Enterasys Networks XSR CLI Router User Manual


 
Remote Peer ISAKMP Protocol Policy Mode Commands
XSR CLI Reference Guide 14-101
Default
Disabled
Mode
Remote Peer ISAKMP protocol policy configuration: XSR(config-isakmp-peer)#
Example
The following example configures the IKE IP address assignment mode to client:
XSR(config)#crypto isakmp peer 2.2.2.2 255.255.255.0
XSR(config-isakmp-peer)#config-mode client
exchange-mode
This command sets IKE to main or aggressive exchange mode.
Syntax
exchange-mode {main | aggressive}
Syntax of the “no” Form
The no form of this command resets the exchange mode to the default:
no exchange-mode
Default
Aggressive mode
Mode
Remote Peer ISAKMP protocol policy configuration: XSR(config-isakmp-peer)#
Example
The following example configures the IKE mode to main:
XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255
XSR(config-isakmp-peer)#exchange-mode main
Notes: It is useful to specify a user ID instead of an IP address when configuring an SA in
aggressive mode (with pre-shared keys) for a peer whose IP address is dynamic. If you specify no
ID, its IP address will be used by default. But, in that case, you will have to re-configure (with a new
entry in the aaa user database) both ends of the tunnel every time the address changes. Use the
user-id <string> command instead.
Due to the vulnerability of pre-shared keys on VPN devices using aggressive mode tunnels,
Enterasys Networks recommends instead using a certificate or employing a very long password
which is not listed in a dictionary.
main
IKE exchange mode set to main mode.
aggressive
IKE exchange mode set to aggressive mode.
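
Added example (not from the Enterasys manual): because the default is aggressive mode, a peer entry with no exchange-mode main line still negotiates in aggressive mode. This Python script audits saved peer commands for that case. The sample configuration and its addresses are constructed, and it assumes the text uses the command forms shown on this page.

```python
import re

# Constructed sample, not from the manual: peer entries in the command
# form this page shows. Addresses are documentation ranges.
SAMPLE = """\
XSR(config)#crypto isakmp peer 192.0.2.10 255.255.255.255
XSR(config-isakmp-peer)#exchange-mode main
crypto isakmp peer 198.51.100.0 255.255.255.0
 config-mode client
crypto isakmp peer 203.0.113.5 255.255.255.255
 exchange-mode main
 no exchange-mode
crypto isakmp peer 203.0.113.9 255.255.255.255
 exchange-mode aggressive
"""

PROMPT = re.compile(r"^\s*\w+\([\w-]+\)#\s*")   # e.g. XSR(config-isakmp-peer)#
PEER = re.compile(r"^crypto isakmp peer (\S+) (\S+)$")
DEFAULT_MODE = "aggressive"                      # the Default stated on this page


def effective_modes(config_text):
    """Map each (ip, mask) peer to (mode, set_explicitly)."""
    peers, current = {}, None
    for raw in config_text.splitlines():
        line = " ".join(PROMPT.sub("", raw).split())
        match = PEER.match(line)
        if match:
            current = match.groups()
            peers.setdefault(current, (DEFAULT_MODE, False))
        elif current is None:
            continue
        # exchange-mode exists only in peer mode, so it belongs to `current`.
        elif line == "no exchange-mode":
            peers[current] = (DEFAULT_MODE, False)
        elif line in ("exchange-mode main", "exchange-mode aggressive"):
            peers[current] = (line.split()[1], True)
    return peers


def aggressive_peers(config_text):
    """Return (ip, mask, reason) for every peer left in aggressive mode."""
    return [(ip, mask, "explicit" if explicit else "default")
            for (ip, mask), (mode, explicit) in effective_modes(config_text).items()
            if mode == "aggressive"]


if __name__ == "__main__":
    for ip, mask, reason in aggressive_peers(SAMPLE):
        print(f"{ip} {mask}: aggressive mode ({reason})")
```

Peers reported with reason "default" are the ones most easily missed in review, since nothing in their entry mentions the exchange mode.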