316 Views | 0 Helpful | 2 Replies

Is there any way to force SA negotiations to Main Mode?

d-garnett
Level 3

I have a 3005 set up at a central site.

I recently set up a testing group to test pushing down split-tunneling and firewall policies. I debugged the output (using Log Viewer on the Cisco Software Client) only to find that the Client is only negotiating SAs in Aggressive Mode. I reviewed the Event Log of the Concentrator only to notice that all of the remote user VPN group connections (Software Client and EasyVPNRemote) were negotiating SAs in Aggressive Mode. Since I am using pre-shared keys, I would really like for them to establish the secure tunnel before they send their attributes. Is there any way to force the Concentrator and Clients to negotiate in Main Mode only?

2 Replies

jfrahim
Level 5

Hi d-garnett,

MM only gives you identity protection. The ISAKMP proposals exchanged in the negotiations are not encrypted in either MM or AM. I am not sure what other attributes you are mentioning. Could you explain in more detail?

In any case, VPN client 3.x only supports AM for pre-shared key tunnels and MM for cert-based tunnels.

Hope that helps

Jazib

Thanks Jazib,

I did not know that the Client software can only negotiate in Aggressive Mode when using pre-shared keys. As far as other attributes, I was mainly speaking of things like Vendor IDs.

For example (from the 6th line of the debug):

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID)

Thanks again for the information.
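The point of both replies above is that the first Aggressive Mode packet already carries the ID payload in the clear, while Main Mode defers it to the encrypted exchange. The following is an added example, not code from this thread or from Cisco's client or concentrator: a small Python parser for the fixed ISAKMP header and the chained payload headers (field layout, exchange-type numbers and payload-type numbers are from RFC 2408) that reports the exchange mode, reproduces a one-line summary like the Log Viewer output quoted above, and flags any message in which an ID payload travels unencrypted. The packets are constructed in the block itself; the builder function, the stub SA/KE/nonce bodies, the ID_KEY_ID identity body and the group name "testgroup" are assumptions made for the demonstration.

```python
import struct

# ISAKMP fixed header (RFC 2408): initiator cookie, responder cookie, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, total length.
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes
FLAG_ENCRYPTION = 0x01                     # E bit: payloads after the header are encrypted

EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NON", 11: "N", 13: "VID"}
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4
PT_SA, PT_KE, PT_ID, PT_HASH, PT_NON, PT_VID = 1, 4, 5, 8, 10, 13


def build_message(exchange_type, payloads, flags=0):
    """Assemble one phase 1 ISAKMP message from (payload_type, body) pairs.
    Assumed helper used only to construct sample packets for the parser."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack(HEADER_FMT, b"\x11" * 8, b"\x00" * 8, first, 0x10,
                         exchange_type, flags, 0, HEADER_LEN + len(body))
    return header + body


def parse_message(raw):
    """Return version, exchange type, flags and the cleartext payload chain of a message."""
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    (_, _, next_type, version, exchange, flags,
     _msg_id, length) = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if length != len(raw):
        raise ValueError("length field does not match message size")
    payloads = []
    offset = HEADER_LEN
    # When the E bit is set the chain is ciphertext, so only the header is readable.
    while next_type != 0 and not (flags & FLAG_ENCRYPTION):
        if offset + 4 > length:
            raise ValueError("payload header runs past end of message")
        following, _reserved, plen = struct.unpack("!BBH", raw[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        payloads.append((next_type, raw[offset + 4:offset + plen]))
        next_type, offset = following, offset + plen
    return {"version": version, "exchange": exchange, "flags": flags, "payloads": payloads}


def id_exposed_in_clear(raw):
    """True when an ID payload is carried unencrypted, as in the first Aggressive Mode packet."""
    return any(ptype == PT_ID for ptype, _ in parse_message(raw)["payloads"])


def describe(raw):
    """One-line summary in the shape of the Log Viewer line quoted in the thread."""
    info = parse_message(raw)
    names = [PAYLOAD_TYPES.get(p, str(p)) for p, _ in info["payloads"]]
    mode = {EXCH_MAIN: "MM", EXCH_AGGRESSIVE: "AG"}.get(info["exchange"], str(info["exchange"]))
    return "ISAKMP OAK %s (%s)" % (mode, ", ".join(names))


# Constructed ID payload body: ID type 11 (ID_KEY_ID), protocol 0, port 0, then a group name.
SAMPLE_ID_BODY = struct.pack("!BBH", 11, 0, 0) + b"testgroup"
STUB_SA, STUB_KE, STUB_NONCE = b"\x00\x00\x00\x01" * 2, b"\x55" * 16, b"\x66" * 8

# Constructed Aggressive Mode first packet with the payload chain seen in the debug line.
AGGRESSIVE_MSG1 = build_message(EXCH_AGGRESSIVE, [
    (PT_SA, STUB_SA), (PT_KE, STUB_KE), (PT_NON, STUB_NONCE), (PT_ID, SAMPLE_ID_BODY),
    (PT_VID, b"\x01" * 16), (PT_VID, b"\x02" * 16), (PT_VID, b"\x03" * 16)])

# Constructed Main Mode packets: message 1 carries only the proposal and a vendor ID in the
# clear; the identity goes in message 5, whose payloads are encrypted (E bit set).  The
# plaintext bytes below stand in for that ciphertext so the parser sees a realistic header.
MAIN_MSG1 = build_message(EXCH_MAIN, [(PT_SA, STUB_SA), (PT_VID, b"\x01" * 16)])
MAIN_MSG5 = build_message(EXCH_MAIN, [(PT_ID, SAMPLE_ID_BODY), (PT_HASH, b"\x77" * 16)],
                          flags=FLAG_ENCRYPTION)

if __name__ == "__main__":
    for name, msg in (("AG msg1", AGGRESSIVE_MSG1), ("MM msg1", MAIN_MSG1), ("MM msg5", MAIN_MSG5)):
        print(name, describe(msg), "ID in clear:", id_exposed_in_clear(msg))
```

Run over the constructed packets, the Aggressive Mode message reproduces "ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID)" with the ID flagged as exposed, while neither Main Mode message exposes it: the first has no ID payload and the fifth has its chain behind the E bit. The same header walk can be applied to UDP/500 payloads from a capture to confirm which mode a peer is actually using, which is the check the original question was trying to make from the Log Viewer output.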