IKE Aggressive Mode on VPN3K

Answered Question
May 23rd, 2008

Hi,

I have VPN 3005 with 4.7.2 OS (latest one to date). I am looking to disable Aggressive Mode processing (stick to Main Mode only) for Remove VPN clients. Please note, Remote VPN clients and NOT LAN-to-LAN connections.

So far I cannot see how this can be done.

TAC engineer is not coming up with good answers as well.

Anyhow has an idea?

Thanks!

David

I have this problem too.
0 votes
Correct Answer by cisco24x7 about 8 years 8 months ago

I don't think you can make Remote Access VPN on

the Concentrator work with Main mode, unless

you decide to use Certificate instead of

pre-shared key:

"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
michael.leblanc Fri, 05/23/2008 - 16:47

I'm not familiar with the hardware you are using, but sometimes knowing the commands used on one platform can help you figure out what is required on another.

In an IOS environment, the following command would accomplish the desired result:

#crypto isakmp aggressive-mode disable

Unfortunately, that's the best I can do.

cisco24x7 Mon, 05/26/2008 - 17:41

Configuration | Policy Management | Traffic Management | Security Associations | Modify

this will allow to select whether you want to have IKE in either aggressive or Main

mode. The default mode is "Main"

dknov Mon, 05/26/2008 - 19:27

Hi,

Thank you for your response, however this setting impacts only LAN-to-LAN tunnels and have no effect on Remote Access VPN, which is what I need (I had already verified this option)

Thanks,

David

Correct Answer
cisco24x7 Tue, 05/27/2008 - 03:44

I don't think you can make Remote Access VPN on

the Concentrator work with Main mode, unless

you decide to use Certificate instead of

pre-shared key:

"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"

dknov Tue, 05/27/2008 - 11:20

Thanks a lot. I was looking for this statement from Cisco on VPN3K not being able to handle Main Mode with XAUTH....

Can you send me the link you took this from?

Actions

This Discussion