Aggressive Mode IKE

bill.baxter
Level 1

We used to use IPsec VPN, but now use AnyConnect SSL VPN. We have a third party scan our firewall externally, and they are recommending that we disable Aggressive Mode IKE. Is this only used for IPsec VPNs? Is it safe to remove this from our configuration on our ASA 5505?

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Thank You.

Accepted Solutions

Vishnu Sharma
Level 1

Hi Bill,

The aggressive mode (3 pkt exchange) is only used for the IPsec remote access. The site-to-site VPN uses main mode (6 pkt exchange). If you do not have any site-to-site VPN, you can disable these commands; however, if you do have site-to-site VPN, then removing these will break them.

There is nothing called aggressive mode in AnyConnect. AnyConnect uses a totally different protocol called SSL (TCP/UDP port 443).

Hope this answers your question.

Thanks,

Vishnu Sharma
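
Added example, not part of the original thread: one way to confirm from captured traffic whether any peer still negotiates IKEv1 aggressive mode before the ISAKMP configuration is removed. The exchange-type values come from RFC 2408/2409 rather than from this thread; the function names are hypothetical and the sample packets are constructed.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# IKEv1 exchange type values (RFC 2408 / RFC 2409).
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def classify_ike(payload: bytes, udp_port: int = 500) -> str:
    """Return the IKEv1 exchange name for one UDP payload, or why it was skipped."""
    if udp_port == 4500:
        # NAT-T: IKE on port 4500 starts with a 4-byte all-zero non-ESP marker.
        if payload[:4] != b"\x00" * 4:
            return "not-ike"  # ESP data or a NAT keepalive
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return "truncated"
    _ic, _rc, _next, version, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(payload)
    if version >> 4 != 1:  # major version lives in the high nibble
        return "not-ikev1"
    if length < ISAKMP_HDR.size:
        return "malformed"
    return EXCHANGE_TYPES.get(exch, f"unknown({exch})")


def aggressive_mode_peers(packets):
    """packets: iterable of (src_ip, udp_port, payload); returns sources using aggressive mode."""
    return sorted({src for src, port, data in packets
                   if classify_ike(data, port) == "aggressive"})


def _hdr(exch: int, version: int = 0x10) -> bytes:
    # Constructed header: fixed initiator cookie, zero responder cookie, no payload body.
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, version, exch, 0, 0, ISAKMP_HDR.size)


# Constructed sample capture (documentation addresses from RFC 5737).
SAMPLE = [
    ("192.0.2.10", 500, _hdr(2)),                         # main mode
    ("198.51.100.7", 500, _hdr(4)),                       # aggressive mode
    ("203.0.113.5", 4500, b"\x00" * 4 + _hdr(4)),         # aggressive mode over NAT-T
    ("192.0.2.10", 4500, b"\xde\xad\xbe\xef" + b"\x00" * 32),  # ESP-in-UDP, ignored
    ("192.0.2.99", 500, _hdr(34, version=0x20)),          # IKEv2, ignored
]

if __name__ == "__main__":
    for src in aggressive_mode_peers(SAMPLE):
        print("aggressive mode initiator:", src)
```

An empty result over a representative capture window indicates that no peer in that window initiated aggressive mode.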

2 Replies

Thank you. I was assuming that removing this would break the IPSec Client VPN, but I wanted to make sure it would not harm the AnyConnect VPN.

Thanks again.