Well, I guess you are right because this is not something that I wouldn't
expect for sure :)

The initiator sends hostname as IKE ID:
*Jun 19 10:38:39.811: ISAKMP (0): ID payload
        next-payload : 13
        type         : 3
        USER FQDN    : R7
        protocol     : 17
        port         : 0
        length       : 10

Phase one ID is hostname:

R1#sh crypto session detail
Interface: FastEthernet0/0
Uptime: 00:01:27
Session status: UP-ACTIVE
Peer: 8.9.11.7 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: R7
      Desc: (none)


But somehow the PSK is matched using the initiator IP address... the question
is why.
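
As an added illustration for this thread (example code, not IOS code and not written by anyone in the thread), the Python below builds the ISAKMP ID payload bytes from the fields in the debug above (next-payload 13, type 3 USER_FQDN, protocol 17, port 0, length 10, identity R7; the byte layout follows the RFC 2408 section 3.8 generic header and the RFC 2407 section 4.6.2 identification payload), parses them back, and then models which PSK a responder can pick in main mode versus aggressive mode, which is the point Bruno's quoted reply makes. The Keyring class, select_psk, and the identity-then-address fallback are assumptions made for this example to reproduce what the thread observes (a PSK configured by address matching a peer that identified by hostname); they are not a documented IOS lookup order. The sample bytes and keyring contents are constructed from the values quoted in this thread.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_TYPE_NAMES = {ID_IPV4_ADDR: "IPV4_ADDR", ID_FQDN: "FQDN", ID_USER_FQDN: "USER_FQDN"}


@dataclass
class IdPayload:
    next_payload: int
    id_type: int
    protocol: int
    port: int
    length: int
    identity: str


def build_id_payload(next_payload: int, id_type: int, protocol: int,
                     port: int, identity: str) -> bytes:
    """Encode an ISAKMP Identification payload: 4-byte generic header
    (next payload, RESERVED, length), then ID type / protocol / port, then ID data."""
    if id_type == ID_IPV4_ADDR:
        body = ipaddress.IPv4Address(identity).packed
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        body = identity.encode("ascii")
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    length = 8 + len(body)                                  # fixed part is 8 bytes
    header = struct.pack("!BBH", next_payload, 0, length)
    fixed = struct.pack("!BBH", id_type, protocol, port)
    return header + fixed + body


def parse_id_payload(data: bytes) -> IdPayload:
    """Decode an Identification payload and validate its length field."""
    if len(data) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    next_payload, _reserved, length = struct.unpack("!BBH", data[:4])
    id_type, protocol, port = struct.unpack("!BBH", data[4:8])
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes on the wire")
    body = data[8:]
    if id_type == ID_IPV4_ADDR:
        if len(body) != 4:
            raise ValueError("IPV4_ADDR identity must be exactly 4 bytes")
        identity = str(ipaddress.IPv4Address(body))
    elif id_type in (ID_FQDN, ID_USER_FQDN):
        identity = body.decode("ascii")
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return IdPayload(next_payload, id_type, protocol, port, length, identity)


@dataclass
class Keyring:
    """Assumed responder key store (not an IOS structure): PSKs keyed by
    peer address and by (ID type, identity)."""
    by_address: Dict[str, str]
    by_identity: Dict[Tuple[int, str], str]


def _by_address(keyring: Keyring, peer_ip: str) -> Tuple[str, str]:
    if peer_ip not in keyring.by_address:
        raise KeyError(f"no PSK configured for peer address {peer_ip}")
    return keyring.by_address[peer_ip], "address"


def select_psk(keyring: Keyring, mode: str, peer_ip: str,
               id_payload: Optional[IdPayload]) -> Tuple[str, str]:
    """Model which PSK the responder can use; returns (psk, how it was found).

    Main mode: SKEYID is derived from the PSK and the nonces before the
    initiator's ID payload arrives (it travels in the encrypted 5th message),
    so only the peer's source address is available for the lookup.
    Aggressive mode: the ID is in the first message, so an identity-keyed
    entry is tried first. Falling back to the address-keyed entry is an
    assumption made to reproduce what the thread observed, not a documented IOS rule.
    """
    if mode == "main" or id_payload is None:
        return _by_address(keyring, peer_ip)
    if mode != "aggressive":
        raise ValueError(f"unknown IKE phase 1 mode {mode!r}")
    key = (id_payload.id_type, id_payload.identity)
    if key in keyring.by_identity:
        return keyring.by_identity[key], "identity"
    return _by_address(keyring, peer_ip)


if __name__ == "__main__":
    # Constructed bytes reproducing the ID payload fields from the debug in this thread
    wire = build_id_payload(13, ID_USER_FQDN, 17, 0, "R7")
    payload = parse_id_payload(wire)
    print(wire.hex(), payload, ID_TYPE_NAMES[payload.id_type])
    # Keyring modelled on the receiving router's config: a PSK by address only
    ring = Keyring(by_address={"8.9.11.7": "cisco"}, by_identity={})
    print(select_psk(ring, "aggressive", "8.9.11.7", payload))  # ('cisco', 'address')
```

Running it shows the same 10-byte payload the debug reports (type 3, protocol 17, port 0, two bytes of identity) and that with a keyring holding only an address entry, both modes end up on the address-keyed PSK; only when an identity-keyed entry exists does aggressive mode have anything else to choose, which is the practical difference between the two modes for PSK selection.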



On Mon, Jun 18, 2012 at 11:36 PM, Kingsley Charles <
[email protected]> wrote:

> Aggressive mode doesn't work always as expected. Your tunnel should have
> come by using the IP address in the IKE messages.
>
> With regards
> Kings
>
> On Mon, Jun 18, 2012 at 11:02 PM, Imre Oszkar <[email protected]> wrote:
>
>> Bruno, what you are saying is correct, in aggressive mode the IKE id is
>> sent in clear text but I don't think that this answers my question.
>>
>> If you take a look at the config/debug output in my first post, the
>> initiator router sends its hostname as the IKE ID but the receiving router
>> doesn't have any PSK configured for that IKE ID and the tunnel still comes
>> up.
>> The only PSK configured on the receiving router is based on IP address
>> and not hostname, so I don't understand how the PSK match happens in this
>> case.
>>
>> crypto isakmp peer address 8.9.11.7
>>  set aggressive-mode password cisco
>>  set aggressive-mode client-endpoint user-fqdn R1
>>
>>> Hi,
>>>
>>> When you have aggressive mode you exchange messages with the IDs in
>>> cleartext while performing DH, I believe that's the main reason why you
>>> don't have to have a DNS server configured in order to make it work.
>>>
>>> If it were main mode it would not work because when the ISAKMP responder
>>> receives a main mode proposal from the initiator it would require knowing
>>> the PSK in advance, but in this case the responder does not know the ID of
>>> the initiator yet, so it has to select the IP address of the initiator as
>>> the ID. In this case even if you have configured the hostname as the ID it
>>> would use the IP address for the tunnel names; that is not the case with
>>> aggressive mode because the responder knows the ID whether it's the
>>> hostname or the IP address.
>>>
>>> Br,
>>> Bruno Silva
>>>
>>> Sent via iPhone
>>>
>>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>
>