Disabling aggressive mode on site-to-site VPN

Colin Higgins
Level 2

I have a site-to-site VPN tunnel set up between two ASA firewalls, but I need to disable aggressive mode for security reasons.
This is a pretty standard setup, with AES256, pre-shared keys, etc. No PFS.
When I do a "show crypto ipsec sa detail" I don't see any references to aggressive mode in there.
If I disable this in order to go to strict main mode, will it break the VPN?

1 Reply

kevin_giusti
Level 1

The command to disable aggressive mode is "crypto ikev1 am-disable".

For good measure, you may want to use group 5 in your crypto ikev1 policy.

Disabling aggressive mode *shouldn't* drop your VPN connection, but it would still probably be best to do it after hours just in case.

Kevin
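Added example, not part of the thread above: a small Python audit that parses an ASA running-config for the two things the reply mentions, the global `crypto ikev1 am-disable` line and the DH `group` inside each `crypto ikev1 policy` block, and produces the hardened text. The sample configs are constructed for illustration (the peer address 203.0.113.2 and policy priority 10 are assumptions, not from the original post); the masked pre-shared key is how ASA displays it. One caveat a practitioner should know: an IKEv1 site-to-site tunnel between two static-IP peers authenticated by pre-shared key negotiates main mode, because main mode with PSK identifies the peer by its IP address, so `am-disable` is expected to leave such a tunnel up; aggressive mode is only required when the peer identifies itself by a name rather than an address (typically dynamic-IP or remote-access peers). The script treats group 14 (2048-bit MODP) as the floor, which is the current Cisco and NIST guidance; the group 5 suggested in the reply is an improvement over group 2 but is below that floor, so the minimum is a parameter you can lower if group 14 is not an option on the far end.

```python
"""Audit an ASA running-config for IKEv1 aggressive mode and DH group strength.

Constructed sample configs; the peer IP, policy number and interface name are
illustrative assumptions, not taken from the original forum post.
"""
import re

RECOMMENDED_MIN_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are below current guidance
ASA_DEFAULT_GROUP = 2       # assumption: ASA uses group 2 when a policy omits 'group'

# Constructed: a typical L2L config before hardening (what the question describes).
SAMPLE_CONFIG_BEFORE = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed: the same config with aggressive mode disabled and a stronger DH group.
SAMPLE_CONFIG_AFTER = """\
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key *****
"""


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for every 'crypto ikev1 policy N' block.

    Indented lines belong to the most recent policy header; any unindented line
    ends the block, which is how ASA prints nested configuration.
    """
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) >= 2:
                policies[current][parts[0]] = parts[1]
            continue
        current = None
    return policies


def audit_ikev1(config, min_group=RECOMMENDED_MIN_GROUP):
    """Return a list of human-readable findings; an empty list means the config passes."""
    lines = config.splitlines()
    findings = []
    if not any(l.strip() == "crypto ikev1 am-disable" for l in lines):
        findings.append("aggressive mode enabled: add 'crypto ikev1 am-disable'")
    for prio, attrs in sorted(parse_ikev1_policies(config).items()):
        group = int(attrs.get("group", str(ASA_DEFAULT_GROUP)))
        if group < min_group:
            findings.append(
                f"policy {prio}: DH group {group} is below the recommended minimum (group {min_group})"
            )
    return findings


def harden_ikev1(config, min_group=RECOMMENDED_MIN_GROUP):
    """Return the config with 'crypto ikev1 am-disable' present and weak policy groups raised.

    The am-disable line is placed right after 'crypto ikev1 enable <if>' so the
    output reads like a real running-config; the function is idempotent.
    """
    lines = config.splitlines()
    have_am_disable = any(l.strip() == "crypto ikev1 am-disable" for l in lines)
    out, in_policy = [], False
    for line in lines:
        if re.match(r"^crypto ikev1 policy \d+\s*$", line):
            in_policy = True
        elif not line.startswith(" "):
            in_policy = False
        if in_policy:
            m = re.match(r"^(\s+)group (\d+)\s*$", line)
            if m and int(m.group(2)) < min_group:
                line = f"{m.group(1)}group {min_group}"
        out.append(line)
        if not have_am_disable and re.match(r"^crypto ikev1 enable \S+", line):
            out.append("crypto ikev1 am-disable")
            have_am_disable = True
    if not have_am_disable:  # no 'crypto ikev1 enable' line at all: put it first
        out.insert(0, "crypto ikev1 am-disable")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit_ikev1(SAMPLE_CONFIG_BEFORE):
        print("FINDING:", finding)
    print(harden_ikev1(SAMPLE_CONFIG_BEFORE))
```

Run it against the output of `show running-config` saved to a file (replace the constructed sample with the file contents) to see what a change window would have to touch before applying the commands on the ASA itself; the audit only reads text and never talks to the firewall.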