Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
15281
Views
5
Helpful
3
Replies

To disable Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key

Go to solution
limlayhin
Level 1
Level 1

‎01-06-2017 12:05 AM

Hi,

I have router configuration as below. 

During vulnerability scanning, it was flagged out with finding as "Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key". Recommendation is to disable Aggressive Mode.

From link below, I noticed that I can disable Aggressive mode with "crypto isakmp aggressive-mode disable" command. 

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.pdf

Is this what I need to do in order to address the VA finding? 

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2

crypto ipsec security-association lifetime kilobytes 10000
crypto ipsec security-association lifetime seconds 86400

crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel

crypto isakmp key ABC$123#99 address 10.10.10.1

crypto map SITEA-to-SITEB-VPN 20 ipsec-isakmp
set peer 10.10.10.1
set transform-set aes
match address 120

interface FastEthernet0/0
ip address 198.10.1.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
duplex full
speed 100
crypto map SITEA-to-SITEB-VPN

access-list 120 permit ip 192.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.1.1.0 0.0.0.255

3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎01-06-2017 12:52 AM

If that's the full IPsec-config and there is no other stuff like EzVPN-Server used, then you can disable it with that command.

View solution in original post

3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

‎01-06-2017 12:52 AM

If that's the full IPsec-config and there is no other stuff like EzVPN-Server used, then you can disable it with that command.

Go to solution
limlayhin
Level 1
Level 1
In response to Karsten Iwen

‎01-11-2017 02:50 AM

Hi,

Just manage to test the statement, work like a charm. 

0 Helpful

Go to solution
limlayhin
Level 1
Level 1
In response to limlayhin

‎01-18-2017 05:21 PM

Add On: 

After disable Aggressive Mode, there will be a lot of message in router log, eg 

"%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled"

Can use log discriminator to filter out the log. 

1) Configure a discriminator: 
logging discriminator IKMP-AG mnemonics drops IKMP_AG_MODE_DISABLED 
2) Apply it to logging buffer:
logging buffered discriminator IKMP-AG 4096

Reference: http://asame2.blogspot.sg/2015/12/crypto-5-ikmpagmodedisabled-unable-to.html

0 Helpful
Customers Also Viewed These Support Documents