VPN Gateway Device Configured as Responder in Crypto Negotiation
Document ID: 113158

Contents
Introduction
Prerequisites
Requirements
Components Used
Related Products
Conventions
Background Information
Benefits of the IKE Responder-Only Mode Feature
A Router to be configured as a Responder-Only device in a crypto negotiation
An ASA to be configured as a Responder-Only device in a crypto negotiation
Related Information
Introduction
This document provides information on how to configure a VPN gateway device to always act as a responder
in an IKE negotiation. The device will respond to any crypto negotiations initiated by its peers.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
• Cisco Router with Cisco IOS® Software Release 12.4(24)T and later
• Cisco Adaptive Security Appliance (ASA) with version 7.0 and later
Related Products
This document can also be used with these hardware and software versions:
• Cisco PIX Firewall with Software version 7.0 and later
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
Any crypto negotiation has two parties, which play the Initiator and Responder roles. The initiator sends crypto
proposals to the responder; these proposals contain the parameters of the negotiation, such as the encryption and
authentication algorithms, re-keying options and lifetime values. The responder chooses an acceptable proposal
and the crypto session is established. The role played by an end device can be viewed in this command output:
Router#show crypto isakmp sa

1   IKE Peer: XX.XX.XX.XX
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ASA(config)#show crypto isakmp sa detail

   IKE Peer           Type  Dir   Rky  State      Encrypt  Hash  Auth
1  209.165.200.225    User  Resp  No   AM_Active  3des     SHA
Benefits of the IKE Responder-Only Mode Feature
Since the advent of virtual private network (VPN) features that allow simultaneous bidirectional IKE
negotiations (with or without interesting traffic), issues with the handling and recovery of data from duplicate
IKE SAs have occurred. IKE as a protocol has no ability to compare IKE negotiations to determine whether
an existing or in-process negotiation between two peers is already taking place. These duplicate
negotiations can be costly in terms of resources and confusing to router administrators. When a device is
configured as a responder-only device, it does not initiate IKE main, aggressive, or quick modes (for IKE and
IPSec SA establishment), nor does it rekey IKE and IPSec SAs. Therefore, the likelihood of duplicate SAs is
reduced.
The other benefit of this feature is to allow controlled support for negotiating connections in one direction
only in a load-balancing scenario. It is not recommended that the servers or hubs initiate VPN connections
toward the clients or spokes, because these devices are all accessed through the single-facing IP address
advertised by the load balancer. If the hubs were to initiate the connection, they would do so from an
individual IP address, thus circumventing the benefits of the load balancer. The same is true of rekeying
requests that are sourced from the hubs or servers behind the load balancer.
A Router to be configured as a Responder-Only device in a crypto negotiation
Cisco IOS Software Release 12.4(24)T introduces the ability of the router to always respond to the IKE
negotiations initiated by its peers. The main limitation is that this feature is configurable only under an IPSec
profile and is relevant only to a virtual interface scenario. Static and dynamic crypto map scenarios are not
supported.
In order to configure your router as responder-only, perform these steps:
enable
configure terminal
crypto ipsec profile <name>
responder-only
An ASA to be configured as a Responder-Only device in a crypto negotiation
In IPSec LAN-to-LAN connections in general, the ASA can function as initiator or responder. In IPSec
client-to-LAN connections, the ASA functions only as responder. An ASA can be configured as a
responder-only device in LAN-to-LAN VPN connections. However, the restriction is that the device at the
other end of the VPN tunnel must be one of these:
• Cisco ASA 5500 series appliance
• Cisco VPN 3000 series Concentrator
• Cisco PIX 500 series firewall that runs 7.0 software and later
In order to configure your ASA as a responder-only device, issue this command:
hostname(config)# crypto map mymap 10 set connection-type answer-only
Note: It is suggested to configure a VPN gateway device as responder-only where multiple VPN peers
terminate.
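As an added example (not part of the Cisco document), the Python below parses the two command-output formats shown in the Background Information section and lists the peers for which the local device took the initiator side; on a gateway configured with responder-only (IOS) or answer-only (ASA), that list should be empty. The sample output, peer addresses and the "preshrd" Auth value are constructed for the example.

```python
import re

# Constructed sample output (not captured from a real device) in the block style
# the page shows for "show crypto isakmp sa": one block per SA.
SAMPLE_ISAKMP_SA = """\
1   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 192.0.2.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample in the tabular style of "show crypto isakmp sa detail".
SAMPLE_ISAKMP_SA_DETAIL = """\
   IKE Peer           Type  Dir   Rky  State      Encrypt  Hash  Auth
1  209.165.200.225    User  Resp  No   AM_Active  3des     SHA   preshrd
2  209.165.200.226    L2L   Init  No   MM_Active  3des     SHA   preshrd
"""

# Column names in the detail output mapped to the keys used by both parsers.
DETAIL_KEYS = {"IKE Peer": "peer", "Dir": "role", "Rky": "rekey"}


def parse_isakmp_sa(text):
    """Parse block-style output into dicts with peer/type/rekey/role/state."""
    sas, current = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:                               # a new SA block starts here
            current = {"peer": m.group(1)}
            sas.append(current)
        elif current is not None:           # "Key : value" pairs, two per line
            for key, val in re.findall(r"(Type|Rekey|Role|State)\s*:\s*(\S+)", line):
                current[key.lower()] = val
    return sas


def parse_isakmp_sa_detail(text):
    """Parse tabular detail output; the 'Dir' column becomes the 'role' key."""
    lines = [l for l in text.splitlines() if l.strip()]
    columns = ["IKE Peer"] + lines[0].split()[2:]   # "IKE Peer" is one two-word column
    return [{DETAIL_KEYS.get(c, c.lower()): v for c, v in zip(columns, line.split()[1:])}
            for line in lines[1:]]                  # [1:] drops the leading SA index


def initiated_sas(sas):
    """Peers for which this device was the initiator ("initiator" / "Init").
    Non-empty on a responder-only gateway means the feature is not in effect."""
    return [sa["peer"] for sa in sas if sa.get("role", "").lower().startswith("init")]
```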
Related Information
• Configuring a Router-to-Router LAN-to-LAN Tunnel with a Router Initiating IKE Aggressive Mode
• Cisco ASA Configuration Examples and TechNotes
• Technical Support & Documentation - Cisco Systems
© 2014-2015 Cisco Systems, Inc. All rights reserved.
Updated: Aug 01, 2011