Real-Time Resolution for IPsec Tunnel Peer


First Published: November 3, 2003
Last Updated: July 31, 2009

After a user specifies a host name (instead of an IP address) for remote IP Security (IPsec) peer, the Real-Time Resolution for IPsec Tunnel Peer feature allows the host name to be domain name server (DNS) resolved before the router establishes the IPsec tunnel. Thus, the router can immediately discover whether the IP address of the peer has changed.

Finding Feature Information

For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Real-Time Resolution for IPsec Tunnel Peer" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.

Contents

Restrictions for Real-Time Resolution for IPsec Tunnel Peer

Information About Real-Time Resolution for IPsec Tunnel Peer

How to Configure Real-Time Resolution

Configuration Examples for Real-Time Resolution

Additional References

Feature Information for Real-Time Resolution for IPsec Tunnel Peer

Restrictions for Real-Time Resolution for IPsec Tunnel Peer

Secure DNS Requirement

It is recommended that you use this feature only with secure DNS and when the DNS responses can be authenticated. Otherwise, an attacker can spoof or forge DNS responses and have access to Internet Key Exchange (IKE) authentication data, such as a certificate. If an attacker has a certificate that is trusted by the initiating host, the attacker can successfully establish Phase 1 IKE security association (SA), or the attacker can try to guess the preshared key that is shared between the initiator and the actual responder.

DNS Initiator

DNS names resolution for remote IPsec peers will work only if they are used as an initiator. The first packet that is to be encrypted will trigger a DNS lookup; after the DNS lookup is complete, subsequent packets will trigger IKE.

Information About Real-Time Resolution for IPsec Tunnel Peer

To configure real-time resolution for your IPsec peer, you should understand the following concept:

Benefits of Real-Time Resolution Via Secure DNS

Benefits of Real-Time Resolution Via Secure DNS

When specifying the host name of a remote IPsec peer via the set peer command, you can also issue the dynamic keyword, which defers DNS resolution of the host name until right before the IPsec tunnel has been established. Deferring resolution enables the Cisco IOS XE software to detect whether the IP address of the remote IPsec peer has changed. Thus, the software can contact the peer at the new IP address.

If the dynamic keyword is not issued, the host name is resolved immediately after it is specified. So, the Cisco IOS XE software cannot detect an IP address change and, therefore, attempts to connect to the IP address that it previously resolved.

DNS resolution assures users that their established IPsec tunnel is secure and authenticated.

How to Configure Real-Time Resolution

This section contains the following procedure:

Configuring Real-Time Resolution for IPsec Peers

Configuring Real-Time Resolution for IPsec Peers

Use this task to configure a router to perform real-time DNS resolution with a remote IPsec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPsec tunnel) with the peer.

Prerequisites

Before creating a crypto map, you should perform the following tasks:

Define Internet Security Association Key Management Protocol (ISAKMP) policies.

Define IPsec transform sets.

SUMMARY STEPS

1. enable

2. configure terminal

3. crypto map map-name seq-num ipsec-isakmp

4. match address access-list-id

5. set peer {host-name [dynamic] | ip-address}

6. set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

crypto map map-name seq-num ipsec-isakmp

Example:

Router(config)# crypto map secure_b 10 ipsec-isakmp

Specifies the crypto map entry to create (or modify) and enters crypto map configuration mode.

Step 4 

match address access-list-id

Example:

Router(config-crypto-m)# match address 140

Names an extended access list.

This access list determines which traffic should be protected by IPsec and which traffic should not be protected by IPsec in the context of this crypto map entry.

Step 5 

set peer {host-name [dynamic] | ip-address}

Example:

Router(config-crypto-m)# set peer b.cisco.com dynamic

Specifies a remote IPsec peer.

This is the peer to which IPsec-protected traffic can be forwarded.

dynamic—Allows the host name to be resolved via a DNS lookup just before the router establishes the IPsec tunnel with the remote peer. If this keyword is not specified, the host name will be resolved immediately after the host name is specified.

Repeat for multiple remote peers.

Step 6 

set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]

Example:

Router(config-crypto-m)# set transform-set myset

Specifies which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first).

Troubleshooting Tips

To display crypto map configuration information, use the show crypto map command.

What to Do Next

You need to apply a crypto map set to each interface through which IPsec traffic will flow. Applying the crypto map set to an interface instructs the router to evaluate all the interface's traffic against the crypto map set and to use the specified policy during connection or security association (SA) negotiation on behalf of traffic to be protected by crypto.

Configuration Examples for Real-Time Resolution

This section provides the following configuration example:

Configuring Real-Time Resolution for an IPsec Peer: Example

Configuring Real-Time Resolution for an IPsec Peer: Example

Figure 1 and the following example illustrate how to create a crypto map that configures the host name of a remote IPsec peer to DNS resolved via a DNS lookup right before the Cisco IOS XE software attempts to establish a connection with that peer.

Figure 1 Real-Time Resolution Sample Topology


! Configure the initiating router.
hostname a.cisco.com
ip domain name cisco.com
ip name server 10.0.0.1 
! 
crypto map secure_b 10 ipsec-isakmp
  match address 140
  set peer b.cisco.com dynamic 
  set transform-set xset
interface serial1
  ip address 10.10.0.1
  crypto map secure_b
access-list 140 permit ...
!
! Configure the responding router (the remote IPSec peer).
hostname b.cisco.com
!
crypto map secure_a 10 ipsec-isakmp
  match address 150
  set peer 10.10.0.1
  set transform-set
interface serial0/1
  ip address 10.0.0.1
  crypto map secure_a
access-list 150 ...

! DNS server configuration

b.cisco.com 10.0.0.1       # the address of serial0/1 of b.cisco.com

Additional References

The following sections provide references related to Real-Time Resolution for IPsec Tunnel Peer.

Related Documents

Related Topic
Document Title

Crypto maps

"Configuring Security for VPNs with IPsec" module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity

ISAKMP policies

"Configuring Internet Key Exchange for IPsec VPNs" module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity

IPsec and IKE configuration commands

Cisco IOS Security Command Reference


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Real-Time Resolution for IPsec
Tunnel Peer

Table 1 lists the release history for this feature.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.


Table 1 Feature Information for Real-Time Resolution for IPsec Tunnel Peer

Feature Name
Releases
Feature Information

Real-Time Resolution for IPsec Tunnel Peer

Cisco IOS XE Release 2.1

After a user specifies a host name (instead of an IP address) for remote IP Security (IPsec) peer, this feature allows the host name to be domain name server (DNS) resolved before the router establishes the IPsec tunnel. Thus, the router can immediately discover whether the IP address of the peer has changed.

The following commands were introduced or modified: set peer (IPsec).