12-26-2017 07:07 PM - edited 03-12-2019 04:52 AM
My current Main mode IPsec VPN configuration on my ASA 8.2.5 is as below
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 94.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map Outside_map 1 set nat-t-disable
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
!
!
tunnel-group 94.x.x.x type ipsec-l2l
tunnel-group 94.x.x.x ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
----------------------------
Now I want to convert it to aggressive mode. Please help me convert it, because the other end (a Fortigate) is recommended to run in aggressive mode.
Thanks,
Deepak Kumar
12-27-2017 03:17 AM
The ASA accepts by default main mode as well as aggressive mode. You can check this using show crypto isakmp sa. The output will indicate MM for Main Mode or AM for Aggressive Mode.
In order to force the ASA to use aggressive mode when initiating a connection you can use:
crypto map outside_map 1 set ikev1 phase1-mode aggressive
Considering the version you are running is pretty old, it could be that the command is a little bit different. (isakmp instead of ikev1)
Also keep in mind that Aggressive Mode does not provide identity protection.
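The answer above suggests reading the MM/AM marker in "show crypto isakmp sa" to tell which phase 1 mode each peer negotiated. The following Python script is an added example (not from the poster or from Cisco) that parses that output and lists the peers that ended up in aggressive mode, which is useful when auditing a firewall with many tunnels for peers that lack identity protection. The sample output below is constructed to match the ASA's IKEv1 display format; the peer addresses are placeholders, not the 94.x.x.x peer in the question.

```python
import re

# Constructed sample in the format of the ASA's "show crypto isakmp sa" (IKEv1).
# The peer addresses are documentation-range placeholders, not real peers.
SAMPLE_SHOW_ISAKMP_SA = """\
Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# One IKE SA entry spans three lines: the peer line, the Type/Role line and
# the Rekey/State line. The State value carries the phase 1 mode prefix
# (MM_ = main mode, AM_ = aggressive mode).
ENTRY_RE = re.compile(
    r"^\s*\d+\s+IKE Peer:\s*(?P<peer>\S+)\s*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)

MODE_BY_PREFIX = {"MM": "main", "AM": "aggressive"}


def parse_isakmp_sa(text):
    """Return one dict per IKE SA found in the show output."""
    sas = []
    for m in ENTRY_RE.finditer(text):
        state = m.group("state")
        prefix = state.split("_", 1)[0]
        sas.append({
            "peer": m.group("peer"),
            "type": m.group("type"),
            "role": m.group("role"),
            "rekey": m.group("rekey") == "yes",
            "state": state,
            "mode": MODE_BY_PREFIX.get(prefix, "unknown"),
        })
    return sas


def aggressive_mode_peers(text):
    """Peers whose phase 1 SA was negotiated in aggressive mode (no identity protection)."""
    return [sa["peer"] for sa in parse_isakmp_sa(text) if sa["mode"] == "aggressive"]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_SHOW_ISAKMP_SA):
        print(f"{sa['peer']:<16} {sa['type']:<4} {sa['role']:<10} {sa['state']:<12} {sa['mode']}")
    print("aggressive mode peers:", aggressive_mode_peers(SAMPLE_SHOW_ISAKMP_SA))
```

In practice you would feed it the real output captured from the ASA (for example over SSH) instead of the constructed sample; the parser only depends on the three-line entry layout and the MM_/AM_ prefix of the State field, so it also recognises intermediate states such as MM_WAIT_MSG2 as main mode.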