New Member

PIX Aggressive Mode

I have a PIX 501 6.3(4) on DHCP cable ISP. I am trying to VPN to Symantec FW. Since I am on DHCP I need to use Aggressive mode; I cannot use isakmp identity address because of this (Main Mode). I tried isakmp identity hostname but the host name I have is not valid since I'm on DHCP; plus it tries to negotiate in Main Mode. I tried isakmp identity key-id, which does try to negotiate in Aggressive Mode, but according to my Symantec FW logs the PIX is trying to use rsa-sig for authentication, even though I have selected pre-share.

Does anyone know why it tries to negotiate rsa-sig when I have selected pre-share auth using key-id?

Thanks!

3 REPLIES
Silver

Re: PIX Aggressive Mode

The issue may be due to the following: when two peers use Internet Key Exchange (IKE) to establish IPSec associations, each peer sends its ISAKMP identity to the remote peer. It sends either its IP address or host name, depending on how it has its ISAKMP identity set.

The default ISAKMP identity on the PIX Firewall is hostname, so the PIX sends its Fully Qualified Domain Name (FQDN) instead of its IP address. If the other device does not understand that parameter, then a tunnel is not established.

Issue the isakmp identity address command to the PIX configuration to bring up VPN tunnels with non-Cisco devices.

New Member

Re: PIX Aggressive Mode

key-id = rsa-sig.

key-id means to use an RSA PKI key to identify the user, instead of hostname or address.

I would identify by address, and use a dynamic crypto-map.

New Member

Re: PIX Aggressive Mode

How do you identify by address when the address is dynamic? In the rest of the IPSEC world aggressive mode means you can use an identifier of your choice, since IP Address or host name are not static.

Is this a Cisco thing?

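The configuration the original poster is describing, written out as an added example for reference (this is not configuration from anyone in the thread or from Cisco documentation). It assumes a PIX 6.3 initiator with a dynamic outside address, a pre-shared key, and the key-id identity the question says negotiates aggressive mode; the peer address 203.0.113.1, the subnets, the key-id string ACME-BRANCH and the key placeholder are all made up for the example and need to match what the Symantec side expects.

```cisco
! Added example, not from the thread. Placeholders: 203.0.113.1 = Symantec peer,
! 10.1.1.0/24 = local LAN behind the PIX, 192.168.50.0/24 = remote LAN,
! ACME-BRANCH = key-id string agreed with the remote administrator.

! Interesting traffic for the tunnel, and exemption from NAT for the same flows
access-list VPN-TRAFFIC permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 2 proposal and the static crypto map pointing at the fixed-address peer
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map TO-SYMANTEC 10 ipsec-isakmp
crypto map TO-SYMANTEC 10 match address VPN-TRAFFIC
crypto map TO-SYMANTEC 10 set peer 203.0.113.1
crypto map TO-SYMANTEC 10 set transform-set STRONG
crypto map TO-SYMANTEC interface outside

! Phase 1: key-id identity (the PIX has no usable address or FQDN on DHCP),
! pre-shared key bound to the single peer address, pre-share authentication
isakmp enable outside
isakmp identity key-id ACME-BRANCH
isakmp key <LONG-RANDOM-PRESHARED-KEY> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let decrypted tunnel traffic bypass the interface ACL check
sysopt connection permit-ipsec
```

To confirm which mode and authentication method the PIX actually proposes, watch `debug crypto isakmp` while traffic matching VPN-TRAFFIC is generated, and check `show isakmp sa` for the resulting phase 1 state; the proposal the PIX sends should show pre-shared-key authentication, which is the point the Symantec logs in the question are disputing. Because aggressive mode carries the identity and the pre-shared-key hash before the exchange is encrypted, the key should be long and random, and the `isakmp key` entry should be pinned to the peer's single address (netmask 255.255.255.255) rather than a wildcard.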