Does AnyConnect IKEv2 use Aggressive Mode

mahesh18
Level 6

Hi Everyone,

I am trying to fix the IKE Aggressive Mode with PSK vulnerability on our Cisco ASA, which is running the old IPsec VPN and AnyConnect IKEv2 VPN.

When I run the command

sh crypto isakmp sa

User using IPsec VPN

IKEv1 SAs:

   Active SA: 25
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 25

1   IKE Peer: 63.226..x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

So here it tells me that this VPN client is using Aggressive Mode, right?

User using AnyConnect IKEv2

sh crypto isakmp sa

17  IKE Peer: 192.206..x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
 

 

IKEv2 SAs:

Session-id:361, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
1696279645      x.x.x.x/4500  192.206..x.x/33328      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/24756 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 172.16..x.x.144/0 - 172.16.x.x/65535
          ESP spi in/out: 0xa315b767/0xbec2f7cc

 

I need to know: AnyConnect IKEv2 does not share any pre-shared key, so why does line number 17 show AM (Aggressive Mode)?

 


4 Replies

Jorge Salas
Cisco Employee

The IKEv2 protocol has nothing to do with Aggressive Mode or Main Mode at all.

If you do a "sh crypto isa", it will show you the IKEv1 SAs and the IKEv2 SAs.

If you still see a flow in the table, maybe it is a stuck session.

To disable Aggressive Mode, enter the following command:

crypto ikev1 am-disable

For example:

hostname(config)# crypto ikev1 am-disable

 

Hi Jorge,

First of all, thanks for the reply.

If I disable Aggressive Mode as you suggested, will it cause any outage or any other config change?

Will new VPN users and LAN-to-LAN VPN tunnels work fine with Main Mode?

Regards

Mahesh

L2L tunnels use Main Mode by default. Probably you will not select a L2L using Aggressive Mode, for security reasons.

If you disable AM, all the legacy IPsec VPN clients using a pre-shared key will not be able to connect. If you want to use Main Mode for remote IKEv1, you should use certificate authentication.

Check this:

http://www.cisco.com/c/en/us/support/docs/security/vpn-client/45102-vpnclientfaq.html

Q. How can I configure the Cisco VPN Client to connect in main mode, instead of aggressive mode?

A. You must use digital signatures (certificates) in order to allow Cisco VPN Client to connect in main mode.
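
The two replies above give the diagnostic (the ASA prefixes each IKEv1 phase-1 state with AM_ or MM_, while the IKEv2 table has no such mode at all) and the consequence of "crypto ikev1 am-disable" (Aggressive Mode remote-access clients stop connecting; Main Mode L2L tunnels and IKEv2 sessions carry on). The script below is an added example, not from the thread or from Cisco, that applies both points to a pasted copy of "show crypto isakmp sa": it reports which peers would be refused after am-disable, which are untouched, and which peers appear in both the IKEv1 and IKEv2 tables, the stuck-session symptom Jorge suspected. The sample output, its addresses and the function names are all constructed for the example.

```python
"""Classify IKE SAs from Cisco ASA 'show crypto isakmp sa' output.

Hypothetical helper, not Cisco code.  The ASA prefixes the IKEv1 phase-1
state with the exchange mode (AM_ = Aggressive, MM_ = Main); IKEv2 entries
carry no such mode because IKEv2 has neither exchange.
"""
import re

# Constructed sample modelled on the output quoted in the thread; addresses,
# SPIs and counts are made up (RFC 5737 documentation ranges).
SAMPLE_OUTPUT = """\
IKEv1 SAs:

   Active SA: 3
Total IKE SA: 3

1   IKE Peer: 198.51.100.10
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

2   IKE Peer: 203.0.113.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

3   IKE Peer: 198.51.100.77
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

IKEv2 SAs:

Session-id:361, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
1696279645      192.0.2.1/4500  198.51.100.77/33328      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: EAP
      Life/Active Time: 86400/24756 sec
"""

IKEV1_ENTRY = re.compile(
    r"^\s*(?P<idx>\d+)\s+IKE Peer:\s*(?P<peer>\S+)[ \t]*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)[ \t]*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)
IKEV2_ENTRY = re.compile(
    r"^(?P<tid>\d+)\s+(?P<local>\S+)/\d+\s+(?P<remote>\S+)/\d+"
    r"\s+(?P<status>\S+)\s+(?P<role>\S+)[ \t]*\n"
    r"\s*Encr:[^\n]*Auth sign:\s*(?P<sign>\w+),\s*Auth verify:\s*(?P<verify>\w+)",
    re.MULTILINE,
)


def split_sections(output):
    """Return (IKEv1 text, IKEv2 text); the ASA prints the IKEv1 table first."""
    v2 = output.find("IKEv2 SAs:")
    return (output, "") if v2 == -1 else (output[:v2], output[v2:])


def ikev1_mode(state):
    """Map an ASA IKEv1 state such as AM_ACTIVE or MM_WAIT_MSG3 to its mode."""
    if state.startswith("AM_"):
        return "aggressive"
    if state.startswith("MM_"):
        return "main"
    return "unknown"


def parse_ikev1(text):
    return [{"peer": m["peer"], "type": m["type"], "role": m["role"],
             "state": m["state"], "mode": ikev1_mode(m["state"])}
            for m in IKEV1_ENTRY.finditer(text)]


def parse_ikev2(text):
    return [{"remote": m["remote"], "status": m["status"], "role": m["role"],
             "auth_sign": m["sign"], "auth_verify": m["verify"]}
            for m in IKEV2_ENTRY.finditer(text)]


def describe(sa):
    return f"{sa['peer']} ({sa['type']}, {sa['state']})"


def am_disable_impact(output):
    """Predict what 'crypto ikev1 am-disable' refuses and what it leaves alone.

    Only IKEv1 SAs built in Aggressive Mode (in practice the legacy VPN client
    with a pre-shared key) are affected.  Main Mode IKEv1 (L2L tunnels,
    certificate-authenticated clients) and every IKEv2 session are untouched.
    """
    v1_text, v2_text = split_sections(output)
    v1, v2 = parse_ikev1(v1_text), parse_ikev2(v2_text)
    return {
        "refused_after_am_disable": [describe(sa) for sa in v1 if sa["mode"] == "aggressive"],
        "ikev1_main_mode_kept": [describe(sa) for sa in v1 if sa["mode"] == "main"],
        "ikev2_unaffected": [f"{sa['remote']} (sign={sa['auth_sign']}, "
                             f"verify={sa['auth_verify']})" for sa in v2],
    }


def peers_in_both_tables(output):
    """Peers listed under both IKEv1 and IKEv2: the stuck-session symptom from
    the thread, where a stale IKEv1 SA lingers beside the live IKEv2 one."""
    v1_text, v2_text = split_sections(output)
    v1_peers = {sa["peer"] for sa in parse_ikev1(v1_text)}
    v2_peers = {sa["remote"] for sa in parse_ikev2(v2_text)}
    return sorted(v1_peers & v2_peers)


if __name__ == "__main__":
    import json
    print(json.dumps(am_disable_impact(SAMPLE_OUTPUT), indent=2))
    print("peers in both tables:", peers_in_both_tables(SAMPLE_OUTPUT))
```

Run it against a real capture by replacing SAMPLE_OUTPUT with the pasted command output. Anything under "refused_after_am_disable" is a client that still negotiates Aggressive Mode and will need certificate authentication (or migration to IKEv2) before am-disable is applied; a peer returned by peers_in_both_tables is worth clearing and re-checking before concluding that IKEv2 is somehow using AM.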

 

Hi Jorge,

It seems that the connection was in a stuck state.

Today I tested AnyConnect from home and it only shows in IKEv2.

Many thanks and best regards for this valuable info.

Regards

Mahesh