IPSec Main mode versus Aggressive mode

GW M
Level 1

I have two Cisco 2911 routers communicating over the Internet using an IPSec site-to-site tunnel with pre-shared keys and isakmp aggressive mode. Can I reconfigure the routers to use isakmp main mode versus aggressive mode while still using pre-shared keys? Also, the main router where the site-to-site tunnels are being established also supports IPSec client connections. If I change the router to main mode ("crypto isakmp aggressive-mode disable"), my IPSec clients no longer connect. Is there a way to allow the clients to use isakmp main mode too, or can they only use isakmp aggressive mode?


Thanks


GW

4 Replies

If you have a "real" S2S connection (that is, on both routers you reference the other side's IP), then this should work also in main mode with PSK. That would be the "normal" way to configure it. If it doesn't work in your scenario, then something else is going wrong there.

Below is the remote site config


crypto keyring site2site 
pre-shared-key address x.x.x.50 key 6 xxxxxxxx
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group remote-clients
key 6 xxxxxxxx
pool VPN-clients
acl 104
max-logins 1
crypto isakmp profile site-to-site
description Site to site VPN Tunnel profile connection
keyring site2site
match identity address x.x.x.50 255.255.255.255 
keepalive 30 retry 3
crypto isakmp profile vpnclients
description VPN Clients profile connection
match identity group remote-clients
client authentication list vpnclientauth
isakmp authorization list vpngroupauth
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 2
set transform-set ESP-3DES-SHA 
set isakmp-profile vpnclients
reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
set peer x.x.x.50
set security-association idle-time 86400
set transform-set ESP-3DES-SHA 
set isakmp-profile site-to-site
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1


interface GigabitEthernet0/0
ip address dhcp client-id GigabitEthernet0/0
crypto map SDM_CMAP_1

I just saw that I didn't read your message right. It's not the S2S tunnel that stops working but the client VPN. That is normal. For EzVPN with PSKs, aggressive mode is used. Main mode is only used if you migrate to certificate-based authentication.

Are you sure that your S2S-VPN is also using aggressive mode? Does "show crypto isakmp sa detail" show that?
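One way to answer the question above from the CLI output: the state column of "show crypto isakmp sa" starts with MM_ while a main-mode exchange is in progress and with AG_ during an aggressive-mode exchange, and reads QM_IDLE once phase 1 has completed (at which point the mode is no longer visible there). The script below is an added example, not from this thread or Cisco; it parses constructed sample output (the addresses and conn-ids are made up) and reports the negotiation mode per SA.

```python
import re

# Constructed sample of "show crypto isakmp sa" output; addresses and
# conn-ids are invented for this example.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.50    198.51.100.7    MM_KEY_EXCH       1001 ACTIVE
198.51.100.7    192.0.2.33      AG_INIT_EXCH      1002 ACTIVE
198.51.100.7    192.0.2.44      QM_IDLE           1003 ACTIVE
"""

# One SA row: dst, src, state, numeric conn-id, status. The header row does
# not match because "conn-id" is not numeric.
SA_LINE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<status>\S+)"
)


def classify_state(state):
    """Map an ISAKMP state name to the phase-1 mode it reveals."""
    if state.startswith("MM_"):
        return "main"
    if state.startswith("AG_"):
        return "aggressive"
    if state.startswith("QM_"):
        return "established"  # phase 1 finished; mode not visible here
    return "unknown"


def parse_isakmp_sa(text):
    """Return one dict per SA row with the mode derived from its state."""
    entries = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["conn"] = int(entry["conn"])
        entry["mode"] = classify_state(entry["state"])
        entries.append(entry)
    return entries


def aggressive_conn_ids(text):
    """Conn-ids of SAs currently negotiating in aggressive mode."""
    return [e["conn"] for e in parse_isakmp_sa(text) if e["mode"] == "aggressive"]


if __name__ == "__main__":
    for e in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(f'{e["conn"]} {e["dst"]} <-> {e["src"]} {e["state"]:14} {e["mode"]}')
```

Because a completed SA only shows QM_IDLE, run the check while phase 1 is being negotiated, for example by watching the output repeatedly right after the tunnel is brought up.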

The site to site VPN is working and the VPN client is working but I want the site to site VPN to use main mode versus aggressive mode.


GW