VPN isakmp/ike phase 1 "authentication rsa-encr" problem

sundjerbob3
Level 1

Could you be so kind to help with a problem in the attached file.

Thanks

18 Replies

slmansfield
Level 4

Do you have this statement in your router configurations?  The use of "hostname" requires the IKE negotiation to use host and domain names.  The default is to use IP addresses.  If you don't want your peers to use hostname, just "no" this statement.   HTH

crypto isakmp identity hostname

If you have mixed policies where you have pre-shared-key and RSA VPN clients, you had better use "crypto isakmp identity auto".

Federico.

If I am not mistaken, the "auto" parameter is not supported in the IOS.  It is supported on the ASA.  I think the options for the IOS are IP (default), hostname or domain name.

Correction, the last option is distinguished name of the router certificate for the identity, not domain name.

Thanks a lot for the help so far. I forgot to state the rest of the configuration; kindly see the appropriate attached files.

After initializing a tunnel I got the following:

SPOKE#ping 10.1.6.1 source 10.1.7.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.6.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.7.1
.....
Success rate is 0 percent (0/5)

HUB#show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.5.1        10.1.5.2        MM_SA_SETUP    1       0    ACTIVE

I believe you still have the statement crypto isakmp identity hostname in your configurations.  Did you try removing that statement from both configurations?

Looking closer at your configs, it looks like you may have flipped the "hub" and "spoke" references.  For example, the crypto map on your spoke indicates it is the hub,  but the interesting traffic access-list is called Spoke-ACL and the crypto map refers to Hub-ACL.  You might want to just line up all those references to make sure that all the hub references are on the hub router and the spoke references are on the spoke router.

crypto map Hub_map 10 ipsec-isakmp
 set peer 10.1.5.1
 set transform-set Hub.tset
 set pfs group2
 match address Hub-ACL
!
ip access-list extended Spoke-ACL
 permit ip 10.1.7.0 0.0.0.255 10.1.6.0 0.0.0.255
!

I labbed this up to see if I could determine what was not working.  I used this example on CCO.

http://www.cisco.com/application/pdf/paws/46402/16b.pdf

The main thing is to generate a general public key on each router, then copy that key to the other router for use in the public keychain.  I used this command:

It did not matter which crypto isakmp identity I used.  I tried all three, hostname, IP, and dn, and they all worked when applied to both routers.

Also, FYI, there is an odd error message saying that rsa-encr is not supported with hardware encryption.  Apparently that's a cosmetic error that has no impact.

Attached are the configs to your scenario.

Hello fellows,

thanks a lot for your engagement in this matter. Although, I think this is a very interesting feature that might be very useful in practice. I corrected the configurations (with more intuitive names for crypto maps, GRE ACLs, transform sets, ...). I will try to explain as far as I can:

I read that it is possible to create a labeled (named) RSA key-pair on the router and to use that key-pair for authentication (ISAKMP/IKE Phase 1). Actually, the very useful thing about this is that you can create and use a different key-pair for every single VPN peer (not using the very same key-pair on the Hub site towards all Spoke sites).

Our Example:

Hub(config)#crypto key generate rsa general-keys label Towards_Spoke_key modulus 1024
.......

Hub#sho cry key mypubkey rsa
.........
Key name: Towards_Spoke_key
OMITTED
Key is not exportable.
Key data:
  ............................................
  ............................................
  ............................................
  ............................................
  ............................................  0001
Key name: Towards_Spoke_key.server
  Temporary key
  Usage: Encryption key
  Key is not exportable.
  Key data:
  ................................................
  ................................................
  ................................................
  .................................... 0001

The corresponding configuration will be created at the Spoke side.

Conclusion

----------------

When using the "Towards_Spoke_key" key-pair in the following configuration:

!
crypto key pubkey-chain rsa
 named-key spoke encryption
  address 10.1.5.2
  key-string
   OMITTED

the IPSec tunnel cannot be established by any means! What is more interesting, when creating the un-labeled RSA key-pair (meaning that the router will name it by default, as a juncture), the IPSec tunnel works perfectly!

Thanks in advance.

From what I interpret in the command references, the label parameter is used to specify the name of the certificate server when using PKI.  It looks to me like you have to use the FQDN of the router with encrypted nonces.

Please remember to rate posts that are helpful to you.

After certain corrections I created new configurations (kindly see attached "HUB_new.txt" and "SPOKE_new.txt").

After triggering the tunnel, the following appears:

SPOKE#ping 10.1.3.1 source 10.1.4.1
Sending 5, 100-byte ICMP Echos to 10.1.3.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.4.1
.....
Success rate is 0 percent (0/5)

HUB#show crypto isakmp sa
dst             src             state          conn-id slot status
10.1.1.1        10.1.1.2        MM_SA_SETUP    1       0    ACTIVE

The very same result appears when I use:

HUB/SPOKE(config)#crypto isakmp identity dn

It seems to me there is no resolution of this issue?!

Thanks in advance.

When you generate each public key it has to be retained and copied to the opposite router. Please follow these instructions and let me know if this works for you.  Please generate the keys on the routers, do not use the output in these examples, as the key has to be generated from each router.  Also do not use the label parameter.  The public keys should automatically be given the FQDN of each router.

ON THE HUB ENTER THE FOLLOWING:

hub(config)#crypto key generate rsa
The name for the keys will be: hub.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Generating RSA keys ...
[OK]

hub(config)#^Z
hub#
hub#show crypto key mypubkey rsa
% Key pair was generated at: 00:09:04 UTC Mar 1 1993
Key name: hub.example.com
Usage:    General Purpose Key
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E9007B E5CD7DC8
6E1C0423 92044254 92C972AD 0CCE9796 86797EAA B6C4EFF0 0F0A5378 6AFAE43B
3A2BD92F 98039DAC 08741E82 5D9053C4 D9CFABC1 AB54E0E2 BB020301 0001

COPY THIS KEY DATA FOR HUB TO NOTEPAD

ON SPOKE ENTER THE FOLLOWING:

spoke(config)#crypto key generate rsa
The name for the keys will be: spoke.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
Generating RSA keys ...
[OK]

spoke(config)#^Z


spoke#show crypto key mypubkey rsa
Key name: spoke.example.com
Key usage: general purpose
Key source: manually entered
Key data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DC3DDC 59885F14
1AB30DCB 794AB5C7 82D918DE FC7ADB76 B0B9DD1A ABAF4884 009E758C 4064C699
3BC9D17E C47581DC 50220CB9 31E267F8 0259C640 F8DE4169 1F020301 0001

COPY THIS KEY DATA FOR SPOKE TO NOTEPAD SEPARATE FROM HUB KEY DATA

spoke(config)#crypto key pubkey-chain rsa
spoke(config-pubkey-chain)#named-key hub.example.com
spoke(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

...

CUT AND PASTE THE HUB KEY DATA HERE, PRESS ENTER
TYPE quit AND PRESS ENTER

spoke#show crypto key pubkey-chain rsa
Key name: hub.example.com
Key usage: general purpose
Key source: manually entered
Key data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E9007B E5CD7DC8
6E1C0423 92044254 92C972AD 0CCE9796 86797EAA B6C4EFF0 0F0A5378 6AFAE43B
3A2BD92F 98039DAC 08741E82 5D9053C4 D9CFABC1 AB54E0E2 BB020301 0001

GO BACK TO HUB CONSOLE AND ENTER THE FOLLOWING:

hub(config)#crypto key pubkey-chain rsa
hub(config-pubkey-chain)#named-key spoke.example.com
hub(config-pubkey-key)#key-string
Enter a public key as a hexidecimal number ....

CUT AND PASTE THE SPOKE KEY DATA HERE, PRESS ENTER
TYPE quit AND PRESS ENTER

hub#show crypto key pubkey-chain rsa
Key name: spoke.example.com
Key usage: general purpose
Key source: manually entered
Key data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DC3DDC 59885F14
1AB30DCB 794AB5C7 82D918DE FC7ADB76 B0B9DD1A ABAF4884 009E758C 4064C699
3BC9D17E C47581DC 50220CB9 31E267F8 0259C640 F8DE4169 1F020301 0001
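As an added example (not from this thread and not a Cisco tool), the following Python decodes the hex "Key data" that "show crypto key mypubkey rsa" and "show crypto key pubkey-chain rsa" print, so you can confirm offline that the entry in one router's pubkey-chain is byte-for-byte the other router's key and not, say, the router's own key pasted by mistake. The hub and spoke key data come from the example output in the post above; the DER walker, the function names and the diagnosis labels are mine.

```python
import hashlib

# Key data exactly as shown in the thread's example output above
# (these are the example 512-bit keys, not keys constructed here).
HUB_KEY_DATA = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E9007B E5CD7DC8
6E1C0423 92044254 92C972AD 0CCE9796 86797EAA B6C4EFF0 0F0A5378 6AFAE43B
3A2BD92F 98039DAC 08741E82 5D9053C4 D9CFABC1 AB54E0E2 BB020301 0001
"""
SPOKE_KEY_DATA = """
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DC3DDC 59885F14
1AB30DCB 794AB5C7 82D918DE FC7ADB76 B0B9DD1A ABAF4884 009E758C 4064C699
3BC9D17E C47581DC 50220CB9 31E267F8 0259C640 F8DE4169 1F020301 0001
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos).
    Handles short and long length forms, which is all SubjectPublicKeyInfo needs."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ios_rsa_key(key_data):
    """Decode IOS 'Key data' hex (DER SubjectPublicKeyInfo) into modulus size,
    public exponent and a SHA-256 fingerprint of the DER bytes."""
    der = bytes.fromhex("".join(key_data.split()))
    tag, spki, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key data is not one DER SEQUENCE (truncated or extra hex pasted?)")
    tag, algid, pos = _read_tlv(spki, 0)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _read_tlv(algid, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    tag, rsapub, _ = _read_tlv(bitstr[1:], 0)   # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey")
    n_tag, n_bytes, pos = _read_tlv(rsapub, 0)
    e_tag, e_bytes, _ = _read_tlv(rsapub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "fingerprint": hashlib.sha256(der).hexdigest(),
    }


def diagnose_chain_entry(local_mypubkey, local_chain_entry, peer_mypubkey):
    """Classify what a router's pubkey-chain entry actually holds (labels are mine):
    'ok'       - the entry is the peer's key, as it should be
    'own-key'  - the router's own key was pasted into its pubkey-chain
    'unknown'  - neither key (typo, truncation, or a third device's key)"""
    entry_fp = parse_ios_rsa_key(local_chain_entry)["fingerprint"]
    if entry_fp == parse_ios_rsa_key(peer_mypubkey)["fingerprint"]:
        return "ok"
    if entry_fp == parse_ios_rsa_key(local_mypubkey)["fingerprint"]:
        return "own-key"
    return "unknown"


if __name__ == "__main__":
    for name, data in (("hub", HUB_KEY_DATA), ("spoke", SPOKE_KEY_DATA)):
        info = parse_ios_rsa_key(data)
        print(f"{name}: {info['modulus_bits']}-bit RSA, e={info['exponent']}, "
              f"sha256={info['fingerprint'][:16]}...")
    # Spoke's pubkey-chain should hold the hub key; hub's should hold the spoke key.
    print("spoke chain entry:", diagnose_chain_entry(SPOKE_KEY_DATA, HUB_KEY_DATA, HUB_KEY_DATA))
    print("hub chain entry (mispasted):", diagnose_chain_entry(HUB_KEY_DATA, HUB_KEY_DATA, SPOKE_KEY_DATA))
```

Paste each router's "Key data" block as-is (whitespace and line breaks are ignored); a truncated paste fails the outer-length check rather than silently producing a wrong fingerprint. Comparing fingerprints of the DER bytes is stricter than eyeballing the first and last hex groups, which are identical for every 512-bit rsaEncryption key.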

Hello, your advice works perfectly. Actually, I asked whether there is any chance that "labeled" RSA key-pairs could be configured. Just to emphasize, the point of configuring labeled RSA key-pairs is that on a central (Hub) location we could configure different keys for every single IPSec peer (in that case we could change the configuration on the Hub location for a certain IPSec peer without affecting other peers; not to mention that from a security perspective it is more reliable to have a unique key for every IPSec peer).

Regards

I understand what you would like to do.  Based on my research, the exchange of encrypted nonces does not provide the option to label the keys.  As mentioned in my prior post, the label parameter is meant for use with PKI.

IMHO, if you plan to use encrypted nonces with more than two devices, it will be easier to have only one key per device to manage. I felt it was enough of a challenge to make sure I had the right key on the right router when I had only two routers to worry about! 

Please consider that your question has been answered and please rate the response.

Thanks 
