05-01-2015 01:42 PM - edited 02-21-2020 08:12 PM
Hi Everyone,
I am trying to fix the IKE Aggressive mode with PSK vulnerabilities on our Cisco ASA, which is running the old IPsec VPN and AnyConnect IKEv2 VPN.
When I run the command
sh crypto isakmp sa
User using IPsec VPN
IKEv1 SAs:
Active SA: 25
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 25
1 IKE Peer: 63.226..x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
So here it tells me that this VPN client is using Aggressive mode right?
User using AnyConnect IKEv2
sh crypto isakmp sa
17 IKE Peer: 192.206..x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
IKEv2 SAs:
Session-id:361, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1696279645 x.x.x.x/4500 192.206..x.x/33328 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: EAP
Life/Active Time: 86400/24756 sec
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 172.16..x.x.144/0 - 172.16.x.x/65535
ESP spi in/out: 0xa315b767/0xbec2f7cc
I need to know: AnyConnect IKEv2 does not share any pre-shared key, so why does line number 17 show AM (Aggressive mode)?
05-01-2015 04:04 PM
The IKEv2 protocol has nothing to do with aggressive mode or main mode at all.
If you do a "sh crypto isa" it will show you the IKEv1 SAs and the IKEv2 SAs.
If you still see a flow in the table, maybe it is a stuck session.
To disable aggressive mode, enter the following command:
crypto ikev1 am-disable
For example:
hostname(config)# crypto ikev1 am-disable
05-01-2015 05:59 PM
L2L tunnels use Main Mode by default. Probably you will not select a L2L using aggressive mode, due to security reasons.
If you disable AM, all the legacy IPsec VPN clients using a pre-shared key will not be able to connect. If you want to use Main Mode for remote IKEv1 you should use certificate authentication.
Check this:
http://www.cisco.com/c/en/us/support/docs/security/vpn-client/45102-vpnclientfaq.html
A. You must use digital signatures (certificates) in order to allow Cisco VPN Client to connect in main mode
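As an added example (not code from this thread or from Cisco), the script below parses "show crypto isakmp sa" output and lists the IKEv1 peers whose state is AM_* (aggressive mode), i.e. the legacy pre-shared-key clients that would stop connecting after "crypto ikev1 am-disable". The sample output and its addresses are constructed, laid out like the output quoted above; IKEv2 sessions are skipped because they have no main/aggressive mode.

```python
import re

# Constructed sample of "show crypto isakmp sa" output (made-up addresses),
# formatted like the output quoted in the thread.
SAMPLE_OUTPUT = """\
IKEv1 SAs:
   Active SA: 3
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1   IKE Peer: 198.51.100.10
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 203.0.113.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 198.51.100.77
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
IKEv2 SAs:
Session-id:361, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                  Remote                  Status  Role
1696279645 192.0.2.1/4500        198.51.100.20/33328     READY   RESPONDER
"""

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Type|Role|State)\s*:\s*(\S+)")


def parse_ikev1_sas(text):
    """Return one dict per IKEv1 SA: {"peer", "Type", "Role", "State"}.
    Only the block before "IKEv2 SAs:" is parsed."""
    ikev1_part = text.split("IKEv2 SAs:", 1)[0]
    sas = []
    for line in ikev1_part.splitlines():
        m = PEER_RE.match(line)
        if m:                       # "N   IKE Peer: a.b.c.d" starts a new SA
            sas.append({"peer": m.group(1)})
        elif sas:                   # Type/Role/State lines belong to the last SA
            for key, val in FIELD_RE.findall(line):
                sas[-1][key] = val
    return sas


def aggressive_mode_peers(text):
    """Peers negotiated in aggressive mode (State AM_*); these are the
    sessions affected by 'crypto ikev1 am-disable' unless they move to
    main mode with certificate authentication."""
    return sorted(sa["peer"] for sa in parse_ikev1_sas(text)
                  if sa.get("State", "").startswith("AM_"))


if __name__ == "__main__":
    print("Aggressive-mode IKEv1 peers:", aggressive_mode_peers(SAMPLE_OUTPUT))
```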
05-01-2015 04:32 PM
Hi Jorge,
First of all Thanks for reply.
If I disable the aggressive mode as you suggested, will it cause any outage or any other config change?
Will new VPN users and LAN-to-LAN VPN tunnels work fine with main mode?
Regards
Mahesh
05-02-2015 07:31 AM
Hi Jorge,
Seems that the connection was in a stuck state.
Today I tested with AnyConnect from home and it only shows in IKEv2.
Many thanks and best regards for this valuable info.
Regards
Mahesh