03-30-2022 08:02 AM - edited 03-31-2022 09:48 AM
Hi, we have a router C2921. When Tenable scanned it for vulnerabilities, we got the following info. Not sure if it's a VPN configuration issue. Can anyone provide suggestions to resolve it? Thank you
of a VPN gateway and gain unauthorized access to private networks.
The remote Internet Key Exchange (IKE) version 1 service seems to
- Disable Aggressive Mode if supported.
03-30-2022 08:09 AM
Can you post the output :
show crypto ikev1 sa
03-30-2022 08:10 AM - edited 03-30-2022 08:13 AM
@Leftz it may show up as vulnerable in a report, but unless you have an IKEv1 remote access VPN it's likely not a problem.
Aggressive mode can be disabled using - "crypto isakmp aggressive-mode disable"
Use IKEv2 which does not use aggressive mode.
03-30-2022 08:44 AM
Thank you for your reply.
@balaji.bandi, the command show crypto ikev2 sa shows nothing there, and the command show crypto ikev1 sa cannot be used.
@Rob Ingram, Aggressive mode can be disabled using - "crypto isakmp aggressive-mode disable" ---- Can this command impact something else?
03-30-2022 08:50 AM
Can you post your config so we can look at what tunnel is configured here?
03-30-2022 08:53 AM
@Leftz use "show crypto isakmp sa" if "show crypto ikev1 sa" cannot be used.
As stated, aggressive mode is only used with IKEv1 remote access VPN. If you provide the output of "show crypto isakmp sa" it will determine whether Main Mode (MM) or Aggressive Mode (AM) was used.
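To make the check above repeatable across a fleet of routers, here is a small parser for "show crypto isakmp sa" output. This is an added example, not code from the thread or from Cisco; the sample output below is constructed for the example (it mimics the IOS column layout, with MM_*, AG_* and QM_IDLE states) and the classification relies only on the state-name prefix: MM_* for Main Mode, AG_* for Aggressive Mode, QM_IDLE once Phase 1 has completed and Quick Mode is idle.

```python
import re
from collections import Counter

# Constructed sample output in the column layout of "show crypto isakmp sa"
# on Cisco IOS. These lines are invented for this example, not taken from a
# real device.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE (deleted)
5.1.1.8         3.2.2.9         QM_IDLE           1005 ACTIVE
5.1.1.8         3.2.2.7         AG_INIT_EXCH         0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# One SA row: dst, src, state (upper-case with underscores), conn-id, status.
# The header row and section titles do not match because their "state" or
# "conn-id" columns are not upper-case / numeric.
SA_LINE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?P<status>.+?)\s*$"
)


def classify(state):
    """Map an ISAKMP state name to the IKEv1 exchange it belongs to.

    MM_*    Main Mode, Phase 1 in progress or failed
    AG_*    Aggressive Mode, Phase 1 in progress or failed
    QM_IDLE Phase 1 complete, Quick Mode (Phase 2) idle; the state name no
            longer reveals which Phase 1 exchange was used
    """
    if state.startswith("MM_"):
        return "main-mode"
    if state.startswith("AG_"):
        return "aggressive-mode"
    if state == "QM_IDLE":
        return "established"
    return "unknown"


def parse_isakmp_sa(text):
    """Return one dict per SA row, with a 'mode' key added by classify()."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["mode"] = classify(row["state"])
        sas.append(row)
    return sas


def aggressive_mode_peers(text):
    """Peers (src, dst) currently negotiating Phase 1 in Aggressive Mode."""
    return [(sa["src"], sa["dst"]) for sa in parse_isakmp_sa(text)
            if sa["mode"] == "aggressive-mode"]


def summary(text):
    """Count SAs per mode, e.g. {'main-mode': 2, 'established': 1, ...}."""
    return Counter(sa["mode"] for sa in parse_isakmp_sa(text))


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(f"{sa['src']:>15} -> {sa['dst']:<15} {sa['state']:<14} {sa['mode']}")
    print(dict(summary(SAMPLE_OUTPUT)))
    print("aggressive-mode peers:", aggressive_mode_peers(SAMPLE_OUTPUT))
```

The parser only sees the mode while an SA is still in a Phase 1 state; an SA that has already reached QM_IDLE shows nothing about whether it got there via MM or AM, so for a point-in-time audit the useful signals are any AG_* rows and, on the configuration side, whether "crypto isakmp aggressive-mode disable" is present.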
03-30-2022 12:43 PM
Please see the below:
A01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE (deleted)
03-30-2022 01:59 PM
As suggested, you are using MM, so you can delete:
crypto isakmp aggressive-mode disable
03-30-2022 02:18 PM
What should aggressive mode look like in the output of the command show crypto isakmp sa? Thank you
03-31-2022 03:27 AM
The following four modes are found in IKE main mode
The following three modes are found in IKE aggressive mode
03-31-2022 08:50 AM
Thank you balaji. Can we say both modes, main mode and aggressive mode, are enabled at the same time by default, or does only ONE mode have to be enabled?
03-31-2022 08:55 AM
@Leftz yes, both MM and AM are enabled by default in IKEv1; you need to explicitly disable it with the command previously provided.
AM is legacy and generally only used for IKEv1 Remote Access VPN.
From your output you've confirmed your VPN are using MM, so AM is not in use.
04-06-2022 08:52 AM - edited 04-06-2022 08:54 AM
@Rob Ingram Thank you for your explanation!
Actually there are three kinds of mode in the device: MM, AM, and Quick Mode. The QM is similar to AM. So in this device, can we still disable AM?
04-06-2022 09:04 AM - edited 04-06-2022 09:28 AM
@Leftz no, that's incorrect, AM is not similar to QM. AM or MM are used in IKEv1 Phase 1 to form the IKE SA.
QM is used in Phase 2 to form the IPSec SA, which can only be established if the IKE SA has been successfully formed using MM/AM.
04-06-2022 01:04 PM - edited 04-06-2022 01:08 PM
Thank you Rob. You are right. It looks like "QM_IDLE" is the only expression of an active tunnel, but when it shows "QM_IDLE" in the output of show crypto isakmp sa, how can we know if it is MM or AM, since either MM or AM can go into QM?