VPN3000 Aggressive Mode

ccr_cisco
Level 1

Hi,

Following the security flaw existing in aggressive mode IPsec, is there a way to deactivate aggressive mode on the VPN3000 Concentrator? All my SAs are in main mode but it seems it still answers an aggressive handshake (verified with a tool like ike-scan).

If it's not possible to deactivate it, can I mask the ID returned in the handshake, as it is the private IP?

Thanks

3 Replies

5220
Level 4

Hi,

Go to:

Traffic Management | Security Associations

Edit them and, under "IKE Parameters", set all of them to have Negotiation as Main.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee22f.html#wp1556802

Please rate if this helped.

Regards,

Daniel

Hi,

All Negotiations are "Main Mode" in "IKE Parameters" but it still answers the Aggressive handshake.

Any idea?

I too would like to know the best fix for this.

According to:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html

"When responding to IPSec session initialization, Cisco IOS® software may use Aggressive Mode even if it has not been explicitly configured to do so."
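A way to confirm the behaviour discussed in this thread from a packet capture, as an added example that is not from any poster or from Cisco: it parses one IKEv1 message (the UDP/500 payload) and reports whether the exchange type is Aggressive and whether a cleartext ID payload carries a private IPv4 address. The sample messages are constructed and reduced to a single payload each; the function and constant names are illustrative assumptions.

```python
import ipaddress
import struct

MAIN_MODE, AGGRESSIVE_MODE = 2, 4   # ISAKMP exchange types (RFC 2408)
PAYLOAD_SA, PAYLOAD_ID = 1, 5       # ISAKMP payload types
ID_IPV4_ADDR = 1                    # IPsec DOI identification type (RFC 2407)
FLAG_ENCRYPTED = 0x01               # header flag: payloads are encrypted


def inspect_ikev1(datagram: bytes) -> dict:
    """Report the exchange type and any cleartext ID in one IKEv1 message."""
    if len(datagram) < 28:
        raise ValueError("shorter than an ISAKMP header")
    next_payload, version, exchange, flags = struct.unpack_from("!BBBB", datagram, 16)
    (length,) = struct.unpack_from("!I", datagram, 24)
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    result = {"aggressive": exchange == AGGRESSIVE_MODE, "exchange": exchange,
              "id": None, "id_is_private_ip": False}
    if flags & FLAG_ENCRYPTED:      # payloads unreadable, header facts only
        return result
    end, offset = min(length, len(datagram)), 28
    while next_payload and offset + 4 <= end:
        following, _, plen = struct.unpack_from("!BBH", datagram, offset)
        if plen < 4 or offset + plen > end:
            raise ValueError("malformed payload length")
        if next_payload == PAYLOAD_ID and plen >= 8:
            # ID payload body: type(1) protocol(1) port(2) identification data
            id_type, data = datagram[offset + 4], datagram[offset + 8:offset + plen]
            if id_type == ID_IPV4_ADDR and len(data) == 4:
                addr = ipaddress.IPv4Address(data)
                result["id"], result["id_is_private_ip"] = str(addr), addr.is_private
            else:
                result["id"] = data.decode("ascii", "replace")
        next_payload, offset = following, offset + plen
    return result


def build_message(exchange: int, first_payload: int, body: bytes) -> bytes:
    """Build a constructed sample: ISAKMP header plus pre-encoded payload bytes."""
    header = bytes(8) + b"\x11" * 8 + bytes([first_payload, 0x10, exchange, 0])
    return header + struct.pack("!II", 0, 28 + len(body)) + body


# Constructed samples (not captured traffic). A real aggressive-mode reply also
# carries SA, key exchange, nonce and hash payloads around the ID payload.
ID_BODY = bytes([ID_IPV4_ADDR, 17, 0x01, 0xF4]) + ipaddress.IPv4Address("10.1.2.3").packed
SAMPLE_AGGRESSIVE = build_message(
    AGGRESSIVE_MODE, PAYLOAD_ID, struct.pack("!BBH", 0, 0, 4 + len(ID_BODY)) + ID_BODY)
SAMPLE_MAIN = build_message(MAIN_MODE, PAYLOAD_SA, struct.pack("!BBH", 0, 0, 8) + bytes(4))
```

Run over replies captured while testing the concentrator, a result with `aggressive` set to true shows the device still answers Aggressive Mode regardless of the SA settings.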
