cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5223
Views
5
Helpful
3
Replies
Highlighted
Beginner

To disable Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key

Hi,

I have router configuration as below. 

During vulnerability scanning, it was flagged out with finding as "Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key". Recommendation is to disable Aggressive Mode.

From link below, I noticed that I can disable Aggressive mode with "crypto isakmp aggressive-mode disable" command. 

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.pdf

Is this what I need to do in order to address the VA finding? 

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2

crypto ipsec security-association lifetime kilobytes 10000
crypto ipsec security-association lifetime seconds 86400

crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel

crypto isakmp key ABC$123#99 address 10.10.10.1

crypto map SITEA-to-SITEB-VPN 20 ipsec-isakmp
set peer 10.10.10.1
set transform-set aes
match address 120

interface FastEthernet0/0
ip address 198.10.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
duplex full
speed 100
crypto map SITEA-to-SITEB-VPN

access-list 120 permit ip 192.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.1.1.0 0.0.0.255

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Mentor

If that's the full IPsec

If that's the full IPsec-config and there is no other stuff like EzVPN-Server used, then you can disable it with that command.

View solution in original post

3 REPLIES 3
VIP Mentor

If that's the full IPsec

If that's the full IPsec-config and there is no other stuff like EzVPN-Server used, then you can disable it with that command.

View solution in original post

Beginner

Hi,

Hi,

Just manage to test the statement, work like a charm. 

Beginner

Add On: 

Add On: 

After disable Aggressive Mode, there will be a lot of message in router log, eg 

"%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled"

Can use log discriminator to filter out the log. 

1) Configure a discriminator: 
logging discriminator IKMP-AG mnemonics drops IKMP_AG_MODE_DISABLED 
2) Apply it to logging buffer:
logging buffered discriminator IKMP-AG 4096

Reference: http://asame2.blogspot.sg/2015/12/crypto-5-ikmpagmodedisabled-unable-to.html