Configure IOS router to initiate a VPN in Aggressive Mode

Enabling Aggressive Mode globally on an IOS router is straightforward, and it is the default anyway:

no crypto isakmp aggressive-mode disable

But the problem with this is that the router will then only act as a responder to incoming Aggressive Mode requests; it cannot initiate a VPN in Aggressive Mode itself.

Adding the Aggressive Mode option in an ISAKMP profile and attaching that profile to the crypto map entry for that peer will allow the IOS router to also initiate a VPN in Aggressive Mode with the peer:

crypto isakmp profile p1-profile-aggressive
  keyring global_keys
  self-identity fqdn
  match identity address <peer-IP>
  initiate mode aggressive
crypto map out_map 10 ipsec-isakmp
  set isakmp-profile p1-profile-aggressive

Aggressive Mode (AM) is mostly used for Remote Access VPNs, so having AM enabled globally is sufficient there, because the clients will always be the ones initiating the connection.

But this scenario comes into the picture when you configure a Site-to-Site VPN to use AM instead of Main Mode (MM). The reason for configuring a Site-to-Site VPN in AM can vary, but most probably it is because you want to use certificates for peer authentication, or you want to use pre-shared keys and are still crazy enough to use AM. :-)
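A small config-audit helper, added here as an example and not part of the original post: it parses a running-config excerpt (constructed for the demo, using RFC 5737 documentation addresses) and reports whether the router still accepts AM globally, which ISAKMP profiles carry initiate mode aggressive, and which crypto map entries are bound to those profiles, so you can see exactly which peers the router will initiate to in AM.

```python
import re

# Constructed running-config excerpt for this demo (not from the original post).
SAMPLE_CONFIG = """\
crypto isakmp profile p1-profile-aggressive
   keyring global_keys
   self-identity fqdn
   match identity address 203.0.113.10 255.255.255.255
   initiate mode aggressive
crypto isakmp profile p1-profile-main
   keyring global_keys
   match identity address 198.51.100.7 255.255.255.255
crypto map out_map 10 ipsec-isakmp
 set isakmp-profile p1-profile-aggressive
crypto map out_map 20 ipsec-isakmp
 set isakmp-profile p1-profile-main
"""

def audit_aggressive_mode(config: str) -> dict:
    """Report whether AM is still accepted globally, which ISAKMP profiles
    would initiate it, and which crypto map entries are bound to those."""
    lines = config.splitlines()
    # IOS default: AM is accepted as responder unless this command is present.
    accepts_am = "crypto isakmp aggressive-mode disable" not in [l.strip() for l in lines]
    profiles, maps, block = {}, {}, None
    for raw in lines:
        if not raw.startswith((" ", "\t")):      # unindented line starts a new block
            prof = re.match(r"crypto isakmp profile (\S+)$", raw)
            cmap = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", raw)
            if prof:
                block = ("profile", prof.group(1))
                profiles[prof.group(1)] = False
            elif cmap:
                block = ("map", f"{cmap.group(1)} {cmap.group(2)}")
                maps[block[1]] = None
            else:
                block = None
            continue
        cmd = raw.strip()
        if block and block[0] == "profile" and cmd == "initiate mode aggressive":
            profiles[block[1]] = True            # this profile will initiate AM
        elif block and block[0] == "map" and cmd.startswith("set isakmp-profile "):
            maps[block[1]] = cmd.split()[-1]     # map entry -> profile name
    initiators = sorted(p for p, am in profiles.items() if am)
    return {
        "accepts_am_globally": accepts_am,
        "initiating_profiles": initiators,
        "am_crypto_maps": sorted(k for k, p in maps.items() if p in initiators),
    }
```

Run it over the output of show running-config to confirm that only the peers you intend to use AM with are bound to an initiating profile.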
