Solved: IPSec Agressive mode, and Crypto Map

Nedeljko Scepanovic · ‎08-28-2015

Hi, how are you :).

I have one question, about router Cisco 2911, and Juniper Netscreen 25, ver 5.4. I must start IP Sec tunnel between these two devices. I must use agressive mode, I saw this in configuration document. Question, how can I use agressive mode, I did not found anything? I worked with IPSec, but I did not change Phase 1 mode never , I think, always was main mode. I want to use Crypto map. (We can not use tunnel interface)

Have a nice day :)

PHASE 1 (IKE Policy)
Authentication Method	Pre-shared key
DH Group (1, 2 i 5)	Group 2
Encryption Algorithm	3DES
Hash Algorithm	MD5
Lifetime	1440 Minutes (= = 86400 seconds)
Supports Aggressive Mode	YES
PHASE 2 (IPSec Parameters)
Perfect Forward Secrecy	DH Group 2
Encapsulation	Encryption (ESP)
Encryption Algorithm	3DES
Authentication Algorithm	SHA1
Lifetime	1440 Minutes (= = 86400 seconds)

CCNA R&S, CCNA Security

Robert Hillcoat · ‎08-31-2015

I've attached what i know to be a working config because i just created this on GNS3.

Your ACL is not correct it should be source to destination not destination to source.

You are missing the following config. The address should be the routers local address.

set aggressive-mode client-endpoint ipv4-address x.x.x.x

View solution in original post

Robert Hillcoat · ‎08-28-2015

You can use the commands below to set aggressive mode.

crypto isakmp peer address x.x.x.x
set aggressive-mode password 'password'
set aggressive-mode client-endpoint ipv4-address x.x.x.x

Here is a short explanation of the difference between the modes.

https://supportforums.cisco.com/document/31741/main-mode-vs-aggressive-mode

Nedeljko Scepanovic · ‎08-28-2015

Hi Robert, thank you for the fast answer :). set aggressive-mode password 'password', is the same password, like from line, crypto isakmp key 'password' address x.x.x.x ????

Is this working configuration, I wrote from my head? I did not check my configuration

crypto isakmp policy 60
encr esp
authentication pre-share
group 2
lifetime 86400
crypto isakmp peer address x.x.x.x
set aggressive-mode password 'password'
set aggressive-mode client-endpoint ipv4-address x.x.x.x

crypto isakmp key 'password' address x.x.x.x.
!
!
crypto ipsec transform-set VPN esp-aes esp-md5-hmac
!
crypto map VPN 60 ipsec-isakmp
set peer x.x.x.x
set transform-set VPN
set pfs group2
match address VPN

and int config mode,

int g0

crypto map VPN

CCNA R&S, CCNA Security

Robert Hillcoat · ‎08-28-2015

You don't require the line "crypto isakmp key 'password' address x.x.x.x." You've already specified the password.

use the commands such as debug crypto ipsec, debug crypto isakmp, debug crypto engine to troubleshoot.

Instead of doing this from your head you should lab this up and check it works first.

Nedeljko Scepanovic · ‎08-30-2015

Hi Robert, How are you ?

I got my config from router, and I have errors, I try with aggressive mode, a got some errors....I am very close :) What you think ?

my config

crypto isakmp policy 60
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp peer address 1.1.1.1
set aggressive-mode password 1234567

crypto ipsec transform-set UCCG esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map VPN 60 ipsec-isakmp
set peer 1.1.1.1
set transform-set UCCG
set pfs group2
match address UCCG
exit

ip access-list extended UCCG
permit ip host 1.1.1.1 host 2.2.2.2

errors

R2#ping 1.1.1.1 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2

*Aug 30 23:45:47.583: ISAKMP:(0): SA request profile is (NULL)
*Aug 30 23:45:47.583: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Aug 30 23:45:47.587: ISAKMP: New peer created peer = 0x679EB620 peer_handle = 0x8000000D
*Aug 30 23:45:47.587: ISAKMP: Locking peer struct 0x679EB620, refcount 1 for isakmp_initiator
*Aug 30 23:45:47.587: ISAKMP: local port 500, remote port 500
*Aug 30 23:45:47.591: ISAKMP: set new node 0 to QM_IDLE
*Aug 30 23:45:47.591: ISAKMP:(0):insert sa successfully sa = 65B3560C
*Aug 30 23:45:47.595: ISAKMP:(0):SA has tunnel attributes set.
*Aug 30 23:45:47.599: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Aug 30 23:45:47.599: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Aug 30 23:45:47.599: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Aug 30 23:45:47.603: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Aug 30 23:45:47.603: ISAKMP:(0):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug 30 23:45:47.607: ISAKMP (0): .ID payload
next-payload : 13
type : 1
address : 10.0.0.1
protocol : 17
port : 0
length : 12
*Aug 30 23:45:47.611: ISAKMP:(0):Total payload length: 12
*Aug 30 23:45:47.615: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Aug 30 23:45:47.615: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1

