Yeah, it wouldn't work as well. My main config was:

crypto isakmp pol 10
 auth rsa-sig
crypto isakmp profile AM
 initiate mode aggressive
crypto map CMAP 10 isakmp-profile AM

This results in the IOS jumping from AM to MM. If you change the isakmp policy to pre-shared keys, it will work with AM as expected.

I wonder if there is any weakness that made Cisco avoid such behavior.

On Thu, Jan 6, 2011 at 10:37 PM, Jerome Dolphin <[email protected]> wrote:

> Whoops, no it doesn't help, forget I sent anything :)
>
>
> On Fri, Jan 7, 2011 at 11:35 AM, Jerome Dolphin <[email protected]> wrote:
>
>> Does this help?
>>
>> http://blog.ine.com/tag/aggressive-mode/
>>
>> crypto isakmp profile AGGRESSIVE
>>  initiate mode aggressive
>>  self-identity fqdn
>>  keyring default
>> !
>> crypto map VPN isakmp-profile AGGRESSIVE
>> crypto map VPN 10 ipsec-isakmp
>>
>>
>> On Fri, Jan 7, 2011 at 2:42 AM, Bruno <[email protected]> wrote:
>>
>>> At least it was what I understood reading it.
>>> Take a look at the 5.1 and 5.2 topics.
>>>
>>> 5.1 IKE Phase 1 Authenticated With Signatures
>>> 5.2 Phase 1 Authenticated With Public Key Encryption
>>>
>>> Within each one you'll find how it should behave in MM and AM.
>>>
>>>
>>> On Thu, Jan 6, 2011 at 1:31 PM, Vybhav Ramachandran
>>> <[email protected]> wrote:
>>>
>>>> Hello Bruno,
>>>>
>>>> I always thought that Digital certificates could only work in Main Mode.
>>>> I'm yet to go through that RFC though. I'll go through it in a while.
>>>>
>>>> Cheers,
>>>> TacACK
>>>>
>>>
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>
>

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
