Disable aggressive mode

f.aoun
Level 1

We wanted to know if there is a way to disable “Aggressive mode” on the VPN concentrator.

For example, on the ASA, we can do it using the command “isakmp am-disable”

On a router we can do it using the command “crypto isakmp aggressive-mode disable”.

Is there a similar command on the VPN concentrator?

Your help is appreciated.

4 Replies

On the VPN Concentrator Web console, go to this page:

Configuration > Policy Management > Traffic Management > Security Associations

select the IPSec SA created for the particular VPN session, then Modify

Go under IKE Parameters and then change the Negotiation Mode.

Hope this Helps.

Thx. Does this prevent a VPN client from using aggressive mode? From the tests it seems that it can still access using aggressive mode (is that normal)? (Using preshared.)

The setting I had mentioned is only for a particular L2L IPSEC tunnel.

Fadi,

Are you using Pre-Shared Keys or Certificates for Authentication? Please refer to the link below for information on VPN Client AM and MM.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html

Aggressive Mode is the default and the only mode available for Pre-shared key, and Main Mode is only available for Cert authentication.

So, it is my understanding that it is not possible for VPN clients to use main mode to authenticate to the VPN3000 with pre-shared keys.

Regards,

Arul

*Pls rate if it helps*
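One way to check from a packet capture whether peers are still negotiating IKEv1 in Aggressive Mode, as the test mentioned in the thread suggests. This is an added example, not code from any poster or from Cisco. The exchange-type values come from RFC 2408/2409; the function names, sample packets and 192.0.2.x addresses are constructed for illustration.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order:
# initiator cookie, responder cookie, next payload, version, exchange type,
# flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# IKEv1 exchange types (RFC 2408 / RFC 2409).
EXCHANGE_NAMES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
NON_ESP_MARKER = b"\x00" * 4  # precedes IKE messages on UDP/4500 (RFC 3948)


def classify_ike(payload: bytes, udp_port: int = 500) -> str:
    """Name the IKEv1 exchange in one UDP payload, or say why it is not IKEv1."""
    if udp_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return "not-ike"  # ESP-in-UDP data, not a key exchange message
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return "truncated"
    _, _, _, version, xchg, _, _, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1:  # major version lives in the high nibble
        return "not-ikev1"
    if length < ISAKMP_HDR.size:
        return "malformed"
    return EXCHANGE_NAMES.get(xchg, f"other({xchg})")


def aggressive_peers(packets):
    """packets: iterable of (src_ip, udp_port, udp_payload) tuples.
    Returns the sorted source addresses seen using Aggressive Mode."""
    return sorted({src for src, port, data in packets
                   if classify_ike(data, port) == "aggressive"})


def make_hdr(xchg: int, version: int = 0x10) -> bytes:
    # Constructed header only: dummy cookies, next payload 1 (SA), no flags.
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, version, xchg, 0, 0,
                           ISAKMP_HDR.size)


# Constructed sample traffic (documentation addresses, no real capture).
SAMPLE = [
    ("192.0.2.10", 500, make_hdr(2)),                      # Main Mode
    ("192.0.2.20", 500, make_hdr(4)),                      # Aggressive Mode
    ("192.0.2.30", 4500, NON_ESP_MARKER + make_hdr(4)),    # Aggressive via NAT-T
    ("192.0.2.40", 4500, b"\x12\x34\x56\x78" + bytes(40)), # ESP-in-UDP
    ("192.0.2.50", 500, make_hdr(34, version=0x20)),       # IKEv2
]

if __name__ == "__main__":
    print(aggressive_peers(SAMPLE))
```
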