Bruno, what you are saying is correct: in aggressive mode the IKE ID is sent in clear text, but I don't think that this answers my question.

If you take a look at the config/debug output in my first post, the initiator router sends its hostname as the IKE ID, but the receiving router doesn't have any PSK configured for that IKE ID and the tunnel still comes up. The only PSK configured on the receiving router is based on IP address and not hostname, so I don't understand how the PSK match happens in this case.

crypto isakmp peer address 8.9.11.7
 set aggressive-mode password cisco
 set aggressive-mode client-endpoint user-fqdn R1

> Hi,
>
> When you have aggressive mode you exchange messages with the IDs in cleartext
> while performing DH; I believe that's the main reason why you don't have to
> have a DNS server configured in order to make it work.
>
> If it was main mode it would not work, because when the ISAKMP responder
> receives a main mode proposal from the initiator it would require knowing the
> PSK in advance, but in this case the responder does not know the ID of the
> initiator yet, so it has to select the IP address of the initiator as the
> ID. In this case, even if you have configured the hostname as the ID, it would
> use the IP address for the tunnel names. That is not the case with
> aggressive mode, because the responder knows the ID, whether it's the
> hostname or the IP address.
>
> Br,
> Bruno Silva
>
> Sent via iPhone
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
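The point of the thread, modelled as an added illustration that is not part of any post: an IKEv1 responder can only select a pre-shared key by information it already holds when the first message arrives. The peer address 8.9.11.7 and the user-fqdn ID "R1" are taken from the post above; the keyring layout and the "fall back to the address-bound key" rule are assumptions of this model, not a description of any vendor's implementation.

```python
# Added illustration (not from the thread): minimal model of responder
# PSK selection in IKEv1 main mode vs aggressive mode.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message1:
    src_addr: str                  # source IP of the initiator's first message
    mode: str                      # "main" or "aggressive"
    ike_id: Optional[str] = None   # present in message 1 only in aggressive mode


@dataclass
class Keyring:
    by_address: dict = field(default_factory=dict)   # PSKs bound to a peer IP
    by_id: dict = field(default_factory=dict)        # PSKs bound to an IKE ID


def select_psk(keyring: Keyring, msg: Message1):
    """Return (psk, how_matched), or (None, reason) when nothing matches."""
    if msg.mode == "main":
        # Main mode: the ID payload only arrives in message 5, after the
        # DH exchange, so the responder has nothing but the source address
        # to key on when it must pick a PSK.
        psk = keyring.by_address.get(msg.src_addr)
        return (psk, "address") if psk else (None, "no key for address")
    if msg.mode == "aggressive":
        # Aggressive mode: the ID travels in clear in message 1, so a key
        # bound to that ID can be chosen directly. Falling back to the
        # address-bound key is an assumption of this model.
        if msg.ike_id and msg.ike_id in keyring.by_id:
            return keyring.by_id[msg.ike_id], "id"
        psk = keyring.by_address.get(msg.src_addr)
        return (psk, "address") if psk else (None, "no key for id or address")
    return None, "unknown mode"


# Constructed responder keyring mirroring the post: the only PSK is bound
# to the peer address, none to the hostname ID.
responder = Keyring(by_address={"8.9.11.7": "cisco"})

if __name__ == "__main__":
    print(select_psk(responder, Message1("8.9.11.7", "aggressive", "R1")))
    print(select_psk(responder, Message1("8.9.11.7", "main")))
    print(select_psk(responder, Message1("10.0.0.9", "aggressive", "R1")))
```

Under this model the initiator's hostname ID is simply not what the responder keys on; the address-bound entry matches in both modes, and an unknown address yields no key at all.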
