Aggressive mode doesn't always work as expected. Your tunnel should have
come up by using the IP address in the IKE messages.

With regards
Kings

On Mon, Jun 18, 2012 at 11:02 PM, Imre Oszkar <[email protected]> wrote:

> Bruno, what you are saying is correct, in aggressive mode the IKE id is
> sent in clear text but I don't think that this answers my question.
>
> If you take a look at the config/debug output in my first post, the
> initiator router sends its hostname as the IKE ID but the receiving router
> doesn't have any PSK configured for that IKE ID and the tunnel still comes
> up.
> The only PSK configured on the receiving router is based on IP address
> and not hostname, so I don't understand how the PSK match happens in this
> case.
>
> crypto isakmp peer address 8.9.11.7
>  set aggressive-mode password cisco
>  set aggressive-mode client-endpoint user-fqdn R1
>
>> Hi,
>>
>> When you have aggressive mode you exchange messages with the IDs in cleartext
>> while performing DH; I believe that's the main reason why you don't have to
>> have a DNS server configured in order to make it work.
>>
>> If it was main mode it would not work, because when the ISAKMP responder
>> receives a main mode proposal from the initiator it would require knowing the
>> PSK in advance, but in this case the responder does not know the ID of the
>> initiator yet, so it has to select the IP address of the initiator as the
>> ID. In this case, even if you have configured the hostname as the ID, it would
>> use the IP address for the tunnel names. That is not the case with
>> aggressive mode, because the responder knows the ID, whether it's the
>> hostname or the IP address.
>>
>> Br,
>> Bruno silva
>>
>> Sent via iPhone
>>
>>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>