Re: Aggressive mode in crypto isakmp profile

konzoom · ‎12-07-2020

Hi Team

I'm helpless. We moved the hardware from typ c3925/ IOS 15.7 to isr4451X/ 16.6.6 or 16.6.8. With the c3925 is running the ipsec to central nodes, with the new hardware doesn't work. The certificates are up to date and runs in the entire network. We checked the config more than more. Everything is fine. The only message in the config is:

crypto isakmp profile isakmp_Mgmt_XXXX
! This profile is incomplete (no match identity statement)
description
vrf
match identity host yyy.zzz.ddd.com
client authentication list
client pki authorization list
isakmp authorization list
client authentication username
client authentication password
client configuration address-pool local
client pki authorization list
client configuration group
accounting
initiate mode aggressive
virtual-template 0

My questions is, how I can deactivate the aggressive mode on the 4451X? Do there have expirience with the moving from c3925 IOS to the new plattforms isr4451 IOS-XE? The connector oft he other side is a c2911 with the IOS boot system flash:/c2900-universalk9-mz.SPA.157-3.M6.bin.

Best wishes and many thanks,

Daniela

Mohammed al Baqari · ‎01-12-2021

Hi,

It should be same as IOS. Nothing special for IPSec on IOS-XE. To disable
aggressive mode, the command is *no crypto isakmp aggressive*

It seems that your isakmp profile is incomplete. Share some debugs for
crypto isakmp to see what is causing this but it seems that you need to fix
your isakmp profile.

**** please remember to rate useful posts