RA VPN

Anukalp S
Level 1

Hello experts, please help me out here. I have been running the Cisco client IPSec RA VPN with pre-shared key authentication on an ASA, but it is an aggressive mode connection. I want to change it to main mode. Please tell me which configuration changes I would have to make on the ASA to set up a main mode IPSec RA VPN.

 

Anukalp S
Level 1

Hi, I have gone through some articles in which I read that with pre-shared key authentication in IPSec RA VPN, main mode is not possible. Pre-shared key authentication only works with aggressive mode, and in main mode we have to use certificate authentication instead of a pre-shared key. Is this correct?

Please advise.

Hello Anukalp,

What is the version of the ASA code that you are using?

Regards,

Jai Ganesh K

Hi Jai, I have an ASA 5525 running in HA mode, on version 9.1(2).

> Pre-shared key authentication only works with aggressive mode, and in main mode we
> have to use certificate authentication instead of a pre-shared key. Is this correct?

Yes, that's correct. What's the reason that you want to change to main mode? If it's because of security/crypto concerns, you should migrate to AnyConnect with IPSec, which uses IKEv2. The crypto used is stronger than with the legacy EzVPN/IKEv1.

Yes Karsten, since aggressive mode is less secure, that is why I am looking for a main mode RA VPN.

Does the AnyConnect method which you stated above require any type of license installed on the ASA, and does the AnyConnect client need to be installed on the client machine? Could you post a config example for this method?

Also, is there any other good way to secure the RA VPN connection?

Please advise.

I have the below license currently installed on my ASA.

 

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Disabled       perpetual
 

Hello Anukalp,


Remote access IPSec VPN tunnels using a pre-shared key for encryption use Aggressive Mode. Hence, once aggressive mode is disabled, you can use certificate authentication of remote IPSec users, which then becomes a six-packet-exchange VPN connection, making it Main Mode.

To change the Phase 1 VPN negotiation mode from Aggressive to Main, reconfigure the ASA to authenticate the users using digitally signed certificates instead of pre-shared keys.

You can verify the mode used with the 'show crypto isakmp sa' command. You can also check the same at both ends of the tunnel. Both peers will show the mode (in Phase 1) as MM_ACTIVE. The "MM" here indicates Main Mode. If this were showing as AM_ACTIVE then it would mean Aggressive Mode; the AM_ACTIVE state denotes that Aggressive Mode was used to set it up. Additionally, aggressive mode comes into the picture when we have random peers. Main Mode cannot be used in a configuration where the IP address of a VPN endpoint may change (NAT) or when the IP address of a VPN endpoint is not known ahead of time (telecommuters). So Main Mode would be applicable for L2L VPN tunnels and Aggressive Mode would apply for Remote Access VPN.

Phase 1 ISAKMP negotiations can use either main mode or aggressive mode. Both provide the same services, but aggressive mode requires only two exchanges between the peers totaling 3 messages, rather than three exchanges totaling 6 messages. Aggressive mode is faster, but does not provide identity protection for the communicating parties. Therefore, the peers must exchange identification information prior to establishing a secure SA.

Main mode is slower, using more exchanges, but it protects the identities of the communicating peers.

Aggressive mode is faster, but does not protect the identities of the peers.

For remote access which uses the Cisco VPN Client, aggressive mode would always be used in case you are "not" using certificates.

In other words, if you want to make sure that your remote access employs main mode, the only way to achieve that is to use certificates for it. I would like to inform you that Aggressive mode is typically used in the case of Easy VPN (EzVPN), with software (Cisco VPN Client) and hardware clients (Cisco ASA 5505 Adaptive Security Appliance or Cisco IOS Software routers), but only when a pre-shared key is used. Unlike main mode, aggressive mode consists of three messages. Therefore disabling aggressive mode won't affect your site-to-site tunnels, but in case you are using VPN clients with pre-shared key authentication and not certificates, then you might not be able to connect your clients using AnyConnect or the Cisco IPSec Client to the ASA.

When using the IPSec client you cannot disable Aggressive mode if you are using a pre-shared key. You can disable Aggressive mode only if you are using certificate-based authentication.

 

Please go through the following link for disabling aggressive mode:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1051341

I understand that the requirement is to change the Phase 1 VPN negotiation mode from Aggressive to Main and thus reconfigure the ASA to authenticate the users using digitally signed certificates instead of pre-shared keys.

 

You may refer to the link below, which provides an example of configuring the ASA and the Cisco VPN Remote Client to use digitally signed certificates for authentication:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

Also, the following link provides a configuration example for configuring the ASA for AnyConnect VPN using a self-signed certificate:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

 

The below link details steps required for configuring AnyConnect VPN Client connections:

 

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html

 

Hope this information helps. Please let me know if you have any further doubts.
 

Regards,

Jai Ganesh K
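The verification step Jai describes above, turned into a small check, as an added example that is not part of the thread and not Cisco's own tooling: it parses the IKEv1 section of 'show crypto isakmp sa' output and reports which peers negotiated Phase 1 in aggressive mode (AM_* state) rather than main mode (MM_* state). The sample output, peer addresses and exact column layout are constructed here and assumed to follow the ASA 9.x format.

```python
import re

# Constructed sample of the IKEv1 section of ASA 9.x 'show crypto isakmp sa'
# (not captured from a real device): one remote-access user SA that was set
# up in aggressive mode (AM_ACTIVE) and one site-to-site SA in main mode.
SAMPLE_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 192.0.2.10
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 198.51.100.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# One SA entry: peer, type, role, rekey flag and Phase 1 state, in that order.
SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s*Type\s*:\s*(?P<type>\S+)\s*Role\s*:\s*(?P<role>\S+)"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s*State\s*:\s*(?P<state>\S+)"
)

def phase1_mode(state):
    """Map an IKEv1 state (MM_ACTIVE, AM_ACTIVE, ...) to its Phase 1 mode."""
    if state.startswith("MM_"):
        return "main"
    if state.startswith("AM_"):
        return "aggressive"
    return "unknown"

def parse_ikev1_sas(output):
    """Return one dict per IKEv1 SA found in the command output."""
    sas = []
    for match in SA_RE.finditer(output):
        sa = match.groupdict()
        sa["mode"] = phase1_mode(sa["state"])
        sas.append(sa)
    return sas

def aggressive_mode_peers(output):
    """Peers whose Phase 1 ran in aggressive mode: on the ASA these are the
    remote-access clients still authenticating with a pre-shared key."""
    return [sa["peer"] for sa in parse_ikev1_sas(output) if sa["mode"] == "aggressive"]
```

Run it against the saved output of the command on both ends of a tunnel; any peer it lists has not been moved to certificate (main mode) or IKEv2 authentication yet.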

Thanks Jai for shedding light on this in depth. I will go through these links and will let you know of any concern.

Hello Anukalp,

Sure, let me know if there is any further concern on the same. Also, please rate helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.

 

Regards,

Jai Ganesh K

You need the "AnyConnect Essentials" license, which is typically sold for less than $200. The configuration is explained in the following discussion:

https://supportforums.cisco.com/document/74111/asa-anyconnect-ikev2-configuration-example

Hi Karsten, in the shared link I am a bit confused about the certificates which would be installed on the ASA itself.

On the user side we can have authentication either using a certificate or username/password.

But which certificate would be installed on the ASA, and where and how can it be installed? Please clear my confusion.

The users need to know that they are connecting to the right VPN gateway (in EzVPN this is a problem with only a PSK, as you can't distinguish between a gateway and another user). For that, an approach is used that is similar to the hybrid authentication in EzVPN:

The ASA has an identity certificate, for example from your own CA. Your clients need to trust this certificate. With that, the users can authenticate the gateway.

The gateway can then authenticate the users with a method of your choice, username/password for example.

You should also think about migration to SSL/TLS VPN with AnyConnect. The same license is needed, but the config is much easier as none of the crypto ike/ipsec commands are involved. You only need to get a certificate from one of the public CAs (Entrust, RapidSSL, Startssl.com ...) and do very little more config for that.
