03-19-2013 08:34 AM - edited 02-21-2020 06:46 PM
Hi all,
I think a quick question for you...
Am I right in thinking I can run IPSEC in main mode if I know the IP address of all my L2L VPN end points? (They all have static IPs) I can disable aggressive mode in IOS in this scenario?
I would only need aggressive mode if I wanted PSK and remote access type VPNs on the same router because the client addresses will now be dynamic?
Thanks!
P
03-19-2013 08:47 AM
Hi P,
Yes, if you are connecting IPsec clients with PSK then Aggressive mode needs to be enabled.
Thanks.
Portu.
03-19-2013 10:03 AM
Am I right in thinking I can run IPSEC in main mode if I know the IP address of all my L2L VPN end points? (They all have static IPs) I can disable aggressive mode in IOS in this scenario?
That's right, as long as the devices' IP addresses are used as the peers' IKE IDs. I mean, if you have static IP addresses but use FQDNs as IKE IDs, the tunnel won't establish. So with PSK and FQDN as peer identities, even in site-to-site VPN, you'd have to use aggressive mode too.
03-19-2013 10:05 AM
Nice Andrew
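The main-mode-only setup discussed in this thread, as an added IOS configuration sketch that is not from any of the posters: static L2L peers identified by IP address, with aggressive mode refused. The peer address 203.0.113.2, the policy number and the key placeholder are constructed values, and the FQDN lines are shown only as the contrasting case from the 10:03 AM reply.

```cisco
! Added example: constructed peer address and placeholder key.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Use the interface IP address as this router's IKE ID (the IOS default).
crypto isakmp identity address
!
! Pre-shared key bound to the peer's static IP address, which is what
! main mode with PSK relies on to select the key.
crypto isakmp key <PRE_SHARED_KEY> address 203.0.113.2
!
! Block aggressive mode requests to and from this router.
crypto isakmp aggressive-mode disable
!
! Contrasting case from the reply above (do not combine with the line
! above): FQDN identities with PSK, which need aggressive mode.
!  crypto isakmp identity hostname
!  crypto isakmp key <PRE_SHARED_KEY> hostname peer.example.com
```

After applying it, `show crypto isakmp sa` should list each L2L peer in state QM_IDLE once its tunnel is up.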