ASA and Aggressive-Mode

david.tran
Level 4

Hi,

I do not have an ASA to test, so I have to ask folks in this forum.  It would be helpful if folks have done this before or can test this to give me a definitive answer.

I have Cisco ASR 1002, code XE 3.4.1 doing site-2-site VPN with an ASA managed by another company that I have no control over running 8.3 (I think).

The site-2-site VPN is very easy and straightforward, as follows:

ip access-list extended companyX
  permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
!
! Phase 1: pre-shared key, no XAUTH; aggressive mode explicitly disabled below
crypto isakmp key cciesec address 1.1.1.1 no-xauth
crypto isakmp policy 10
  authentication pre-share
  hash sha
  group 5
  encryption aes 256
  lifetime 86400
crypto isakmp aggressive-mode disable
no crypto ipsec nat-transparency udp-encapsulation
!
! Phase 2: transform set and crypto map applied to the outside interface
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
  match address companyX
  set peer 1.1.1.1
  set pfs group5
  set transform-set tset
  set security-association lifetime seconds 3600
interface GigabitEthernet0/0/0
  crypto map vpn

So I disabled aggressive mode on the ASR router; only main mode is allowed.  I have no idea how the ASA is configured.  The site-2-site VPN is working fine "most of the time".  Sometimes, application folks report that network 192.168.1.0/24 cannot communicate with network 10.0.1.0/24.

When the VPN tunnel is not working I am seeing this in the ASR log:

000927: Jan  8 02:47:20.535 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000928: Jan  8 05:33:24.726 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000929: Jan  8 10:04:25.026 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000930: Jan  8 11:12:55.819 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled

I know Aggressive Mode on the ASA can be turned off with "crypto isakmp am-disable", but I do not control the ASA.

Does this mean that the ASA, by default, enables Aggressive Mode?  Without turning it off, will it cause issues with my site-2-site VPN because the ASR does not allow aggressive mode?

Thanks,
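As an added example (not part of the post, and not a Cisco tool), the following Python script parses ASR syslog lines in the format shown above, counts the %CRYPTO-5-IKMP_AG_MODE_DISABLED rejections, reports how they are spaced in time, and lines them up against the times at which an outage was reported. The embedded sample log is constructed: it contains the first three lines from the post plus one made-up LINK-3-UPDOWN line to show unrelated messages being separated out. IOS timestamps carry no year, so the year is passed in as a placeholder parameter.

```python
import re
from collections import Counter
from datetime import datetime

# IOS / IOS-XE syslog layout seen in the post:
#   <seq>: <Mon> <day> <hh:mm:ss.mmm> <tz>: %<FACILITY>-<severity>-<MNEMONIC>: <text>
SYSLOG_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<tz>[A-Za-z]+):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)

# Mnemonic the ASR emits when a peer's first Phase 1 packet is an Aggressive Mode
# exchange while 'crypto isakmp aggressive-mode disable' is configured.
AM_DISABLED = "IKMP_AG_MODE_DISABLED"

# Constructed sample: three lines from the post plus one made-up LINK line.
SAMPLE_LOG = """\
000927: Jan  8 02:47:20.535 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000928: Jan  8 05:33:24.726 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000929: Jan  8 10:04:25.026 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000931: Jan  8 11:20:03.004 gmt: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to up
"""


def parse_line(line, year):
    """Parse one line into a dict, or return None for lines in another format.
    The year is not in the timestamp, so the caller supplies it (placeholder)."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S.%f")
    return {
        "seq": int(m["seq"]),
        "time": stamp,
        "facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def triage(log_text, year=2000):
    """Summarise Aggressive Mode rejections: how many, when, and how far apart."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    rejections = [e for e in events if e["mnemonic"] == AM_DISABLED]
    times = [e["time"] for e in rejections]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "parsed": len(events),
        "aggressive_mode_rejections": len(rejections),
        "rejection_times": times,
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else None,
        "other_mnemonics": Counter(e["mnemonic"] for e in events if e["mnemonic"] != AM_DISABLED),
        # Any rejection means the peer is proposing Aggressive Mode to a main-mode-only responder.
        "peer_proposing_aggressive_mode": bool(rejections),
    }


def correlate(rejection_times, reports, window_seconds=1800):
    """For each reported outage time, return the most recent rejection within the
    window (None when the outage does not line up with an Aggressive Mode rejection)."""
    result = {}
    for reported_at in reports:
        prior = [t for t in rejection_times if 0 <= (reported_at - t).total_seconds() <= window_seconds]
        result[reported_at] = max(prior) if prior else None
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['aggressive_mode_rejections']} Aggressive Mode rejections "
          f"between {summary['first_seen']} and {summary['last_seen']}, "
          f"mean spacing {summary['mean_gap_seconds']:.0f}s; other: {dict(summary['other_mnemonics'])}")
```

Each rejection is a Phase 1 attempt the ASR refused because the peer's first packet was an Aggressive Mode exchange. Lining the rejection times up with the outage reports (correlate) shows whether the mode mismatch explains the outages rather than, say, a rekey problem; if it does, the change has to happen on the ASA side, since the ASR cannot negotiate with a proposal it is configured to refuse.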

4 Replies

Mariusz Bochen
Level 1

Hi David,

Yes, by default ASA uses the aggressive mode and you have to have the same mode on both ends.

I would recommend using aggressive mode, unless you're going to use certificate-based authentication. I had that problem with remote VPN where I couldn't disable aggressive mode on ASA.

Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to establish tunnels to the security appliance. However, they may use certificate-based authentication (that is, ASA or RSA) to establish tunnels.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1051341

On the ASR 1002 the AM is disabled by default so you need:

no crypto isakmp aggressive-mode disable

Regards

Mariusz

1- I am not using remote access VPN (vpn clients) so I don't care about this.

2- I am not sure where you've been the past five years but using Aggressive Mode is NOT recommended.  There are "known" vulnerabilities with Aggressive Mode.  This is well documented.  That's why Main-Mode is the recommended approach (3 packets for AM versus 6 packets for MM).

Am I wrong?  I thought Aggressive Mode is the thing of the past especially when it comes to site-2-site VPN.
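To make the "3 packets for AM versus 6 packets for MM" distinction concrete on the wire, here is an added Python example (not from the thread or from Cisco) that parses the 28-byte ISAKMP header shared by IKEv1 and IKEv2 and classifies the exchange type: 2 is Identity Protection (Main Mode, the six-message exchange) and 4 is Aggressive Mode (the three-message exchange). build_header is a constructed helper that emits header-only messages for the checks; real IKE packets carry an SA payload after the header. rejected_by_policy models what the ASR's crypto isakmp aggressive-mode disable does with an incoming proposal.

```python
import struct

# ISAKMP header (RFC 2408 s3.1; IKEv2 keeps the same layout, RFC 7296 s3.1):
#   initiator cookie/SPI (8), responder cookie/SPI (8), next payload (1),
#   version (1: major<<4 | minor), exchange type (1), flags (1),
#   message ID (4), total length (4) -> 28 bytes, network byte order.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types carried in byte 18. Main Mode is "Identity Protection" (2),
# Aggressive Mode is 4; Quick Mode (32) is the Phase 2 exchange.
IKEV1_EXCHANGE_TYPES = {
    0: "NONE",
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive Mode",
    5: "Informational",
    32: "Quick Mode",
    33: "New Group Mode",
}
IKEV2_EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

FLAG_ENCRYPTION = 0x01  # set when the payloads after the header are encrypted


def build_header(exchange_type, version=0x10, initiator_spi=b"\x11" * 8,
                 responder_spi=b"\x00" * 8, flags=0, msg_id=0, payload=b""):
    """Constructed helper (assumption, not a library call): emit an IKE message made of
    a header plus an optional opaque payload. A real first Phase 1 packet has a zero
    responder cookie, message ID 0 and an SA payload following the header."""
    next_payload = 1 if payload else 0  # 1 = Security Association payload, 0 = none
    length = ISAKMP_HEADER.size + len(payload)
    return ISAKMP_HEADER.pack(initiator_spi, responder_spi, next_payload, version,
                              exchange_type, flags, msg_id, length) + payload


def parse_isakmp_header(data):
    """Decode the fixed header of a UDP/500 datagram (after the 4-byte non-ESP marker on UDP/4500)."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    table = IKEV1_EXCHANGE_TYPES if major == 1 else IKEV2_EXCHANGE_TYPES if major == 2 else {}
    return {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "major": major,
        "minor": minor,
        "exchange_type": exch,
        "exchange": table.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "next_payload": next_payload,
        "length_ok": length == len(data),
    }


def classify(data):
    """Return 'main', 'aggressive', 'ikev2' or 'other' for the first packet of a negotiation."""
    hdr = parse_isakmp_header(data)
    if hdr["major"] == 2:
        return "ikev2"
    if hdr["major"] == 1 and hdr["exchange_type"] == 2:
        return "main"
    if hdr["major"] == 1 and hdr["exchange_type"] == 4:
        return "aggressive"
    return "other"


def rejected_by_policy(data, allow_aggressive=False):
    """Model of a responder running 'crypto isakmp aggressive-mode disable': an incoming
    Aggressive Mode exchange is refused (the ASR logs %CRYPTO-5-IKMP_AG_MODE_DISABLED),
    while a Main Mode exchange proceeds."""
    return classify(data) == "aggressive" and not allow_aggressive


if __name__ == "__main__":
    for exch in (2, 4):
        pkt = build_header(exch)
        print(classify(pkt), "|", parse_isakmp_header(pkt)["exchange"], "|",
              "rejected" if rejected_by_policy(pkt) else "accepted")
```

Note that the exchange type is in the clear in every IKE packet, so a capture on the ASR's outside interface (or a NetFlow/IDS rule keyed on byte 18 of UDP/500 payloads) shows directly which mode the remote ASA is proposing, without needing access to its configuration.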

I know Aggressive Mode is less secure and I know the difference between them. The reason I was recommending this was the preshared authentication issue, which looks like it doesn't apply to L2L VPN, just to the remote one. My mistake.

If that's the case then you just need (or rather, get the other company) to change the mode on the ASA to main.

Thank you. 

Which brings me back to my original question.  What will happen if the ASA is left at its default of Aggressive Mode while the ASR is configured ONLY for Main Mode?

I wish I had an ASA to test this, but I don't, so I have to ask folks who have a setup like this.  Will the L2L VPN tunnel have issues because of this?