Document ID: 113158
Updated: Aug 01, 2011
Introduction
This document provides information on how to configure a VPN gateway device to always act as a responder in an IKE negotiation. The device will respond to any crypto negotiations initiated by its peers.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Router with Cisco IOS® Software Release 12.4(24)T and later
- Cisco Adaptive Security Appliance (ASA) with version 7.0 and later
Related Products
This document can also be used with these hardware and software versions:
- Cisco PIX Firewall with Software version 7.0 and later
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
Any crypto negotiation has two parties, which play the Initiator and Responder roles. The initiator sends crypto proposals to the responder; these proposals contain the parameters for the negotiation, such as the encryption and authentication algorithms, re-keying options, lifetime values and so forth. The responder chooses a matching proposal and a crypto session is established. The role played by an end device can be seen in this command output:
Router#show crypto isakmp sa

1   IKE Peer: XX.XX.XX.XX
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ASA(config)#show crypto isakmp sa detail

   IKE Peer         Type  Dir   Rky  State      Encrypt  Hash  Auth     Lifetime
1  209.165.200.225  User  Resp  No   AM_Active  3des     SHA   preshrd  86400
Benefits of the IKE Responder-Only Mode Feature
Since the advent of virtual private network (VPN) features that allow simultaneous bidirectional IKE negotiations (with or without interesting traffic), issues with the handling and recovery of data from duplicate IKE SAs have occurred. IKE as a protocol has no ability to compare IKE negotiations to determine whether there is already an existing or in-process negotiation between two peers taking place. These duplicate negotiations can be costly in terms of resources and confusing to router administrators. When a device is configured as a responder-only device, it will not initiate IKE main, aggressive, or quick modes (for IKE and IPSec SA establishment), nor will it rekey IKE and IPSec SAs. Therefore, the likelihood of duplicate SAs is reduced.
The other benefit of this feature is to allow controlled support for negotiating connections in one direction only in a load-balancing scenario. It is not recommended that the servers or hubs initiate VPN connections toward the clients or spokes because these devices are all being accessed by a single-facing IP address as advertised via the load balancer. If the hubs were to initiate the connection, they would be doing so using an individual IP address, thus circumventing the benefits of the load balancer. The same is true of rekeying requests that are sourced from the hubs or servers behind the load balancer.
A Router to be configured as a Responder-Only device in a crypto negotiation
Cisco IOS Software Release 12.4(24)T introduces the ability for the router to always respond to the IKE negotiations initiated by its peers. The main limitation is that this feature is configurable only under an IPSec profile and is relevant only to a virtual interface scenario; static and dynamic crypto map scenarios are not supported.
In order to configure your router as responder-only, perform these steps:
Router> enable
Router# configure terminal
Router(config)# crypto ipsec profile <name>
Router(ipsec-profile)# responder-only
An ASA to be configured as a Responder-Only device in a crypto negotiation
In general IPSec LAN-to-LAN connections, the ASA can function as either initiator or responder. In IPSec client-to-LAN connections, the ASA functions only as responder. An ASA can be configured as a responder-only device in LAN-to-LAN VPN connections. However, the restriction is that the device at the other end of the VPN tunnel must be one of these:
- Cisco ASA 5500 series appliance
- Cisco VPN 3000 series Concentrator
- Cisco PIX 500 series firewall that runs 7.0 software and later
In order to configure your ASA as responder-only device, issue this command:
hostname(config)# crypto map mymap 10 set connection-type answer-only
Note: It is recommended to configure a VPN gateway device on which multiple VPN peers terminate as responder-only.
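As an added example (not taken from this Cisco document), the following configuration shows where each command from the two sections above sits in a working setup: on IOS the profile carrying responder-only must be attached to a virtual tunnel interface, and on the ASA answer-only is one line of an ordinary LAN-to-LAN crypto map entry. The profile, interface, ACL and transform-set names, the pre-shared key placeholder and the 10.x/209.165.200.x addresses are assumed values; the ASA ISAKMP policy and tunnel-group are left out.

```cisco
! --- IOS router (12.4(24)T or later): responder-only under an IPSec profile on a VTI ---
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder key; peer address is a documentation address, assumed for this example
crypto isakmp key <PRESHARED-KEY> address 209.165.200.225
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! responder-only is accepted only under an IPSec profile, not under a crypto map
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES
 responder-only
!
! The profile takes effect only once it protects a virtual tunnel interface;
! this router will then wait for 209.165.200.225 to start IKE and will not rekey
interface Tunnel0
 ip address 10.1.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 209.165.200.225
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! --- ASA (7.0 or later): answer-only on a LAN-to-LAN crypto map entry ---
! Assumed local and remote networks; the peer must be an ASA, VPN 3000 or PIX 7.0+
access-list L2L-TRAFFIC extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto ipsec transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto map mymap 10 match address L2L-TRAFFIC
crypto map mymap 10 set peer 209.165.200.226
crypto map mymap 10 set transform-set TS-AES
! The ASA will only answer this peer, never initiate or rekey toward it
crypto map mymap 10 set connection-type answer-only
crypto map mymap interface outside
```

After the remote peer brings the tunnel up, the Role field of show crypto isakmp sa on the router and the Dir column of show crypto isakmp sa detail on the ASA should read responder/Resp for that SA; an entry showing initiator/Init indicates the setting is not in effect for that tunnel.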