Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS Release 15.1M&T

IKE: Initiate Aggressive Mode

Feature History

This document describes the IKE: Initiate Aggressive Mode feature in Cisco IOS Release 12.2(8)T. It includes the following sections:

•Feature Overview

•Supported Platforms

•Supported Standards, MIBs, and RFCs

•Prerequisites

•Configuration Tasks

•Configuration Examples

•Command Reference, page 7

Feature Overview

The IKE: Initiate Aggressive Mode feature allows you to configure Internet Key Exchange (IKE) preshared keys as RADIUS tunnel attributes for IP Security (IPSec) peers. Thus, you can scale your IKE preshared keys in a hub-and-spoke topology.

Although IKE preshared keys are simple to understand and easy to deploy, they do not scale well with an increasing number of users and are therefore prone to security threats. Instead of keeping your preshared keys on the hub router, this feature allows you to scale your preshared keys by storing and retrieving them from an authentication, authorization, and accounting (AAA) server. The preshared keys are stored in the AAA server as Internet Engineering Task Force (IETF) RADIUS tunnel attributes and are retrieved when a user tries to "speak" to the hub router. The hub router retrieves the preshared key from the AAA server and the spokes (the users) initiate aggressive mode to the hub by using the preshared key that is specified in the Internet Security Association Key Management Policy (ISAKMP) peer policy as a RADIUS tunnel attribute.

RADIUS Tunnel Attributes

To initiate an IKE aggressive mode negotiation, the Tunnel-Client-Endpoint (66) and Tunnel-Password (69) attributes must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload; the Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.

Benefits

The IKE: Initiate Aggressive Mode feature allows you to specify RADIUS tunnel attributes for an IPSec peer and to initiate an IKE aggressive mode negotiation with the tunnel attributes. This feature is best implemented in a crypto hub-and-spoke scenario, by which the spokes initiate IKE aggressive mode negotiation with the hub by using the preshared keys that are specified as tunnel attributes and stored on the AAA server. This scenario is scalable because the preshared keys are kept at a central repository (the AAA server) and more than one hub router and one application can use the information.

Restrictions

TED Restriction

This feature is not intended to be used with a dynamic crypto map that uses Tunnel Endpoint Discovery (TED) to initiate tunnel setup. TED is useful in configuring a full mesh setup, which requires an AAA server at each site to store the preshared keys for the peers; this configuration is not practical for use with this feature.

Tunnel-Client-Endpoint ID Types

Only the following ID types can be used in this feature:

•ID_IPV4 (IPV4 address)

•ID_FQDN (fully qualified domain name, for example "foo.cisco.com")

•ID_USER_FQDN (e-mail address)

Related Documents

•Cisco IOS Security Command Reference

Supported Platforms

This feature runs on all platforms that support IPSec and public key infrastructure (PKI).

•Cisco 800 series

•Cisco 805

•Cisco 806

•Cisco 828

•Cisco 1400 series

•Cisco 1600 series

•Cisco 1600-R series

•Cisco 1710

•Cisco 1720

•Cisco 1750

•Cisco 1751

•Cisco 2400 series

•Cisco 2600 series

•Cisco 3620

•Cisco 3640

•Cisco 3660

•Cisco 3725

•Cisco 3745

•Cisco 7100 series

•Cisco 7200 series

•Cisco 7500 series

•Cisco 7700 series

•Cisco MC3810

•Route Processor Module (RPM)

•Universal Route Module (URM)

Determining Platform Support Through Cisco Feature Navigator

Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Cisco Feature Navigator. Cisco Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.

Cisco Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image. You can search by feature or release. Under the release section, you can compare releases side by side to display both the features unique to each software release and the features in common.

To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.

Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Cisco Feature Navigator home page at the following URL:

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

•RFC 2409, The Internet Key Exchange

•RFC 2868, RADIUS Attributes for Tunnel Protocol Support

Prerequisites

Before configuring the Initiate Aggressive Mode IKE feature, you must perform the following tasks:

•Configure AAA

•Configure an IPSec Transform

•Configure a Static Crypto Map

•Configure an ISAKMP Policy

•Configure a Dynamic Crypto Map

For information on completing these tasks, refer to the chapters "Configuring Authentication" and "Configuring Internet Key Exchange for IPsec VPN,"

Configuration Tasks

See the following sections for configuration tasks for the IKE: Initiate Aggressive Mode feature. Each task in the list is identified as either required or optional.

•Configuring RADIUS Tunnel Attributes (required)

•Verifying RADIUS Tunnel Attribute Configurations (optional)

Configuring RADIUS Tunnel Attributes

To configure the Tunnel-Client-Endpoint and Tunnel-Password attributes within the ISAKMP peer configuration, use the following commands beginning in global configuration mode:

Verifying RADIUS Tunnel Attribute Configurations

To verify that the Tunnel-Client-Endpoint and Tunnel-Password attributes have been configured within the ISAKMP peer policy, use the show running-config global configuration command.

Troubleshooting Tips

To troubleshoot the IKE: Initiate Aggressive Mode feature, use the following debug commands in EXEC mode:

Configuration Examples

This section provides the following configuration examples:

•Hub Configuration Example

•Spoke Configuration Example

•RADIUS User Profile Example

Hub Configuration Example

The following example shows how to configure a hub for a hub-and-spoke topology that supports aggressive mode using RADIUS tunnel attributes:

!The AAA configurations are as follows:

aaa new-model

aaa authorization network ike group radius

aaa authentication login default group radius

!

! The Radius configurations are as follows:

radius-server host 1.1.1.1 auth-port 1645 acct-port 1646

radius-server key rad123

!

! The IKE configurations are as follows:

crypto isakmp policy 1

 authentication pre-share

!

! The IPSec configurations are as follows:

crypto ipsec transform-set trans1 esp-3des esp-sha-hmac

!

crypto dynamic-map Dmap 10

 set transform-set trans1

!

crypto map Testtag isakmp authorization list ike

crypto map Testtag 10 ipsec-isakmp dynamic Dmap

!

interface Ethernet0

 ip address 4.4.4.1 255.255.255.0

 crypto map Testtag

!

interface Ethernet1

 ip address 2.2.2.1 255.255.255.0

Spoke Configuration Example

The following example shows how to configure a spoke for a hub-and-spoke topology that supports aggressive mode using RADIUS tunnel attributes:

!The IKE configurations are as follows:

crypto isakmp policy 1

 authentication pre-share

!

! The IPSec configurations are as follows:

crypto ipsec transform-set trans1 esp-3des esp-sha-hmac

 access-list 101 permit ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255

!

! Initiate aggressive mode using Radius tunnel attributes

crypto isakmp peer address 4.4.4.1

 set aggressive-mode client-endpoint user-fqdn user@cisco.com

 set aggressive-mode password cisco123

!

crypto map Testtag 10 ipsec-isakmp

 set peer 4.4.4.1

 set transform-set trans1

 match address 101

!

interface Ethernet0

 ip address 5.5.5.1 255.255.255.0

 crypto map Testtag

!

interface Ethernet1

 ip address 3.3.3.1 255.255.255.0

RADIUS User Profile Example

The following is an example of a user profile on a RADIUS server that supports the Tunnel-Client-Endpoint and Tunnel-Password attributes:

user@cisco.com  Password = "cisco", Service-Type = Outbound

    Tunnel-Medium-Type = :1:IP,

    Tunnel-Type = :1:ESP,

    Cisco:Avpair = "ipsec:tunnel-password=cisco123",

    Cisco:Avpair = "ipsec:key-exchange=ike" 

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2009-2010 Cisco Systems, Inc. All rights reserved.