Gents,

Let me chime in and add something to the discussion.

Although it would be possible to use certificates with AM, it brings little value in my opinion. In AM everything is sent over with the very first packet, including the Identity Payload. This means the certificate used as ID would be easily accessed by everyone, as this packet is not encrypted. There is no identity protection at all in AM.

The main reason for Cisco not to implement certificates with AM is the potential problem with fragmentation. Note that the first packet contains Proposals, KE material, and Identity, so if we were to use certificates the packet would be way above 1500 bytes. For the same reason developers must NOT include all combinations of proposals - the packet length must be controlled.

Hope it will bring some light to that topic.

Regards,
Piotr

2011/1/7 Bruno <[email protected]>
> Yeah, it wouldn't work as well
>
> My main config was:
>
> crypto isakmp pol 10
> auth rsa-sig
> crypto isakmp profile AM
> initiate mode aggressive
> crypto map CMAP 10 isakmp-profile AM
>
> This results in the IOS jumping from AM to MM. If you change the isakmp
> policy to pre-shared keys, it will work with AM as expected
>
> I wonder if there is any weakness that made Cisco to avoid such behavior
>
> On Thu, Jan 6, 2011 at 10:37 PM, Jerome Dolphin <[email protected]> wrote:
>
>> Woops, no it doesn't help, forget I sent anything :)
>>
>> On Fri, Jan 7, 2011 at 11:35 AM, Jerome Dolphin <[email protected]> wrote:
>>
>>> Does this help?
>>>
>>> http://blog.ine.com/tag/aggressive-mode/
>>>
>>> crypto isakmp profile AGGRESSIVE
>>> initiate mode aggressive
>>> self-identity fqdn
>>> keyring default
>>> !
>>> crypto map VPN isakmp-profile AGGRESSIVE
>>> crypto map VPN 10 ipsec-isakmp
>>>
>>> On Fri, Jan 7, 2011 at 2:42 AM, Bruno <[email protected]> wrote:
>>>
>>>> At least it was what I understood reading it
>>>> Take a look at the 5.1 and 5.2 topics.
>>>>
>>>> 5.1 IKE Phase 1 Authenticated With Signatures
>>>> 5.2 Phase 1 Authenticated With Public Key Encryption
>>>>
>>>> Within each one you'll find how it should behave in MM and AM.
>>>>
>>>> On Thu, Jan 6, 2011 at 1:31 PM, Vybhav Ramachandran <[email protected]> wrote:
>>>>
>>>>> Hello Bruno,
>>>>>
>>>>> I always thought that Digital certificates could only work in Main
>>>>> Mode. I'm yet to go through that RFC though. I'll go through it in a while.
>>>>>
>>>>> Cheers,
>>>>> TacACK
>>>>
>>>> --
>>>> Bruno Fagioli (by Jaunty Jackalope)
>>>> Cisco Security Professional
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
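As an added illustration of the fragmentation point made in Piotr's post (example code written for this page, not from Cisco or any poster), the estimator below sums the payloads of an IKEv1 Aggressive Mode message 1 using the fixed field sizes from RFC 2408 and compares the result with a 1500-byte MTU. The DH public-value sizes follow the MODP group sizes; the 20-byte nonce, the six-attribute transform, the 120-byte DN identity and the 1200-byte certificate are constructed sample values.

```python
"""Estimate the on-the-wire size of an IKEv1 Aggressive Mode message 1.

Fixed sizes come from RFC 2408 (ISAKMP); sample lengths are constructed.
Everything in this message travels unencrypted in one UDP/500 datagram,
so the identity (and any certificate) is readable and a large message fragments.
"""

ISAKMP_HDR = 28          # fixed ISAKMP header (cookies, flags, message id, length)
GEN_HDR = 4              # generic payload header (next payload, reserved, length)
IP_UDP_HDRS = 20 + 8     # IPv4 + UDP headers in front of the ISAKMP message
DH_PUBLIC_LEN = {1: 96, 2: 128, 5: 192, 14: 256}  # MODP group -> public value bytes


def transform_len(n_attrs: int = 6) -> int:
    """Transform payload: header + 4 fixed bytes + Type/Value attributes (4 bytes each)."""
    return GEN_HDR + 4 + 4 * n_attrs


def sa_payload_len(n_transforms: int) -> int:
    """SA payload (DOI + situation) holding one proposal with n transforms, SPI size 0."""
    return GEN_HDR + 8 + (GEN_HDR + 4) + n_transforms * transform_len()


def am_msg1_len(n_transforms: int, dh_group: int, id_len: int,
                cert_len: int = 0, nonce_len: int = 20) -> int:
    """ISAKMP length of AM message 1: HDR, SA, KE, Ni, IDii and optionally CERT."""
    size = ISAKMP_HDR + sa_payload_len(n_transforms)
    size += GEN_HDR + DH_PUBLIC_LEN[dh_group]   # KE: initiator's DH public value
    size += GEN_HDR + nonce_len                 # Ni
    size += GEN_HDR + 4 + id_len                # IDii: type, protocol, port + data
    if cert_len:
        size += GEN_HDR + 1 + cert_len          # CERT: encoding byte + DER certificate
    return size


def wire_size(isakmp_len: int, mtu: int = 1500) -> tuple[int, bool]:
    """Return (IP datagram size, True if it exceeds the MTU and must fragment)."""
    total = IP_UDP_HDRS + isakmp_len
    return total, total > mtu


if __name__ == "__main__":
    # Constructed cases: PSK with an FQDN identity versus RSA-sig with a DN and a
    # typical 2048-bit RSA certificate, and a PSK peer offering 40 transforms.
    psk = am_msg1_len(1, 2, id_len=len(b"vpn.example.test"))
    cert = am_msg1_len(1, 2, id_len=120, cert_len=1200)
    many = am_msg1_len(40, 2, id_len=len(b"vpn.example.test"))
    for name, n in (("psk", psk), ("rsa-sig+cert", cert), ("40 transforms", many)):
        total, frag = wire_size(n)
        print(f"{name:14} isakmp={n:5} ip={total:5} fragments={frag}")
```

With these sample sizes the PSK message stays well under the MTU, while embedding a certificate, or offering several dozen transforms, pushes the single datagram past 1500 bytes.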