*Aug 30 23:45:47.619: ISAKMP:(0): beginning Aggressive Mode exchange
*Aug 30 23:45:47.619: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Aug 30 23:45:47.623: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug 30 23:45:47.807: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Aug 30 23:45:47.807: ISAKMP:(0): processing SA payload. message ID = 0
*Aug 30 23:45:47.807: ISAKMP:(0): processing ID payload. message ID = 0
*Aug 30 23:45:47.807: ISAKMP (0): ID payload
next-payload : 10
type : 1
address : 1.1.1.1
protocol : 0
port : 0
length : 12
*Aug 30 23:45:47.807: ISAKMP:(0):: peer matches *none* of the profiles
*Aug 30 23:45:47.807: ISAKMP:(0): processing vendor id payload
*Aug 30 23:45:47.807: ISAKMP:(0): vendor ID is Unity
*Aug 30 23:45:47.807: ISAKMP:(0): processing vendor id payload
*Aug 30 23:45:47.807: ISAKMP:(0): vendor ID is DPD
*Aug 30 23:45:47.807: ISAKMP:(0): processing vendor id payload
*Aug 30 23:45:47.807: ISAKMP:(0): speaking to another IOS box!
*Aug 30 23:45:47.807: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Aug 30 23:45:47.807: ISAKMP:(0): local preshared key found
*Aug 30 23:45:47.807: ISAKMP : Scanning profiles for xauth ...
*Aug 30 23:45:47.807: ISAKMP:(0):Checking ISAKMP transform 1 against priority 60 policy
*Aug 30 23:45:47.807: ISAKMP: encryption AES-CBC
*Aug 30 23:45:47.807: ISAKMP: keylength of 128
*Aug 30 23:45:47.807: ISAKMP: hash MD5
*Aug 30 23:45:47.807: ISAKMP: default group 2
*Aug 30 23:45:47.807: ISAKMP: auth pre-s.hare
*Aug 30 23:45:47.807: ISAKMP: life type in seconds
*Aug 30 23:45:47.807: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Aug 30 23:45:47.807: ISAKMP:(0):atts are acceptable. Next payload is 0
*Aug 30 23:45:47.807: ISAKMP:(0):Acceptable atts:actual life: 86400
*Aug 30 23:45:47.807: ISAKMP:(0):Acceptable atts:life: 0
*Aug 30 23:45:47.807: ISAKMP:(0):Fill atts in sa vpi_length:4
*Aug 30 23:45:47.807: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Aug 30 23:45:47.807: ISAKMP:(0):Returning Actual lifetime: 86400
*Aug 30 23:45:47.807: ISAKMP:(0)::Started lifetime timer: 86400.

*Aug 30 23:45:47.807: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Aug 30 23:45:47.807: ISAKMP:(0): processing KE payload. message ID = 0
*Aug 30 23:45:47.851: ISAKMP:(0): processing NONCE payload. message ID = 0
*Aug 30 23:45:47.851: ISAKMP:(0):SA using tunnel password as pre-shared key.
*Aug 30 23:45:47.855: ISAKMP:(1004): processing HASH payload. message ID = 0
*Aug 30 23:45:47.855: ISAKMP:(1004): Hash payload is incorrect!
*Aug 30 23:45:47.859: ISAKMP (1004): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH: state = IKE_I_AM1
*Aug 30 23:45:47.859: ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Aug 30 23:45:47.863: ISAKMP:(1004):Old State = IKE_I_AM1 New State = IKE_I_AM1

*Aug 30 23:45:47.863: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 1.1.1.1...
Success rate is 0 percent (0/5)
R2#
*Aug 30 23:45:57.623: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH...
*Aug 30 23:45:57.623: ISAKMP (1004): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Aug 30 23:45:57.627: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH
*Aug 30 23:45:57.627: ISAKMP:(1004): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Aug 30 23:45:57.631: ISAKMP:(1004):Sending an IKE IPv4 Packet.
*Aug 30 23:45:58.219: ISAKMP (1004): received packet from 1.1.1.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Aug 30 23:45:58.223: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.1.1.1 was not encrypted and it should've been.
R2#
*Aug 30 23:45:58.223: ISAKMP (1004): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Aug 30 23:45:59.223: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH...
*Aug 30 23:45:59.223: ISAKMP (1004): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Aug 30 23:45:59.227: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH
*Aug 30 23:45:59.227: ISAKMP:(1004): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Aug 30 23:45:59.227: ISAKMP:(1004):Sending an IKE IPv4 Packet.
R2#
*Aug 30 23:45:59.755: ISAKMP (1004): received packet from 1.1.1.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Aug 30 23:45:59.755: ISAKMP:(1004): phase 1 packet is a duplicate of a previous packet.
*Aug 30 23:45:59.759: ISAKMP:(1004): retransmission skipped for phase 1 (time since last transmission 532)
R2#
*Aug 30 23:46:09.227: ISAKMP:(1004): retransmitting phase 1 AG_INIT_EXCH...
*Aug 30 23:46:09.227: ISAKMP (1004): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

and

IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 10.0.0.2 AG_INIT_EXCH 1006 ACTIVE

