IKE Negotiation Mode in a dynamic VPN tunnel

nimgnay
Level 1

What's the IKE negotiation mode used in a dynamic VPN tunnel group, i.e. DefaultL2LGroup? Main, Aggressive or Auto-negotiate? Thanks!

1 Accepted Solution

ok.

I guess you are looking for the following command.

crypto map [TAG] [SEQ#] set phase1-mode aggressive

Regards,

Anisha

P.S.: Please mark this thread resolved if your query is resolved.

11 Replies

andamani
Cisco Employee

Hi,

I did not understand what you mean by dynamic VPN tunnel. Do you mean the RA VPN tunnel-group, i.e. dynamic map?

For a VPN Tunnel trying to negotiate on dynamic crypto map, aggressive mode is first negotiated then main mode.

Regards,

Anisha

P.S.: Please mark this thread as resolved if you feel your query is answered.

Thanks a lot. It seems that there is no way to set the negotiation mode for a dynamic map in ASA. Is it correct?

Hi,

You can disable the Aggressive mode.

Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to establish tunnels to the security appliance. However, they may use certificate-based authentication (that is, ASA or RSA) to establish tunnels.

The following link gives you details of the same.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/ike.html#wp1051341

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is answered.

I'm referring to a dynamic L2L tunnel. Do you have any info on the IKE negotiation mode for this type of tunnel?

What do you mean by dynamic L2L tunnel?

Are you referring to an EZVPN tunnel?

Regards,

Anisha

Ok, put it in a Cisco ASA context, it is the DefaultL2LGroup.

Hi,

I am still lost with your requirement.

If the ASA is in multiple context mode then one cannot terminate VPN on it.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1146698

Regards,

Anisha

I'm sorry to make you feel lost. Put simply, is there any way to fix the negotiation mode in a dynamic map, i.e. either aggressive or main? From your previous explanation, I know the remote peer/client will try aggressive first, then main, but I want it to be a fixed mode. Thanks!

ok.

I guess you are looking for the following command.

crypto map [TAG] [SEQ#] set phase1-mode aggressive

Regards,

Anisha

P.S.: Please mark this thread resolved if your query is resolved.

Is it possible to set it via ASDM? Thanks!

I am not an ASDM person; I am a CLI person.

I guess you can put the one command via CLI.

Regards,

Anisha
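
The following is an added example, not part of the thread or of Cisco's documentation: a small Python audit that reads a saved ASA running-config and reports where IKE phase 1 aggressive mode is set with the `set phase1-mode` command quoted above, and whether aggressive mode is still permitted while a dynamic crypto map is bound. The sample config is constructed, and the `am-disable` spellings matched (`isakmp am-disable`, `crypto isakmp am-disable`, `crypto ikev1 am-disable`) are assumed to cover the software version in use.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread).
SAMPLE_CONFIG = """\
crypto dynamic-map DYN 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE 20 match address L2L-ACL
crypto map OUTSIDE 20 set peer 192.0.2.10
crypto map OUTSIDE 20 set phase1-mode aggressive
crypto map OUTSIDE 30 set phase1-mode main
crypto map OUTSIDE 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE interface outside
"""

PHASE1 = re.compile(r"^crypto map (\S+) (\d+) set phase1-mode (main|aggressive)\b")
DYNAMIC = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
# Assumption: the global "disable aggressive mode" command appears in one of these forms.
AM_DISABLE = re.compile(r"^(crypto )?(isakmp|ikev1) am-disable\b")


def audit_phase1(config: str) -> dict:
    """Collect phase 1 mode settings, dynamic map bindings and the am-disable flag."""
    result = {"am_disabled": False, "phase1_mode": {}, "dynamic_entries": []}
    for raw in config.splitlines():
        line = raw.strip()
        if AM_DISABLE.match(line):
            result["am_disabled"] = True
        elif m := PHASE1.match(line):
            result["phase1_mode"][(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := DYNAMIC.match(line):
            result["dynamic_entries"].append((m.group(1), int(m.group(2)), m.group(3)))
    return result


def findings(config: str) -> list:
    """Return human-readable findings for a configuration review."""
    r = audit_phase1(config)
    out = []
    for (tag, seq), mode in sorted(r["phase1_mode"].items()):
        if mode == "aggressive":
            out.append(f"crypto map {tag} {seq}: phase1-mode aggressive")
    if r["dynamic_entries"] and not r["am_disabled"]:
        out.append("dynamic map bound and aggressive mode not disabled")
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE_CONFIG):
        print(item)
```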