Exchange-mode – Enterasys Networks X-Pedition XSR CLI User Manual

Remote Peer ISAKMP Protocol Policy Mode Commands

Default

Disabled

Mode

Remote Peer ISAKMP protocol policy configuration: 

XSR(config-isakmp-peer)#

Example

The following example configures the IKE IP address assignment mode to client:

XSR(config)#crypto isakmp peer 2.2.2.2 255.255.255.0
XSR(config-isakmp-peer)#config-mode client

exchange-mode

This command sets IKE to main or aggressive exchange mode.

Syntax

exchange-mode {main | aggressive}

Syntax of the “no” Form

The no form of this command resets the exchange mode to the default:

no exchange-mode

Default

Aggressive mode

Mode

Remote Peer ISAKMP protocol policy configuration: 

XSR(config-isakmp-peer)#

Example

The following example configures the IKE mode to main:

XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255
XSR(config-isakmp-peer)#exchange-mode main

Notes: It is useful to specify a user ID instead of an IP address when configuring an SA in
aggressive mode (with pre-shared keys) for a peer whose IP address is dynamic. If you specify no
ID, its IP address will be used by default. But, in that case, you will have to re-configure (with a new
entry in the aaa user database) both ends of the tunnel every time the address changes. Use the
user-id command instead.

Due to the vulnerability of pre-shared keys on VPN devices using aggressive mode tunnels,
Enterasys Networks recommends instead using a certificate or employing a very long password
which is not listed in a dictionary.

main          IKE exchange mode set to main mode.
aggressive    IKE exchange mode set to aggressive mode.
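
Because the default on this page is aggressive mode, a peer entry with no exchange-mode line negotiates in aggressive mode. The following Python script is an added example, not part of the Enterasys manual: it reads configuration lines in the form used by the examples above and lists the peers whose effective mode is aggressive, so their authentication settings can be reviewed against the note on pre-shared keys. The sample configuration is constructed (10.0.0.1 is a made-up peer), and the input format (one command per line, optional XSR prompt) is an assumption.

```python
import re

DEFAULT_MODE = "aggressive"  # default stated on this page
PROMPT = re.compile(r"^XSR\([^)]*\)#\s*")
PEER = re.compile(r"^crypto isakmp peer (\S+) (\S+)$")
MODE = re.compile(r"^(no )?exchange-mode(?: (main|aggressive))?$")

# Constructed sample, built only from commands shown on this page.
SAMPLE_CONFIG = """\
XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255
XSR(config-isakmp-peer)#exchange-mode main
XSR(config)#crypto isakmp peer 2.2.2.2 255.255.255.0
XSR(config-isakmp-peer)#config-mode client
XSR(config)#crypto isakmp peer 10.0.0.1 255.255.255.255
XSR(config-isakmp-peer)#exchange-mode main
XSR(config-isakmp-peer)#no exchange-mode
"""

def effective_exchange_modes(config_text):
    """Return {(address, mask): mode} for every peer entry in the text."""
    modes, current = {}, None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())  # drop the CLI prompt if present
        peer = PEER.match(line)
        if peer:
            current = (peer.group(1), peer.group(2))
            modes.setdefault(current, DEFAULT_MODE)  # no line yet: default applies
            continue
        mode = MODE.match(line)
        if mode and current is not None:
            if mode.group(1):        # "no exchange-mode" resets to the default
                modes[current] = DEFAULT_MODE
            elif mode.group(2):      # explicit main or aggressive
                modes[current] = mode.group(2)
        elif line.startswith("crypto "):  # another global command ends the block
            current = None
    return modes

def peers_needing_review(config_text):
    """Peers that will negotiate in aggressive mode, explicitly or by default."""
    modes = effective_exchange_modes(config_text)
    return sorted(peer for peer, mode in modes.items() if mode == "aggressive")

if __name__ == "__main__":
    for address, mask in peers_needing_review(SAMPLE_CONFIG):
        print(f"{address} {mask}: aggressive mode, review authentication method")
```

The script cannot tell whether a flagged peer authenticates with a pre-shared key or a certificate, because that setting is not among the commands on this page; it only narrows down which peers to check.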