Folks, in our previous chapter we discussed enabling a Site-to-Site IPSec VPN in the default IKE mode (Main Mode); here we will discuss using Aggressive Mode when creating the IPSec VPN.
Let's first discuss the difference between Main Mode and Aggressive Mode:
Main Mode:
An IKE session begins with the initiator sending one or more proposals to the responder. The proposals define which encryption and authentication algorithms are acceptable, how long keys should remain active, and whether perfect forward secrecy should be enforced. The first exchange between the peers establishes the basic security policy: the initiator proposes the encryption and authentication algorithms it is willing to use, and the responder chooses the appropriate proposal and sends it back to the initiator. The second exchange passes the Diffie-Hellman public values and nonces; all further negotiation is encrypted within the IKE SA. The third exchange authenticates the ISAKMP session, so the peer identities are only ever sent encrypted. Once the IKE SA is established, IPSec negotiation (Quick Mode) begins.
Aggressive Mode:
Aggressive Mode squeezes the IKE SA negotiation into three packets, with all data required for the SA passed by the initiator in the first packet. The responder sends its proposal, key material and ID, and authenticates the session in the second packet. The initiator replies by authenticating the session in the third. Negotiation is quicker, but the initiator and responder IDs pass in the clear, because they are exchanged before any encryption is in place; this is the trade-off against Main Mode, which protects the identities by sending them only after the IKE SA is encrypted.
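To make the difference between the two modes concrete on the wire, here is an added example (not part of the original post) that decodes the fixed ISAKMP header and payload chain of an IKEv1 datagram and reports what a monitoring rule would flag: exchange type 4 (Aggressive) and an ID payload carried while the Encryption flag is clear. The three sample messages are constructed inline with dummy payload bodies purely to exercise the parser; they are not captures from the lab routers.

```python
import struct

# ISAKMP fixed header (RFC 2408): iSPI, rSPI, next payload, version,
# exchange type, flags, message ID, total length -> 28 bytes
ISAKMP_HDR = "!8s8sBBBBII"
ISAKMP_HDR_LEN = 28
GENERIC_PAYLOAD_HDR = "!BBH"   # next payload, reserved, payload length (incl. header)

EXCHANGE_TYPES = {
    2: "Identity Protection (Main Mode)",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
}
PAYLOAD_TYPES = {
    1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
FLAG_ENCRYPTION = 0x01   # when set, everything after the header is ciphertext


def build_message(exchange_type, payloads, init_spi, resp_spi=b"\x00" * 8, flags=0, msg_id=0):
    """Assemble an ISAKMP datagram from (payload_type, payload_body) pairs.
    Only used to construct sample traffic; the bodies are placeholders."""
    body = b""
    for i, (ptype, pdata) in enumerate(payloads):
        next_payload = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack(GENERIC_PAYLOAD_HDR, next_payload, 0, 4 + len(pdata)) + pdata
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack(ISAKMP_HDR, init_spi, resp_spi, first, 0x10,
                      exchange_type, flags, msg_id, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def parse_isakmp(data):
    """Decode the header and walk the payload chain.
    'payloads' is None when the Encryption flag is set: the chain is then opaque."""
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    ispi, rspi, nxt, version, exch, flags, msg_id, length = struct.unpack(
        ISAKMP_HDR, data[:ISAKMP_HDR_LEN])
    if length != len(data):
        raise ValueError("length field %d does not match datagram size %d" % (length, len(data)))
    info = {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "payloads": None,
    }
    if info["encrypted"]:
        return info
    payloads, offset = [], ISAKMP_HDR_LEN
    while nxt != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header at offset %d" % offset)
        next_nxt, _reserved, plen = struct.unpack(GENERIC_PAYLOAD_HDR, data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        payloads.append(PAYLOAD_TYPES.get(nxt, "unknown(%d)" % nxt))
        offset, nxt = offset + plen, next_nxt
    info["payloads"] = payloads
    return info


def assess(data):
    """Findings a monitoring rule would raise for one IKEv1 datagram."""
    info = parse_isakmp(data)
    findings = []
    if info["exchange_type"] == 4:
        findings.append("IKEv1 Aggressive Mode negotiation (exchange type 4)")
        if info["payloads"] and "ID" in info["payloads"]:
            findings.append("ID payload carried unencrypted (Encryption flag clear)")
    return findings


# Constructed samples: first packet of each mode, plus Main Mode message 5 (encrypted IDs).
# The ID body is IPV4_ADDR (type 1) with a lab-style address; other bodies are dummies.
AGGRESSIVE_MSG1 = build_message(4, [(1, b"\x00" * 8), (4, b"\x11" * 128), (10, b"\x22" * 16),
                                    (5, b"\x01\x00\x00\x00" + bytes([10, 1, 12, 1]))],
                                init_spi=b"\xaa" * 8)
MAIN_MSG1 = build_message(2, [(1, b"\x00" * 8)], init_spi=b"\xbb" * 8)
MAIN_MSG5 = build_message(2, [(5, b"\x00" * 8), (8, b"\x00" * 16)], init_spi=b"\xbb" * 8,
                          resp_spi=b"\xcc" * 8, flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for name, msg in (("aggressive-1", AGGRESSIVE_MSG1), ("main-1", MAIN_MSG1), ("main-5", MAIN_MSG5)):
        info = parse_isakmp(msg)
        print(name, info["exchange_name"], "encrypted=%s" % info["encrypted"], info["payloads"], assess(msg))
```

Run against real traffic, the parser would be fed the UDP/500 payload of each datagram; the point it demonstrates is that an Aggressive Mode first packet already exposes the SA, KE, NONCE and ID payloads, while the equivalent Main Mode identity message is unparseable because the Encryption flag is set.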
We will use the same topology as in our previous lab:
The basic configuration remains the same: point-to-point IP addresses on the link between R1 and R2, and a default static route on each router toward the loopback of the other end.
We will use a pre-shared key of "cisco" on both ends to authenticate each other and negotiate the parameters.
Configuration on R1:
! IKE Phase 1 policy
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#authentication pre-shared
R1(config-isakmp)#hash md5
R1(config-isakmp)#group 2
! Peer-specific settings: initiate Aggressive Mode toward R2 with the pre-shared key "cisco"
R1(config)#crypto isakmp peer address 10.1.12.2
R1(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 10.1.12.2
R1(config-isakmp-peer)#set aggressive-mode password cisco
! IPSec Phase 2 transform set and crypto map
R1(config)#crypto ipsec transform-set R1-R2 esp-3des esp-md5-hmac
R1(config)#crypto map CM-R1-R2 10 ipsec-isakmp
R1(config-crypto-map)#set peer 10.1.12.2
R1(config-crypto-map)#set transform-set R1-R2
R1(config-crypto-map)#match address 150
! Interesting traffic: loopback to loopback
R1(config)#access-list 150 permit ip host 1.1.1.1 host 2.2.2.2
R1(config)#interface gi0/0
R1(config-if)#crypto map CM-R1-R2
Configuration on R2:
! IKE Phase 1 policy (must match R1)
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#authentication pre-shared
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
! Peer-specific settings: Aggressive Mode toward R1 with the same pre-shared key
R2(config)#crypto isakmp peer address 10.1.12.1
R2(config-isakmp-peer)#set aggressive-mode client-endpoint ipv4-address 10.1.12.1
R2(config-isakmp-peer)#set aggressive-mode password cisco
! IPSec Phase 2 transform set and crypto map
R2(config)#crypto ipsec transform-set R1-R2 esp-3des esp-md5-hmac
R2(config)#crypto map CM-R1-R2 10 ipsec-isakmp
R2(config-crypto-map)#set peer 10.1.12.1
R2(config-crypto-map)#set transform-set R1-R2
R2(config-crypto-map)#match address 150
! Interesting traffic: mirror image of R1's ACL
R2(config)#access-list 150 permit ip host 2.2.2.2 host 1.1.1.1
R2(config)#interface gi0/0
R2(config-if)#crypto map CM-R1-R2
Verification:
When the configuration is finished, you can verify that it has been implemented successfully with the following commands (generate traffic between the loopbacks first, since the tunnel is only built when interesting traffic matches access-list 150):
#show crypto isakmp sa (YOU SHOULD SEE THAT THE TUNNEL IS UP)
#show crypto ipsec sa (VERIFIES THAT IPSEC SA HAS BEEN NEGOTIATED AND TUNNEL IS UP)
#show crypto ipsec sa identity
#show crypto ipsec sa address
#show crypto engine connections active
You can enable debugging to watch the real three-message exchange between the two ends:
#debug crypto isakmp
#debug crypto ipsec
That's it: your tunnel is UP and your sessions are properly configured and showing UP.
Cheers,