I've had this issue before. I made this work in 2 ways:
1 - also add "crypto isakmp key CISCO address 136.1.122.2", or
2 - add a local host entry on the router mapping the hostname XXXX to 136.1.122.2
If this is correct, I don't know, and I never had anyone explain to me why.

On Fri, Oct 8, 2010 at 12:20 PM, karim jamali <[email protected]> wrote:
> Dear Experts,
>
> I am trying to run IKE Phase I in Aggressive mode using ISAKMP Profiles,
> however I am not able to get why it doesn't work. When running the debugs I
> see that it can't run AGGRESSIVE mode and it can't find a PSK or cert
> despite the fact that it exists. I would appreciate any input.
>
> crypto isakmp key CISCO hostname XXXX <http://rack1r2.ine.com/>
>
> crypto isakmp profile AGGRESSIVE
> ! This profile is incomplete (no match identity statement)
>  keyring default
>  self-identity fqdn
>  initiate mode aggressive
> !
>
> crypto ipsec transform-set R1R2 esp-3des esp-md5-hmac
> !
> crypto map R1R2 isakmp-profile AGGRESSIVE
> crypto map R1R2 10 ipsec-isakmp
>  set peer 136.1.122.2
>  set transform-set R1R2
>  match address LO12
>
>
> interface FastEthernet0/0
>  ip address 136.1.121.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map R1R2
>
>
> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
> Oct 8 04:54:52.071: ISAKMP:(0): SA request profile is AGGRESSIVE
> Oct 8 04:54:52.071: ISAKMP: Created a peer struct for 136.1.122.2, peer port 500
> Oct 8 04:54:52.071: ISAKMP: New peer created peer = 0x83D50508 peer_handle = 0x80000010
> Oct 8 04:54:52.075: ISAKMP: Locking peer struct 0x83D50508, refcount 1 for isakmp_initiator
> Oct 8 04:54:52.075: ISAKMP: local port 500, remote port 500
> Oct 8 04:54:52.075: ISAKMP: set new node 0 to QM_IDLE
> Oct 8 04:54:52.075: insert sa successfully sa = 83DE56A8
> Oct 8 04:54:52.075: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> Oct 8 04:54:52.079: ISAKMP:(0): No Cert or pre-shared address key.
> Oct 8 04:54:52.079: ISAKMP:(0): construct_initial_message: Can not start Main mode
> Oct 8 04:54:52.079: ISAKMP: Unlocking peer struct 0x83D50508 for isadb_unlock_peer_delete_sa(), count 0
> Oct 8 04:54:52.079: ISAKMP: Deleting peer node by peer_reap for 136.1.122.2: 83D50508
> Oct 8 04:54:52.079: ISAKMP:(0):purging SA., sa=83DE56A8, delme=83DE56A8
> Oct 8 04:54:52.079: ISAKMP:(0):purging node -1397275558
> Oct 8 04:54:52.083: ISAKMP: Error while processing SA request: Failed to initialize SA
> Oct 8 04:54:52.083: ISAKMP: Error while processing KMI message 0, error 2.
> Oct 8 04:54:52.083: IPSEC(key_engine): got a queue event with 1 KMI message(s)
>
> Thanks
>
> Best Regards
>
> --
> KJ
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
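A configuration check built on the two workarounds reported in the reply above, as an added example that is not part of the original thread: it lists each `set peer` address that has neither an address-based pre-shared key nor a hostname-based key whose hostname is mapped to that address with `ip host`. The function name and the line-based matching are assumptions of this example, and only global `crypto isakmp key` lines (the default keyring) are considered.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration quoted in the thread.
THREAD_CONFIG = """\
crypto isakmp key CISCO hostname XXXX
crypto isakmp profile AGGRESSIVE
 keyring default
 self-identity fqdn
 initiate mode aggressive
crypto map R1R2 isakmp-profile AGGRESSIVE
crypto map R1R2 10 ipsec-isakmp
 set peer 136.1.122.2
"""

ADDR_KEY = re.compile(r"^crypto isakmp key .+? address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?")
HOST_KEY = re.compile(r"^crypto isakmp key .+? hostname (\S+)")
IP_HOST = re.compile(r"^ip host (\S+) (.+)$")
SET_PEER = re.compile(r"^set peer (\d+\.\d+\.\d+\.\d+)")


def peers_without_usable_psk(config):
    """Return peer IPs that no pre-shared key can be looked up for by address."""
    nets, key_hosts, host_map, peers = [], set(), {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ADDR_KEY.match(line):
            # An address key without a mask applies to that single host.
            mask = m.group(2) or "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{mask}", strict=False))
        elif m := HOST_KEY.match(line):
            key_hosts.add(m.group(1).lower())
        elif m := IP_HOST.match(line):
            host_map.setdefault(m.group(1).lower(), set()).update(m.group(2).split())
        elif m := SET_PEER.match(line):
            peers.append(m.group(1))
    missing = []
    for peer in peers:
        by_address = any(ipaddress.ip_address(peer) in net for net in nets)
        by_hostname = any(peer in host_map.get(h, ()) for h in key_hosts)
        if not (by_address or by_hostname):
            missing.append(peer)
    return missing


if __name__ == "__main__":
    print(peers_without_usable_psk(THREAD_CONFIG))
```
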
