Hi Kings,

Can you share your config, because I'm pretty sure it does not work without 'ip host' mapping. Even though it should work this way, I believe the reason it does not work is that it helps when you have dynamic IPs. With that you may configure DynDNS and dynamically resolve peer's IP address.

Notice that, without 'ip host' mapping, the Aggressive Mode does not start at all. It tries MM and then fails because MM must be able to find PSK in the config via IP address (even if 'hostname' is an identity).

Regards,
Piotr

2011/9/22 Kingsley Charles <[email protected]>

> Hi Piotr
>
> After a couple of reloads and re-configuration, it works for me now. I did
> try adding ip host earlier but it didn't work.
>
> Till today, I thought ip host was necessary. But I see it working without
> ip host command.
>
> In Main mode with PSK, we need the IP address for the pre-shared key. But
> for Aggressive mode, do we need IP address for the pre-shared key?
>
> In aggressive, the initiator is going to send hostname as the IKE ID. The
> remote peer has the pre-shared configured for that hostname. When it replies
> back, the initiator is going to find the pre-shared key with the
> IKE ID. In Aggressive mode, is the pre-shared key used for keying material
> as done for Main mode?
>
> Please let me know your thoughts?
>
> With regards
> Kings
>
> On Thu, Sep 22, 2011 at 9:58 PM, Piotr Matusiak <[email protected]> wrote:
>
>> Hi Kings,
>>
>> what about
>>
>> ip host router3.king.com 10.20.30.40
>>
>> ??
>>
>> Regards,
>> Piotr
>>
>> 2011/9/22 Kingsley Charles <[email protected]>
>>
>>> Hi all
>>>
>>> Is it an issue in IOS or a silly mistake from my side? The following
>>> configuration doesn't work for me.
>>>
>>> crypto isakmp key cisco hostname router3.king.com
>>> crypto isakmp profile prof
>>>  keyring default
>>>  self-identity fqdn
>>>  match identity host router3.king.com
>>>  initiate mode aggressive
>>> !
>>> crypto ipsec transform-set tran esp-3des esp-sha-hmac
>>> !
>>> crypto map cisco 1 ipsec-isakmp
>>>  set peer 10.20.30.40
>>>  set transform-set tran
>>>  set isakmp-profile prof
>>>  match address 123
>>>  reverse-route static
>>>
>>> With regards
>>> Kings
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
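Added example, not part of the thread and not IOS code: a small Python model of the RFC 2409 rule the thread turns on. In Main Mode with a pre-shared key the key has to be chosen before the peer's identity can be read, while Aggressive Mode carries the identity unencrypted. The keyring dictionaries, the nonces and the use_ip_host fallback are constructed assumptions based on the configuration quoted above.

```python
import hashlib
import hmac

# Constructed keyring mirroring the thread: one PSK keyed by hostname, none by address.
KEYS_BY_HOSTNAME = {"router3.king.com": b"cisco"}
KEYS_BY_ADDRESS = {}
# Static name mapping, as in 'ip host router3.king.com 10.20.30.40'.
IP_HOST = {"router3.king.com": "10.20.30.40"}


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409: SKEYID = prf(pre-shared-key, Ni_b | Nr_b); HMAC-SHA1 is the prf here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def visible_identifiers(mode: str, peer_ip: str, peer_id: str) -> dict:
    """What a peer knows about the other side when it has to compute SKEYID."""
    if mode == "main":
        # ID payloads travel in messages 5 and 6, encrypted under keys derived
        # from SKEYID, so only the peer's address is known at this point.
        return {"ip": peer_ip, "id": None}
    if mode == "aggressive":
        # ID payloads travel unencrypted in messages 1 and 2.
        return {"ip": peer_ip, "id": peer_id}
    raise ValueError(f"unknown mode: {mode}")


def find_psk(mode, peer_ip, peer_id, use_ip_host=False):
    """Select a PSK using only the identifiers visible in the given mode."""
    seen = visible_identifiers(mode, peer_ip, peer_id)
    if seen["ip"] in KEYS_BY_ADDRESS:
        return KEYS_BY_ADDRESS[seen["ip"]]
    if seen["id"] in KEYS_BY_HOSTNAME:
        return KEYS_BY_HOSTNAME[seen["id"]]
    if use_ip_host:
        # Assumed fallback: a hostname key applies to the address its name maps to.
        for name, addr in IP_HOST.items():
            if addr == seen["ip"] and name in KEYS_BY_HOSTNAME:
                return KEYS_BY_HOSTNAME[name]
    return None


def negotiate(mode, use_ip_host=False):
    """Return SKEYID as hex, or None when no PSK can be selected."""
    psk = find_psk(mode, "10.20.30.40", "router3.king.com", use_ip_host)
    if psk is None:
        return None
    return skeyid(psk, b"\x01" * 16, b"\x02" * 16).hex()  # constructed nonces
```

In this model negotiate("main") finds no key, negotiate("main", use_ip_host=True) and negotiate("aggressive") both succeed, and the two return the same SKEYID because the pre-shared key feeds the same formula in both modes.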
