It appears that once again, I am trying to do something that is impossible with respect to the beloved IOS :) Thanks Petr, now I know! It seems that while the RFC does allow for digital certificate authentication with AM, IOS does not allow this feature.

http://www.mail-archive.com/[email protected]/msg07563.html

On Tue, Mar 20, 2012 at 1:39 PM, Joe Astorino <[email protected]> wrote:
> I am pretty sure this is possible to do, but I can't get it working.
> The negotiation and tunnel works fine, but it always happens using
> main mode by default. I have tried both of the following:
>
> - Using ISAKMP Profiles to set aggressive mode
>
> crypto isakmp profile IKE-AGGRESIVE
> ca trust-point IOS-CA
> initiate mode aggressive
> !
> crypto map OUTSIDE-STATIC 10 ipsec-isakmp
> set isakmp-profile IKE-AGGRESIVE
> !
> int fa0/0
> crypto map OUTSIDE-STATIC
>
>
> Using the "crypto isakmp peer" command set as follows
>
> crypto isakmp peer address 136.1.122.2
> set aggressive-mode client-endpoint ipv4-address 136.1.122.2
>
>
> No matter what I do in the debug I always see that "Unable to start
> aggressive mode, trying main mode." then it proceeds to negotiate MM
> fine. Any ideas on the proper configuration for this?
>
> --
> Regards,
>
> Joe Astorino
> CCIE #24347
> http://astorinonetworks.com
>
> "He not busy being born is busy dying" - Dylan

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
