IKE: Initiate Aggressive Mode
Feature History
|
|
12.2(8)T |
This feature was introduced. |
This document describes the IKE: Initiate Aggressive Mode feature in Cisco IOS Release 12.2(8)T. It includes the following sections:
•Feature Overview
•Supported Platforms
•Supported Standards, MIBs, and RFCs
•Prerequisites
•Configuration Tasks
•Configuration Examples
•Command Reference, page 7
Feature Overview
The IKE: Initiate Aggressive Mode feature allows you to configure Internet Key Exchange (IKE) preshared keys as RADIUS tunnel attributes for IP Security (IPSec) peers. Thus, you can scale your IKE preshared keys in a hub-and-spoke topology.
Although IKE preshared keys are simple to understand and easy to deploy, they do not scale well with an increasing number of users and are therefore prone to security threats. Instead of keeping your preshared keys on the hub router, this feature allows you to scale your preshared keys by storing and retrieving them from an authentication, authorization, and accounting (AAA) server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the Internet Security Association Key Management Policy (ISAKMP) peer policy as a RADIUS tunnel attribute.
RADIUS Tunnel Attributes
To initiate an IKE aggressive mode negotiation, the Tunnel-Client-Endpoint (66) and Tunnel-Password (69) attributes must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload; the Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.
Benefits
The IKE: Initiate Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes. This feature is best implemented in a crypto hub-and-spoke scenario, by which the spokes initiate IKE aggressive mode negotiation with the hub by using the preshared keys that are specified as tunnel attributes and stored on the AAA server. This scenario is scalable because the preshared keys are kept at a central repository (the AAA server) and more than one hub router and one application can use the information.
Restrictions
TED Restriction
This feature is not intended to be used with a dynamic crypto map that uses Tunnel Endpoint Discovery (TED) to initiate tunnel setup. TED is useful in configuring a full mesh setup, which requires an AAA server at each site to store the preshared keys for the peers; this configuration is not practical for use with this feature.
Tunnel-Client-Endpoint ID Types
Only the following ID types can be used in this feature:
•ID_IPV4 (IPV4 address)
•ID_FQDN (fully qualified domain name, for example "foo.cisco.com")
•ID_USER_FQDN (e-mail address)
Related Documents
•Cisco IOS Security Command Reference
Supported Platforms
This feature runs on all platforms that support IPSec and public key infrastructure (PKI).
•Cisco 800 series
•Cisco 805
•Cisco 806
•Cisco 828
•Cisco 1400 series
•Cisco 1600 series
•Cisco 1600-R series
•Cisco 1710
•Cisco 1720
•Cisco 1750
•Cisco 1751
•Cisco 2400 series
•Cisco 2600 series
•Cisco 3620
•Cisco 3640
•Cisco 3660
•Cisco 3725
•Cisco 3745
•Cisco 7100 series
•Cisco 7200 series
•Cisco 7500 series
•Cisco 7700 series
•Cisco MC3810
•Route Processor Module (RPM)
•Universal Route Module (URM)
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
•RFC 2409, The Internet Key Exchange
•RFC 2868, RADIUS Attributes for Tunnel Protocol Support
Prerequisites
Before configuring the Initiate Aggressive Mode IKE feature, you must perform the following tasks:
•Configure AAA
•Configure an IPSec Transform
•Configure a Static Crypto Map
•Configure an ISAKMP Policy
•Configure a Dynamic Crypto Map
For information on completing these tasks, refer to the chapters "Configuring Authentication" and "Configuring Internet Key Exchange for IPsec VPN,"
Configuration Tasks
See the following sections for configuration tasks for the IKE: Initiate Aggressive Mode feature. Each task in the list is identified as either required or optional.
•Configuring RADIUS Tunnel Attributes (required)
•Verifying RADIUS Tunnel Attribute Configurations (optional)
Configuring RADIUS Tunnel Attributes
To configure the Tunnel-Client-Endpoint and Tunnel-Password attributes within the ISAKMP peer configuration, use the following commands beginning in global configuration mode:
|
|
|
Step 1 |
Router(config)# crypto map map-name isakmp authorization list list-name
|
Enables IKE querying of AAA for tunnel attributes in aggressive mode. |
Step 2 |
Router(config)# crypto isakmp peer {ip-address ip-address | fqdn fqdn} |
Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode and enters ISAKMP policy configuration mode. |
Step 3 |
Router(config-isakmp)# set aggressive-mode client-endpoint client-endpoint |
Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration. |
Step 4 |
Router(config-isakmp)# set aggressive-mode password password |
Specifies the Tunnel-Password attribute within an ISAKMP peer configuration. |
Verifying RADIUS Tunnel Attribute Configurations
To verify that the Tunnel-Client-Endpoint and Tunnel-Password attributes have been configured within the ISAKMP peer policy, use the show running-config global configuration command.
Troubleshooting Tips
To troubleshoot the IKE: Initiate Aggressive Mode feature, use the following debug commands in EXEC mode:
|
|
Router# debug aaa authorization |
Displays information on AAA authorization. |
Router# debug crypto isakmp |
Displays messages about IKE events. |
Router# debug radius |
Displays information associated with the RADIUS. |
Configuration Examples
This section provides the following configuration examples:
•Hub Configuration Example
•Spoke Configuration Example
•RADIUS User Profile Example
Hub Configuration Example
The following example shows how to configure a hub for a hub-and-spoke topology that supports aggressive mode using RADIUS tunnel attributes:
!The AAA configurations are as follows:
aaa authorization network ike group radius
aaa authentication login default group radius
! The Radius configurations are as follows:
radius-server host 1.1.1.1 auth-port 1645 acct-port 1646
! The IKE configurations are as follows:
! The IPSec configurations are as follows:
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto dynamic-map Dmap 10
crypto map Testtag isakmp authorization list ike
crypto map Testtag 10 ipsec-isakmp dynamic Dmap
ip address 4.4.4.1 255.255.255.0
ip address 2.2.2.1 255.255.255.0
Spoke Configuration Example
The following example shows how to configure a spoke for a hub-and-spoke topology that supports aggressive mode using RADIUS tunnel attributes:
!The IKE configurations are as follows:
! The IPSec configurations are as follows:
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
! Initiate aggressive mode using Radius tunnel attributes
crypto isakmp peer address 4.4.4.1
set aggressive-mode client-endpoint user-fqdn user@cisco.com
set aggressive-mode password cisco123
crypto map Testtag 10 ipsec-isakmp
ip address 5.5.5.1 255.255.255.0
ip address 3.3.3.1 255.255.255.0
RADIUS User Profile Example
The following is an example of a user profile on a RADIUS server that supports the Tunnel-Client-Endpoint and Tunnel-Password attributes:
user@cisco.com Password = "cisco", Service-Type = Outbound
Tunnel-Medium-Type = :1:IP,
Cisco:Avpair = "ipsec:tunnel-password=cisco123",
Cisco:Avpair = "ipsec:key-exchange=ike"
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2009-2010 Cisco Systems, Inc. All rights reserved.