Coincidentally, I am running 12.4(15)T, lol. Thanks man.

On Tue, Mar 20, 2012 at 4:54 PM, Piotr Matusiak <[email protected]> wrote:
> It can be done. It works on 12.4(24)T and above. It does not work on
> 12.4(15)T.
>
> Regards,
> Piotr
>
>
> 2012/3/20 Joe Astorino <[email protected]>
>>
>> It appears that once again, I am trying to do something that is
>> impossible with respect to the beloved IOS : ) Thanks Petr, now I
>> know! It seems that while the rfc does allow for digital certificate
>> authentication with AM, IOS does not allow this feature.
>>
>>
>> http://www.mail-archive.com/[email protected]/msg07563.html
>>
>> On Tue, Mar 20, 2012 at 1:39 PM, Joe Astorino <[email protected]>
>> wrote:
>> > I am pretty sure this is possible to do, but I can't get it working.
>> > The negotiation and tunnel works fine, but it always happens using
>> > main mode by default. I have tried both of the following:
>> >
>> > - Using ISAKMP Profiles to set aggressive mode
>> >
>> > crypto isakmp profile IKE-AGGRESIVE
>> >  ca trust-point IOS-CA
>> >  initiate mode aggressive
>> > !
>> > crypto map OUTSIDE-STATIC 10 ipsec-isakmp
>> >  set isakmp-profile IKE-AGGRESIVE
>> > !
>> > int fa0/0
>> >  crypto map OUTSIDE-STATIC
>> >
>> >
>> > Using the "crypto isakmp peer" command set as follows
>> >
>> > crypto isakmp peer address 136.1.122.2
>> >  set aggressive-mode client-endpoint ipv4-address 136.1.122.2
>> >
>> >
>> > No matter what I do in the debug I always see that "Unable to start
>> > aggressive mode, trying main mode." then it proceeds to negotiate MM
>> > fine. Any ideas on the proper configuration for this?
>> >
>> > --
>> > Regards,
>> >
>> > Joe Astorino
>> > CCIE #24347
>> > http://astorinonetworks.com
>> >
>> > "He not busy being born is busy dying" - Dylan
>>
>> --
>> Regards,
>>
>> Joe Astorino
>> CCIE #24347
>> http://astorinonetworks.com
>>
>> "He not busy being born is busy dying" - Dylan
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
