Hi Kings,
I have changed my config on R1 (hub) to dynamic crypto map. I have got
exactly the same result.
crypto config:
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp identity hostname
!
crypto isakmp peer address 8.9.11.7
set aggressive-mode password cisco
set aggressive-mode client-endpoint user-fqdn R1
!
!
crypto ipsec transform-set ESP3DES esp-3des esp-sha-hmac
!
crypto dynamic-map DYN 10
set transform-set ESP3DES
match address l2l
!
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
debug snippet:
*Jun 19 11:28:34.463: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_FQDN
*Jun 19 11:28:34.463: ISAKMP (1003): ID payload
next-payload : 10
type : 2
FQDN name : R1
protocol : 0
port : 0
length : 10
*Jun 19 11:28:34.463: ISAKMP:(1003):Total payload length: 10
*Jun 19 11:28:34.463: ISAKMP:(1003): sending packet to 8.9.11.7 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 19 11:28:34.463: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 19 11:28:34.467: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 19 11:28:34.467: ISAKMP:(1003):Old State = IKE_READY New State = IKE_R_AM2
Tunnel is UP:
R1#sh crypto session de
Crypto session current status
Interface: FastEthernet0/0
Uptime: 00:04:55
Session status: UP-ACTIVE
Peer: 8.9.11.7 port 500 fvrf: (none) ivrf: (none)
Phase1_id: R7
Desc: (none)
On Tue, Jun 19, 2012 at 12:27 AM, Kingsley Charles <
[email protected]> wrote:
> Let me give my understanding on aggressive mode, which might be useful for this
> topic.
>
> Aggressive mode sends the IKE ID in clear text. Hence the peer can use
> the clear text IKE ID to get the PSK, and hence we can use the hostname when
> configuring PSKs. In the case of Main mode we need the PSK to be
> configured with the address, as it is needed for shared secret generation.
>
> Now, ideally this is how Aggressive mode is meant to be used:
>
> - There should be a hub & spoke topology using dynamic crypto maps
>   on the hub.
> - Most of the spokes have dynamic addresses.
> - Hence we configure aggressive mode and use a dynamic crypto map on the
>   hub.
> - The hub has a PSK configured for all spokes with hostnames.
> - The spokes send IKE IDs as hostnames, as they use dynamic addresses
>   which might keep changing.
> - The spokes should have the PSK configured for the hub with its address, as
>   the hub always has a static address.
>
> It is recommended to configure the PSK with hostnames on the hub, as the spokes' IP
> addresses will keep changing. So here we don't need a DNS server or host mapping
> on the hub, as the spokes always initiate the traffic.
>
> The problem arises when we try to have both sides use a PSK with hostnames
> with a regular site-to-site VPN without dynamic crypto maps. Now the
> initiator will fail to initiate the tunnel, as it can't find a matching PSK
> for the peer address configured under the crypto map. If we configure DNS
> or configure a manual mapping it will work. But I have seen it working without
> the mapping also. It is safer to always have the mapping.
>
> With regards
> Kings
>
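The two messages above describe the same mechanism from both ends: in aggressive mode the peer's identity arrives in the clear in the first message, so a responder can pick a hostname-keyed pre-shared key before deriving SKEYID; in main mode the identity is only revealed after encryption starts, so a PSK can only be found by the peer's address (or by a hostname-to-address mapping from DNS or an "ip host" entry). The following Python model is an added example, not code from this thread or from Cisco IOS: it parses the "ID payload" block from a debug excerpt modelled on the one posted above and then applies the lookup rules Kings describes. The keyring layout, the hostname-to-address map and the sample debug lines are constructed for the example; the ID type numbers (ID_IPV4_ADDR=1, ID_FQDN=2, ID_USER_FQDN=3) are the IPsec DOI values from RFC 2407.

```python
import re

# ISAKMP identification types from RFC 2407 (IPsec DOI)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3

# Constructed excerpt modelled on the 'debug crypto isakmp' output in the mail:
# the responder logs the peer's ID payload before any key material exists.
SAMPLE_DEBUG = """\
*Jun 19 11:28:34.463: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_FQDN
*Jun 19 11:28:34.463: ISAKMP (1003): ID payload
next-payload : 10
type : 2
FQDN name : R1
protocol : 0
port : 0
length : 10
"""


def parse_id_payload(debug_text):
    """Extract (id_type, name) from an ISAKMP 'ID payload' debug block.

    Returns None when either the type or the name line is missing, so a
    truncated capture is not mistaken for an ID.
    """
    type_m = re.search(r"^\s*type\s*:\s*(\d+)\s*$", debug_text, re.M)
    name_m = re.search(r"^\s*(?:FQDN name|address)\s*:\s*(\S+)\s*$", debug_text, re.M)
    if not type_m or not name_m:
        return None
    return int(type_m.group(1)), name_m.group(1)


def select_psk(mode, peer_address, keyring, identity=None, host_map=None):
    """Model of how a router picks the PSK for a phase-1 exchange.

    mode:         'main' or 'aggressive'
    peer_address: IP address of the remote peer (always known from the packet)
    keyring:      {('address', ip): psk, ('hostname', fqdn): psk}, standing in
                  for 'crypto isakmp key ... address|hostname ...' entries
    identity:     (id_type, name) from the peer's ID payload; usable before
                  key derivation only in aggressive mode
    host_map:     {fqdn: ip}, standing in for DNS or 'ip host' entries
    Returns the PSK or None when no entry matches (the 'tunnel will not
    initiate' case from the thread).
    """
    host_map = host_map or {}
    # An address-keyed entry works in either mode: the address is on the packet.
    if ("address", peer_address) in keyring:
        return keyring[("address", peer_address)]
    # Aggressive mode: the cleartext ID lets us pick a hostname-keyed PSK directly.
    if mode == "aggressive" and identity and identity[0] in (ID_FQDN, ID_USER_FQDN):
        return keyring.get(("hostname", identity[1]))
    # Main mode (or no usable ID): the hostname is not known yet, so a
    # hostname-keyed PSK is reachable only through a hostname -> address mapping.
    for (kind, key), psk in keyring.items():
        if kind == "hostname" and host_map.get(key) == peer_address:
            return psk
    return None


if __name__ == "__main__":
    ident = parse_id_payload(SAMPLE_DEBUG)
    hub_keyring = {("hostname", "R1"): "cisco"}          # hub keyed by spoke hostname
    print("parsed ID:", ident)
    print("aggressive, hub:", select_psk("aggressive", "192.0.2.10", hub_keyring, ident))
    print("main, no mapping:", select_psk("main", "192.0.2.10", hub_keyring))
    print("main, with ip host:", select_psk("main", "192.0.2.10", hub_keyring,
                                            host_map={"R1": "192.0.2.10"}))
```

The same property that makes the hostname lookup possible is the security cost of aggressive mode: the identity, and the PSK-authenticated hash, are exchanged before encryption starts, so the PSK's strength is the only thing protecting the exchange from offline guessing by anyone who captured it. Where hostname-keyed PSKs are needed for dynamically addressed spokes, that argues for long random PSKs per spoke (never one shared key such as "cisco" across all peers), or for moving to certificate authentication or IKEv2, which keeps the identity encrypted.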
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com