IPv6 Crypto ISAKMP SA

R2#
R2#
R2#
*Aug 31 00:07:00.939: ISAKMP: set new node 0 to QM_IDLE
*Aug 31 00:07:00.939: ISAKMP:(1006):SA is still budding. Attached new ipsec request to it. (local 10.0.0.2, remote 1.1.1.1)
*Aug 31 00:07:00.939: ISAKMP: Error while processing SA request: Failed to initialize SA
*Aug 31 00:07:00.939: ISAKMP: Error while processing KMI message 0, error 2.
R2#
*Aug 31 00:07:02.587: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*Aug 31 00:07:02.587: ISAKMP (1006): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Aug 31 00:07:02.591: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH
*Aug 31 00:07:02.591: ISAKMP:(1006): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Aug 31 00:07:02.595: ISAKMP:(1006):Sending an IKE IPv4 Packet.
*Aug 31 00:07:03.147: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) AG_INIT_EXCH
*Aug 31 00:07:03.147: ISAKMP:(1006): phase 1 packet is a duplicate of a previous packet.
R2#
*Aug 31 00:07:03.151: ISAKMP:(1006): retransmission skipped for phase 1 (time since last transmission 556)
R2#
R2#sh cr
*Aug 31 00:07:12.595: ISAKMP:(1006): retransmitting phase 1 AG_INIT_EXCH...
*Aug 31 00:07:12.595: ISAKMP:(1006):peer does not do paranoid keepalives.

*Aug 31 00:07:12.599: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 1.1.1.1)
*Aug 31 00:07:12.607: ISAKMP:(1006):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 1.1.1.1)
*Aug 31 00:07:12.611: ISAKMP: Unlocking peer struct 0x679EB620 for isadb_mark_sa_deleted(), count 0
*Aug 31 00:07:12.611: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 679EB620
*Aug 31 00:07:12.615: ISAKMP:(1006):deleting node 550039179 error FALSE reason "IKE deleted"
R2#sh cry
*Aug 31 00:07:12.615: ISAKMP:(1006):deleting node -474479392 error FALSE reason "IKE deleted"
*Aug 31 00:07:12.619: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Aug 31 00:07:12.623: ISAKMP:(1006):Old State = IKE_I_AM1 New State = IKE_DEST_SA

*Aug 31 00:07:13.159: ISAKMP (1006): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
R2#sh cry isak sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 10.0.0.2 MM_NO_STATE 1006 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

R2#
*Aug 31 00:08:02.615: ISAKMP:(1006):purging node 550039179
*Aug 31 00:08:02.623: ISAKMP:(1006):purging node -474479392

CCNA R&S, CCNA Security

Robert Hillcoat · ‎08-31-2015

I've attached what i know to be a working config because i just created this on GNS3.

Your ACL is not correct it should be source to destination not destination to source.

You are missing the following config. The address should be the routers local address.

set aggressive-mode client-endpoint ipv4-address x.x.x.x

Nedeljko Scepanovic · ‎08-31-2015

Sorry Robert, I saw that, after I wrote last post. I fix everything :). ACL are ok, but I made, bigger mistake xD.

crypto map VPN 60 ipsec-isakmp
set peer 1.1.1.1 <==== This is loopback 0 int
set transform-set UCCG
set pfs group2
match address UCCG
exit

Since I changed to this, everything was fine :)

crypto map VPN 60 ipsec-isakmp
set peer 10.0.0.1 or 10.0.0.2
set transform-set UCCG
set pfs group2
match address UCCG

last question, about set aggressive-mode client-endpoint ipv4-address 10.0.0.2

Which address I must put here. I try with local host, and remote, works in every case

Working configuration
R1 add 10.0.0.1

crypto isakmp policy 60
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp peer address 10.0.0.2
set aggressive-mode password 1234567
set aggressive-mode client-endpoint ipv4-address 10.0.0.2
!
!
crypto ipsec transform-set UCCG esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map VPN 60 ipsec-isakmp
set peer 10.0.0.2
set transform-set UCCG
set pfs group2
match address UCCG

Thanks a lot :)

CCNA R&S, CCNA Security

Robert Hillcoat · ‎08-31-2015

Glad i could help.

Teck Sing · ‎04-23-2024

last question, about set aggressive-mode client-endpoint ipv4-address 10.0.0.2

Which address I must put here. I try with local host, and remote, works in every case

This command only specifies a tunnel-client-endpoint attribute - fqdn or address, actually you could input any address as long as it complies with IP format, even the same address on both ends.

- Teck Sing