
IPSEC VPN Aggressive mode

RobotAjay
Level 1

Hi, I have a query.
I know aggressive mode is used in case the peer has dynamic IPs, but may I know why main mode cannot be used? Can someone please explain this?

Thanks

4 Replies

It is true that aggressive mode is used mainly if the peer is dynamic, and the reason is that main mode uses the peer IP for auth, but aggressive mode uses the peer IP or peer ID for auth.

Now if the peer has a dynamic IP, we cannot use the peer IP for auth anymore, so we use the peer ID.

MHM

Understood, so in case of main mode, authentication happens with the help of the peer IP.
So if a client has a dynamic IP and we use aggressive mode, then each and every IP (new client's or new IP) will be validated using the peer ID.

Please correct me if I am wrong

Correct.

To solve this issue of using main mode with a dynamic peer IP, most vendors use an isakmp key with address 0.0.0.0.

This way, even if the peer IP changes, it does not affect IPsec.

MHM
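
A small model of the responder's pre-shared-key lookup discussed in the replies above, added here as an illustration; it is not code from any participant or vendor. It assumes IKEv1 with pre-shared keys, and the table names, peer identities, addresses and keys are all constructed.

```python
import ipaddress

# Constructed responder tables (hypothetical peers and keys, not real config).
KEYS_BY_ADDRESS = {"198.51.100.10/32": "key-branch-a"}   # key bound to a peer IP
KEYS_BY_ID = {"branch-b.example.net": "key-branch-b"}    # key bound to a peer ID


def select_psk(mode, src_ip, peer_id, by_address=None, by_id=None):
    """Return (psk, matched_on) for an incoming IKEv1 negotiation, or (None, None)."""
    by_address = KEYS_BY_ADDRESS if by_address is None else by_address
    by_id = KEYS_BY_ID if by_id is None else by_id
    # Aggressive mode: the initiator's ID is sent unencrypted in message 1,
    # so the responder can use it to choose the key.
    if mode == "aggressive" and peer_id in by_id:
        return by_id[peer_id], "id"
    # Main mode with pre-shared keys: the ID arrives in message 5, encrypted
    # with keys derived from the PSK, so the key must already be chosen.
    # The only selector available at that point is the source address.
    addr = ipaddress.ip_address(src_ip)
    nets = [(ipaddress.ip_network(n), k) for n, k in by_address.items()]
    hits = [(n, k) for n, k in nets if addr in n]
    if not hits:
        return None, None
    # Modelling assumption: the most specific matching entry wins.
    net, key = max(hits, key=lambda h: h[0].prefixlen)
    return key, "wildcard" if net.prefixlen == 0 else "address"


def peers_sharing_wildcard(src_ips, by_address):
    """List source addresses that would all be handed the 0.0.0.0 key."""
    return [ip for ip in src_ips
            if select_psk("main", ip, None, by_address)[1] == "wildcard"]


if __name__ == "__main__":
    dynamic_ip = "203.0.113.77"   # constructed address for a dynamic peer
    # Main mode, unknown source address: no key can be selected.
    print(select_psk("main", dynamic_ip, "branch-b.example.net"))
    # Aggressive mode, same address: the cleartext ID selects the key.
    print(select_psk("aggressive", dynamic_ip, "branch-b.example.net"))
    # Main mode again, after adding a key for address 0.0.0.0.
    with_wildcard = dict(KEYS_BY_ADDRESS, **{"0.0.0.0/0": "key-shared"})
    print(select_psk("main", dynamic_ip, "branch-b.example.net", with_wildcard))
    print(peers_sharing_wildcard(["198.51.100.10", dynamic_ip, "192.0.2.5"],
                                 with_wildcard))
```

The last call shows the trade-off of the 0.0.0.0 entry: every source address without a more specific entry is matched to the same key, so knowledge of that one key is all that distinguishes those peers.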

Could you also explain, or share some docs with me, to know more about when the peer IP is used for auth in aggressive mode and when the peer ID is used?