11-08-2005 12:14 PM
I have a PIX 501 6.3(4) on DHCP cable ISP. I am trying to VPN to Symantec FW. Since I am on DHCP I need to use Aggressive mode; I cannot use isakmp identity address because of this (Main Mode). I tried isakmp identity hostname but the host name I have is not valid since I'm on DHCP; plus it tries to negotiate in Main Mode. I tried isakmp identity key-id, which does try to negotiate in Aggressive Mode, but according to my Symantec FW logs the PIX is trying to use rsa-sig for authentication, even though I have selected pre-share.
Does anyone know why it tries to negotiate rsa-sig when I have selected pre-share auth using key-id?
Thanks!
11-14-2005 11:22 AM
The issue may be due to the following. When two peers use Internet Key Exchange (IKE) to establish IPSec associations, each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or host name, depending on how it has its ISAKMP identity set.
The default ISAKMP identity on the PIX Firewall is hostname, so the PIX sends its Fully Qualified Domain Name (FQDN) instead of its IP address. If the other device does not understand that parameter, then a tunnel is not established.
Issue the isakmp identity address command to the PIX configuration to bring up VPN tunnels with non-Cisco devices.
11-14-2005 01:03 PM
key-id = rsa-sig.
key-id means to use an RSA PKI key to identify the user, instead of hostname or address.
I would identify by address, and use a dynamic crypto-map.
11-14-2005 07:49 PM
How do you identify by address when the address is dynamic? In the rest of the IPSEC world aggressive mode means you can use an identifier of your choice, since IP address or host name are not static.
Is this a Cisco thing?
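The thread turns on two separate IKEv1 fields: the ISAKMP identity type, carried in the ID payload, and the authentication method, carried as an attribute of the SA transform. The Python below is an added example, not code from this thread or from Cisco or Symantec; it decodes both fields from the first aggressive-mode message so a capture of what the PIX actually sends can be checked against the peer's log claim. The packet builder, the cookies and the identity string "pix-branch" are constructed for the demonstration, and the sample message omits the KE and nonce payloads a real one carries.

```python
import struct

# IKEv1 / ISAKMP (RFC 2408, RFC 2409) values used below.
EXCHANGE = {2: "main (identity protection)", 4: "aggressive"}
PAYLOAD_SA, PAYLOAD_ID = 1, 5
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
AUTH_METHOD = {1: "pre-shared key", 2: "DSS signature", 3: "RSA signature"}
ATTR_AUTH = 3  # transform attribute class "Authentication Method"

def parse_attributes(buf):
    """Walk ISAKMP data attributes (TV or TLV form); return {class: value}."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        af_type, val = struct.unpack_from("!HH", buf, off)
        if af_type & 0x8000:                      # TV: 2-byte value follows
            attrs[af_type & 0x7FFF], off = val, off + 4
        else:                                     # TLV: 'val' is the length
            attrs[af_type], off = buf[off + 4:off + 4 + val], off + 4 + val
    return attrs

def parse_sa(body):
    """SA payload body -> authentication method of its first transform."""
    spi_size = body[8 + 6]                        # DOI(4) situation(4) proposal hdr(8)
    off = 16 + spi_size                           # first transform payload
    tlen = struct.unpack_from("!H", body, off + 2)[0]
    attrs = parse_attributes(body[off + 8:off + tlen])
    return AUTH_METHOD.get(attrs.get(ATTR_AUTH), f"unknown({attrs.get(ATTR_AUTH)})")

def summarize_ike_message(pkt):
    """Return (exchange, auth_method, id_type, id_data) for one ISAKMP message."""
    next_payload, _, exch, _, _, _ = struct.unpack_from("!BBBBII", pkt, 16)
    off, auth, id_type, id_data = 28, None, None, None
    while next_payload and off + 4 <= len(pkt):
        nxt, _, plen = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        if next_payload == PAYLOAD_SA:
            auth = parse_sa(body)
        elif next_payload == PAYLOAD_ID:          # ID type(1) proto(1) port(2) data
            id_type, id_data = ID_TYPES.get(body[0], f"unknown({body[0]})"), body[4:]
        next_payload, off = nxt, off + plen       # skip payloads we do not decode
    return EXCHANGE.get(exch, f"unknown({exch})"), auth, id_type, id_data

def build_first_message(exchange, auth_method, id_type, id_data):
    """Constructed sample: SA + ID payloads only (no KE/nonce), 3DES/SHA/group 2."""
    attrs = struct.pack("!HHHHHHHH", 0x8001, 5, 0x8002, 2, 0x8003, auth_method, 0x8004, 2)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa_body = struct.pack("!II", 1, 1) + proposal
    sa = struct.pack("!BBH", PAYLOAD_ID, 0, 4 + len(sa_body)) + sa_body
    id_body = struct.pack("!BBH", id_type, 17, 500) + id_data
    idp = struct.pack("!BBH", 0, 0, 4 + len(id_body)) + id_body
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\0" * 8, PAYLOAD_SA, 0x10,
                      exchange, 0, 0, 28 + len(sa) + len(idp))
    return hdr + sa + idp
```

A pre-shared-key proposal with a KEY_ID identity and an RSA-signature proposal with the same identity decode to different authentication methods, which is the distinction the peer log in the first post blurs.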