cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6564
Views
10
Helpful
3
Replies

VPN Aggressive mode where are you?

dc_specialist
Level 1
Level 1

Hello,

 

I am using an ASA 5545 with a 9.8(2)38 IOS and during an audit using Nipper I got flagged for aggressive mode being enabled.

I can't find AM or aggressive (or MM or Main Mode) anywhere in the show run or the sh crypto isakmp sa detail. 

So how do I know for sure my VPN is using aggressive mode or not?

 

Thanks

 

3 Replies 3

Hi,

The command "crypto ikev1 am-disable" disables aggressive mode, if you don't see this command in your configuration then aggressive mode is enabled. To enable it you use "no crypto ikev1 am-disable" < this is on by default, it is NOT displayed in the configuration.

 

Use "show crypto isakmp sa" and check the state, which is probably MM_ACTIVE - which means it used Main Mode. If not using Main Mode, it would start AM_ for aggressive mode.

 

ASA-2(config-tunnel-ipsec)# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.1
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE

 

Hello RJI,

 

I notice you have that 

show crypto isakmp sa

 inside of the config mode. I am looking for a command I can just run from privileged mode. I'm not the main Cisco person and I am just looking to verify without taking the chance of messing up a config.

 

Using show crypto isakmp sa I do see that my ASA is the initiator but I don't see State : anywhere.

Just curious if this is the default and my ASA is accepting Main Mode or Aggressive Mode connections.

Thanks 

Perhaps you don't have the rights to view the entire output. Perhaps get full rights and run the command again, the "show" command will not mess anything up.

If you have permissions to run a debug, you could run "debug crypto isakmp" or "debug crypto ikev1" and observe the establishment of an IKE SA, if it has MM_ACTIVE, MM_WAIT_MSG or MM_KEY_EXCH in the output then the VPN is being established with Main Mode.

If you don't have "crypto ikev1 am-disable" in the running configuration, then it's likely aggressive mode is enabled. It's also likely that main mode is used for the VPNs.

HTH
Review Cisco Networking for a $25 gift card