During the initial step of the connection attempt, the IKE phase 1 process is initiated. There are two separate manners in which authentication can be performed when initiating IKE phase 1:
■ Use of a preshared key for authentication—The VPN Client initiates aggressive mode. Each peer is aware of the key of the other peer. Preshared keys are visible in the running-config of the router or VPN device on which they reside. With this in mind, an optional encrypted preshared key option is available. An accompanying group must be entered in the configuration of the VPN Client. This group name is used to identify the group profile associated with the VPN Client.
■ Use of a digital certificate for authentication—The VPN Client initiates main mode. Digital certificates use Rivest, Shamir, and Adelman (RSA) signatures on Easy VPN Remote devices. This support is provided by an RSA certificate stored in a central repository or on the remote device itself. With digital certificates, an organizational unit of a distinguished name is used to identify the group profile to be used. Cisco recommends a timeout of 40 seconds when using digital certificates with Easy VPN.
When using aggressive mode for connections, the identity of the Cisco IOS VPN device should be changed using the crypto isakmp identity hostname command. Changing the name will have no effect on the certificate authentication via IKE main mode. The crypto isakmp identity command allows the use of an address or a hostname. To set an address, use the following:
BM2821(config)#crypto isakmp identity address
BM2821(config)#crypto isakmp key sharedkeystring address 192.168.1.33
This effectively sets the ISAKMP identity to the specified IP address. To change it to use a hostname instead, use the following:
BM2821(config)#crypto isakmp identity hostname
BM2821(config)#crypto isakmp key sharedkeystring hostname RemoteRouter.example.com BM2821(config)#ip host RemoteRouter.example.com 192.168.1.33
The two configurations essentially have identical results.
Was this article helpful?