Configure IOS router to initiate a VPN in Aggressive Mode


Enabling Aggressive Mode globally on an IOS router is straightforward, and it is the default anyway:

no crypto isakmp aggressive-mode disable

But the problem with this is that the router will only act as a responder to incoming VPN requests. It cannot initiate a VPN in Aggressive Mode.

Adding the Aggressive Mode option in an ISAKMP profile and attaching that profile to the crypto map entry for that peer allows the IOS router to also initiate a VPN in Aggressive Mode with the peer:

crypto isakmp profile p1-profile-aggressive
 keyring global_keys
 self-identity fqdn
 match identity address <peer-IP>
 initiate mode aggressive
!
crypto map out_map 10 ipsec-isakmp
 set isakmp-profile p1-profile-aggressive

Aggressive Mode is mostly used for Remote Access VPNs, so having AM enabled globally is sufficient there, as the clients will always be initiating the connection.

But this scenario comes into the picture when you are configuring Site-to-Site VPNs to use AM instead of MM. The reason you would configure a Site-to-Site VPN in AM can vary, but most probably it is because you want to use Certificates for your peer authentication, or you want to use pre-shared keys and are still crazy enough to use AM (in AM with pre-shared keys the identity and the PSK-derived hash are sent before the exchange is encrypted, which is what exposes the PSK to offline guessing). :-)
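For reference, here is a complete Site-to-Site configuration built around the profile above, added here as an example and not taken from the original post. The keyring, policy, transform set, ACL, interface, addresses (203.0.113.1 local, 203.0.113.2 peer, 10.1.1.0/24 and 10.2.2.0/24 behind them) and the PSK placeholder are all assumptions.

```text
! Constructed example: Site-to-Site IPsec VPN that initiates in Aggressive Mode
hostname vpn-rtr1
ip domain name example.net
!
! Pre-shared key for the peer; replace <PSK-PLACEHOLDER> with the real key
crypto keyring global_keys
 pre-shared-key address 203.0.113.2 key <PSK-PLACEHOLDER>
!
! Phase 1 policy
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! The profile that makes this router initiate in Aggressive Mode
crypto isakmp profile p1-profile-aggressive
 keyring global_keys
 self-identity fqdn
 match identity address 203.0.113.2 255.255.255.255
 initiate mode aggressive
!
! Phase 2 transform set
crypto ipsec transform-set ts-aes256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic between the two sites
ip access-list extended vpn-traffic
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Crypto map entry for the peer, tied to the Aggressive Mode profile
crypto map out_map 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ts-aes256
 set isakmp-profile p1-profile-aggressive
 match address vpn-traffic
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map out_map
```

After sending traffic that matches the ACL, `show crypto isakmp sa` and `show crypto isakmp profile` let you confirm that the Phase 1 SA came up and which profile it matched.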

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/
