First, where do you have aggressive mode configured?
Second, you use the default keyring, which points to the PSK by default.
Regards,
Piotr
From: Karthik sagar
Sent: Friday, June 08, 2012 1:51 PM
To: ccie security
Subject: [OSL | CCIE_Security] VPN - isakmp policy selection.
Hi All,
I am trying to build an L2L VPN with aggressive mode. Here is the config on my
two VPN endpoints. Rack1R1 is the initiator. Based on my ISAKMP policy
priorities, I was expecting policy 1 (with rsa-sig) to be selected. However, for
some reason it selects PSK instead. Now, if I remove the 'crypto isakmp key cisco
address 136.1.122.2' command on the initiator, RSA-AUTH is selected. What's
happening here? Is this expected? Or am I making a mistake somewhere else?
Rack1R1#show run | sec isakmp
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 136.1.122.2
crypto isakmp nat keepalive 10
crypto isakmp profile ISAKMPprofile1
   self-identity fqdn
   keyring default
crypto map CMMAP isakmp-profile ISAKMPprofile1
crypto map CMMAP 10 ipsec-isakmp
 set peer 136.1.122.2
 set transform-set TS1
 match address ACLcrypto12
Rack1R2#show run | sec isakmp
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp nat keepalive 10
crypto isakmp key cisco hostname Rack1R1.cisco.com
crypto map CMMAP 10 ipsec-isakmp dynamic CMDYN
Thanks for your help,
Karthik
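The point Piotr is making is easier to see once the IOS defaults that `show run` hides are written out: policy 1 carries no `authentication` line, so it is `rsa-sig` by default, while the global `crypto isakmp key` for 136.1.122.2 lives in the implicit keyring `default` that ISAKMPprofile1 binds. The script below is an added example, not part of the thread and not Cisco code: it parses the posted `show run | sec isakmp` output for Rack1R1 (embedded here as constructed input), fills in the IOS phase-1 defaults (des, sha, rsa-sig, group 1, lifetime 86400), and reports which authentication methods are actually usable toward the peer. It assumes IOS-style indentation of sub-commands and only handles global `crypto isakmp key` entries (not `crypto keyring` blocks, which the post does not use); the aggressive-mode check is a plain keyword search, and the deprecated-algorithm list is this example's own audit rule.

```python
from dataclasses import dataclass, field

# IOS ISAKMP policy defaults; `show run` omits settings left at their default.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
# Phase-1 algorithm choices a current audit would flag (this example's own rule).
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

# Constructed input: Rack1R1's `show run | sec isakmp` as posted in the thread.
RACK1R1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 136.1.122.2
crypto isakmp nat keepalive 10
crypto isakmp profile ISAKMPprofile1
   self-identity fqdn
   keyring default
crypto map CMMAP isakmp-profile ISAKMPprofile1
crypto map CMMAP 10 ipsec-isakmp
 set peer 136.1.122.2
 set transform-set TS1
 match address ACLcrypto12
"""


@dataclass
class IsakmpConfig:
    policies: dict = field(default_factory=dict)   # priority -> {setting: value}
    psk_peers: dict = field(default_factory=dict)  # peer address/hostname -> keyring
    profiles: dict = field(default_factory=dict)   # profile name -> keyring name
    aggressive_mode: bool = False                  # any 'aggressive' keyword seen


def parse_isakmp(text):
    """Parse `show run | section isakmp` output; sub-commands are indented as IOS prints them."""
    cfg, policy, profile = IsakmpConfig(), None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        tok = line.split()
        if not line[0].isspace():                  # a top-level command ends any sub-block
            policy = profile = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:
                policy = int(tok[3])
                cfg.policies[policy] = dict(POLICY_DEFAULTS)   # defaults, then overrides
            elif tok[:3] == ["crypto", "isakmp", "key"]:
                # crypto isakmp key [0|6] <key> {address <ip> | hostname <name>}
                sel = next((i for i, t in enumerate(tok) if t in ("address", "hostname")), None)
                if sel is not None:
                    cfg.psk_peers[tok[sel + 1]] = "default"    # global keys sit in keyring "default"
            elif tok[:3] == ["crypto", "isakmp", "profile"]:
                profile = tok[3]
                cfg.profiles[profile] = None
            if "aggressive" in line:
                cfg.aggressive_mode = True
        elif policy is not None:
            cfg.policies[policy][tok[0]] = " ".join(tok[1:])
        elif profile is not None and tok[0] == "keyring":
            cfg.profiles[profile] = tok[1]
    return cfg


def auth_methods_toward(cfg, peer):
    """Per policy, in priority order: (priority, auth, usable, reason).
    usable is True/False for pre-share (key present or not) and None for
    certificate/RSA methods, whose material is outside this config section."""
    rows = []
    for prio in sorted(cfg.policies):
        auth = cfg.policies[prio]["authentication"]
        if auth == "pre-share":
            ok = peer in cfg.psk_peers
            why = (f"PSK for {peer} in keyring {cfg.psk_peers[peer]}" if ok
                   else f"no PSK configured for {peer}")
        else:
            ok, why = None, "needs a certificate or RSA key pair; not visible in this section"
        rows.append((prio, auth, ok, why))
    return rows


def audit(cfg, peer):
    """Findings a reviewer of this configuration would raise."""
    findings = []
    if not cfg.aggressive_mode:
        findings.append("no aggressive-mode keyword appears in this section")
    for name, keyring in cfg.profiles.items():
        if keyring == "default" and cfg.psk_peers:
            findings.append(f"profile {name} binds keyring default, which holds PSKs for "
                            + ", ".join(cfg.psk_peers))
    for prio, auth, ok, _ in auth_methods_toward(cfg, peer):
        if auth == "pre-share" and ok:
            findings.append(f"policy {prio} (pre-share) is usable toward {peer}; "
                            "removing that key is what leaves rsa-sig as the only option")
    for prio, s in sorted(cfg.policies.items()):
        weak = [f"{k} {s[k]}" for k in WEAK if s[k] in WEAK[k]]
        if weak:
            findings.append(f"policy {prio} uses deprecated algorithms: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    cfg = parse_isakmp(RACK1R1_CONFIG)
    for row in auth_methods_toward(cfg, "136.1.122.2"):
        print("policy %d auth=%-9s usable=%-5s %s" % row)
    for finding in audit(cfg, "136.1.122.2"):
        print("-", finding)
```

Running it against the posted Rack1R1 config lists policy 1 as rsa-sig (by default) and policy 10 as pre-share with a usable key for 136.1.122.2; deleting the `crypto isakmp key` line from the input flips that last column to False, which mirrors what Karthik observed on the router.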
--------------------------------------------------------------------------------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com