05-23-2008 12:30 PM - edited 03-09-2019 08:46 PM
Hi,
I have VPN 3005 with 4.7.2 OS (latest one to date). I am looking to disable Aggressive Mode processing (stick to Main Mode only) for Remove VPN clients. Please note, Remote VPN clients and NOT LAN-to-LAN connections.
So far I cannot see how this can be done.
TAC engineer is not coming up with good answers as well.
Anyhow has an idea?
Thanks!
David
Solved! Go to Solution.
05-27-2008 03:44 AM
I don't think you can make Remote Access VPN on
the Concentrator work with Main mode, unless
you decide to use Certificate instead of
pre-shared key:
"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"
05-23-2008 04:47 PM
I'm not familiar with the hardware you are using, but sometimes knowing the commands used on one platform can help you figure out what is required on another.
In an IOS environment, the following command would accomplish the desired result:
#crypto isakmp aggressive-mode disable
Unfortunately, that's the best I can do.
05-26-2008 05:41 PM
Configuration | Policy Management | Traffic Management | Security Associations | Modify
this will allow to select whether you want to have IKE in either aggressive or Main
mode. The default mode is "Main"
05-26-2008 07:27 PM
Hi,
Thank you for your response, however this setting impacts only LAN-to-LAN tunnels and have no effect on Remote Access VPN, which is what I need (I had already verified this option)
Thanks,
David
05-27-2008 03:44 AM
I don't think you can make Remote Access VPN on
the Concentrator work with Main mode, unless
you decide to use Certificate instead of
pre-shared key:
"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"
05-27-2008 11:20 AM
Thanks a lot. I was looking for this statement from Cisco on VPN3K not being able to handle Main Mode with XAUTH....
Can you send me the link you took this from?
05-27-2008 11:30 AM
http://safari.oreilly.com/1587052253/ch06
CCIE Security
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: