I've had this issue before. I made this works in 2 ways
1 - add also "crypto isakmp key CISCO address 136.1.122.2
or
2 - add a local host entry on the router mapping the hostname XXXX to
136.1.122.2

If this is correct, I don't know and never had anyone to explain me why

On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]>wrote:

> Dear Experts,
>
> I am trying to run IKE Phase I in Aggressive mode using ISAKMP Profiles,
> however I am not able to get why it doesn't work when running the debugs I
> see that it can't run AGGRESSIVE mode and it can't find a PSK or cert
> despite the fact that it exists. I would appreciate any input.
>
> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>
> crypto isakmp profile AGGRESSIVE
> ! This profile is incomplete (no match identity statement)
>    keyring default
>    self-identity fqdn
>    initiate mode aggressive
> !
>
> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
> !
> crypto map R1R2 isakmp-profile AGGRESSIVE
> crypto map R1R2 10 ipsec-isakmp
>  set peer 136.1.122.2
>  set transform-set R1R2
>  match address LO12
>
>
> interface FastEthernet0/0
>  ip address 136.1.121.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map R1R2
>
>
>     spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
> Oct  8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
> Oct  8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer
> port 500
> Oct  8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle
> = 0x80000010
> Oct  8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for
> isakmp_initiator
> Oct  8 04:54:52.075: ISAKMP: local port 500, remote port 500
> Oct  8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
> Oct  8 04:54:52.075: insert sa successfully sa = 83DE56A8
> Oct  8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main
> mode.
> Oct  8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
> Oct  8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start
> Main mode
> Oct  8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for
> isadb_unlock_peer_delete_sa(), count 0
> Oct  8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for
> 136.1.122.2: 83D50508
> Oct  8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
> Oct  8 04:54:52.079: ISAKMP:(0):purging node -1397275558
> Oct  8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to
> initialize SA
> Oct  8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
> Oct  8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI
> message(s)
>
> Thanks
>
> Best Regards
>
> --
> KJ
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>


-- 
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Reply via email to