE