Downloads |
Table Of Contents
Supported Standards, MIBs, and RFCs
Configuring RADIUS Tunnel Attributes
Verifying RADIUS Tunnel Attribute Configurations
set aggressive-mode client-endpoint
IKE: Initiate Aggressive Mode
Feature History
This document describes the IKE: Initiate Aggressive Mode feature in Cisco IOS Release 12.2(8)T. It includes the following sections:
•
Supported Standards, MIBs, and RFCs
Feature Overview
The IKE: Initiate Aggressive Mode feature allows you to configure Internet Key Exchange (IKE) preshared keys as RADIUS tunnel attributes for IP Security (IPSec) peers. Thus, you can scale your IKE preshared keys in a hub-and-spoke topology.
Although IKE preshared keys are simple to understand and easy to deploy, they do not scale well with an increasing number of users and are therefore prone to security threats. Instead of keeping your preshared keys on the hub router, this feature allows you to scale your preshared keys by storing and retrieving them from an authentication, authorization, and accounting (AAA) server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the Internet Security Association Key Management Policy (ISAKMP) peer policy as a RADIUS tunnel attribute.
RADIUS Tunnel Attributes
To initiate an IKE aggressive mode negotiation, the Tunnel-Client-Endpoint (66) and Tunnel-Password (69) attributes must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload; the Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.
Benefits
The IKE: Initiate Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes. This feature is best implemented in a crypto hub-and-spoke scenario, by which the spokes initiate IKE aggressive mode negotiation with the hub by using the preshared keys that are specified as tunnel attributes and stored on the AAA server. This scenario is scalable because the preshared keys are kept at a central repository (the AAA server) and more than one hub router and one application can use the information.
Restrictions
TED Restriction
This feature is not intended to be used with a dynamic crypto map that uses Tunnel Endpoint Discovery (TED) to initiate tunnel setup. TED is useful in configuring a full mesh setup, which requires an AAA server at each site to store the preshared keys for the peers; this configuration is not practical for use with this feature.
Tunnel-Client-Endpoint ID Types
Only the following ID types can be used in this feature:
•
•
•
Related Documents
•
•
Supported Platforms
This feature runs on all platforms that support IPSec and public key infrastructure (PKI).
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Determining Platform Support Through Cisco Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:
Supported Standards, MIBs, and RFCs
Standards
None
MIBs
None
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
•
•
Prerequisites
Before configuring the Initiate Aggressive Mode IKE feature, you must perform the following tasks:
•
•
•
•
•
For information on completing these tasks, refer to the chapters "Configuring Authentication," "Configuring IPSec Network Security," and "Configuring Internet Key Exchange Security Protocol" in the Cisco IOS Security Configuration Guide, Release 12.2.
Configuration Tasks
See the following sections for configuration tasks for the IKE: Initiate Aggressive Mode feature. Each task in the list is identified as either required or optional.
•
•
Configuring RADIUS Tunnel Attributes
To configure the Tunnel-Client-Endpoint and Tunnel-Password attributes within the ISAKMP peer configuration, use the following commands beginning in global configuration mode:
Verifying RADIUS Tunnel Attribute Configurations
To verify that the Tunnel-Client-Endpoint and Tunnel-Password attributes have been configured within the ISAKMP peer policy, use the show running-config global configuration command.
Troubleshooting Tips
To troubleshoot the IKE: Initiate Aggressive Mode feature, use the following debug commands in EXEC mode:
Configuration Examples
This section provides the following configuration examples:
Hub Configuration Example
The following example shows how to configure a hub for a hub-and-spoke topology that supports aggressive mode using RADIUS tunnel attributes:
!The AAA configurations are as follows:aaa new-modelaaa authorization network ike group radiusaaa authentication login default group radius!! The Radius configurations are as follows:radius-server host 1.1.1.1 auth-port 1645 acct-port 1646radius-server key rad123!! The IKE configurations are as follows:crypto isakmp policy 1authentication pre-share!! The IPSec configurations are as follows:crypto ipsec transform-set trans1 esp-3des esp-sha-hmac!crypto dynamic-map Dmap 10set transform-set trans1!crypto map Testtag isakmp authorization list ikecrypto map Testtag 10 ipsec-isakmp dynamic Dmap!interface Ethernet0ip address 4.4.4.1 255.255.255.0crypto map Testtag!interface Ethernet1ip address 2.2.2.1 255.255.255.0Spoke Configuration Example
The following example shows how to configure a spoke for a hub-and-spoke topology that supports aggressive mode using RADIUS tunnel attributes:
!The IKE configurations are as follows:crypto isakmp policy 1authentication pre-share!! The IPSec configurations are as follows:crypto ipsec transform-set trans1 esp-3des esp-sha-hmacaccess-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255!! Initiate aggressive mode using Radius tunnel attributescrypto isakmp peer address 4.4.4.1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123!crypto map Testtag 10 ipsec-isakmpset peer 4.4.4.1set transform-set trans1match address 101!interface Ethernet0ip address 5.5.5.1 255.255.255.0crypto map Testtag!interface Ethernet1ip address 3.3.3.1 255.255.255.0RADIUS User Profile Example
The following is an example of a user profile on a RADIUS server that supports the Tunnel-Client-Endpoint and Tunnel-Password attributes:
user@cisco.com Password = "cisco", Service-Type = OutboundTunnel-Medium-Type = :1:IP,Tunnel-Type = :1:ESP,Cisco:Avpair = "ipsec:tunnel-password=cisco123",Cisco:Avpair = "ipsec:key-exchange=ike"Command Reference
This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
•
crypto isakmp peer
To enable an IP Security (IPSec) peer for Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto isakmp peer command in global configuration mode. To disable this functionality, use the no form of this command.
crypto isakmp peer {ip-address ip-address | fqdn fqdn}
no crypto isakmp peer {ip-address ip-address | fqdn fqdn}
Syntax Description
ip-address ip-address
The IP address of the peer router.
fqdn fqdn
The fully-qualified domain name of the peer router.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
After enabling this command, you can use the set aggressive-mode client-endpoint and set aggressive-mode password commands to specify RADIUS tunnel attributes in the ISAKMP peer policy for IPSec peers.
Instead of keeping your preshared keys on the hub router, you can scale your preshared keys by storing and retrieving them from a AAA server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the ISAKMP peer policy as a RADIUS tunnel attribute.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer address 4.4.4.1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123Related Commands
crypto map isakmp authorization list
Enables IKE querying of AAA for tunnel attributes in aggressive mode.
set aggressive-mode client-endpoint
To specify the Tunnel-Client-Endpoint attribute within an Internet Security Association Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode client-endpoint command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.
set aggressive-mode client-endpoint client-endpoint
no set aggressive-mode client-endpoint client-endpoint
Syntax Description
Defaults
The Tunnel-Client-Endpoint attribute is not defined.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Before you can use this command, you must enable the crypto isakmp peer command.
To initiate an IKE aggressive mode negotiation and specify the RADIUS Tunnel-Client-Endpoint attribute, the set aggressive-mode client-endpoint command, along with the set aggressive-mode password command, must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload;
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer address 4.4.4.1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123Related Commands
Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.
Specifies the Tunnel-Password attribute within an ISAKMP peer configuration.
set aggressive-mode password
To specify the Tunnel-Password attribute within an Internet Security Association Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode password command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.
set aggressive-mode password password
no set aggressive-mode password password
Syntax Description
password
The password that is used to authenticate the peer to a remote server. The tunnel password is used as the Internet Key Exchange (IKE) preshared key.
Defaults
The Tunnel-Password attribute is not defined.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Before you can use this command, you must enable the crypto isakmp peer command.
To initiate an IKE aggressive mode negotiation, the set aggressive-mode password command, along with the set aggressive-mode client-endpoint command, must be configured in the ISAKMP peer policy. The Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer address 4.4.4.1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123
Related Commands
Enables an IPSec peer for IKE querying of AAA for tunnel attributes in aggressive mode.
Specifies the Tunnel-Client-Endpoint attribute within an ISAKMP peer configuration