Hi Karthik,

What's flying on the console when you debug crypto isakmp? Look specifically at the first packet exchange. Secondly, I don't think you can use certificate-based authentication with aggressive mode.

Eugene

Sent from iPhone

On Jun 8, 2012, at 6:06 AM, "Karthik sagar" <[email protected]> wrote:

Hi All,

I am trying to build an l2l-vpn with aggressive mode. Here is the config on my two VPN endpoints. Rack1R1 is the initiator. Based on my isakmp policies' priority, I was expecting policy-1 (with rsa-sig) to be selected. However, for some reason it selects PSK instead. Now, if I remove the 'crypto isakmp key cisco address 136.1.122.2' command on the initiator, RSA-AUTH is selected.

What's happening here? Is this expected? Or am I making a mistake somewhere else?

Rack1R1#show run | sec isakmp
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 136.1.122.2
crypto isakmp nat keepalive 10
crypto isakmp profile ISAKMPprofile1
crypto map CMMAP isakmp-profile ISAKMPprofile1
 self-identity fqdn
 keyring default
crypto map CMMAP 10 ipsec-isakmp
 set peer 136.1.122.2
 set transform-set TS1
 match address ACLcrypto12

Rack1R2#show run | sec isakmp
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp nat keepalive 10
crypto isakmp key cisco hostname Rack1R1.cisco.com
crypto map CMMAP 10 ipsec-isakmp dynamic CMDYN

Thanks for your help,
Karthik

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
