cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1481
Views
0
Helpful
6
Replies

IKE Aggressive Mode on VPN3K

dknov
Level 3
Level 3

Hi,

I have VPN 3005 with 4.7.2 OS (latest one to date). I am looking to disable Aggressive Mode processing (stick to Main Mode only) for Remove VPN clients. Please note, Remote VPN clients and NOT LAN-to-LAN connections.

So far I cannot see how this can be done.

TAC engineer is not coming up with good answers as well.

Anyhow has an idea?

Thanks!

David

1 Accepted Solution

Accepted Solutions

I don't think you can make Remote Access VPN on

the Concentrator work with Main mode, unless

you decide to use Certificate instead of

pre-shared key:

"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"

View solution in original post

6 Replies 6

michael.leblanc
Level 4
Level 4

I'm not familiar with the hardware you are using, but sometimes knowing the commands used on one platform can help you figure out what is required on another.

In an IOS environment, the following command would accomplish the desired result:

#crypto isakmp aggressive-mode disable

Unfortunately, that's the best I can do.

Configuration | Policy Management | Traffic Management | Security Associations | Modify

this will allow to select whether you want to have IKE in either aggressive or Main

mode. The default mode is "Main"

Hi,

Thank you for your response, however this setting impacts only LAN-to-LAN tunnels and have no effect on Remote Access VPN, which is what I need (I had already verified this option)

Thanks,

David

I don't think you can make Remote Access VPN on

the Concentrator work with Main mode, unless

you decide to use Certificate instead of

pre-shared key:

"The Cisco VPN client uses aggressive mode if preshared keys are used and uses main mode when public key infrastructure (PKI) is used during Phase 1 of the tunnel negotiations. After bringing up the Internet Security Association and Key Management Protocol Security Association (ISAKMP SA) for secure communication, the Cisco VPN 3000 concentrator prompts the user to specify the user credentials. In this phase, also known as X-Auth or extended authentication, the VPN 3000 concentrator validates the user against the configured authentication database. If the user authentication is successful, the Cisco concentrator sends a successful authentication message back to the client. After X-Auth, the Cisco VPN client requests configuration parameters such as the assigned IP address, the Domain Name System (DNS) server's IP address, and the Windows Internet Naming Service (WINS) server's IP address. During this phase, known as mode-config, the VPN 3000 concentrator sends the configured parameters back to the client. The final step for a successful VPN tunnel is the negotiation of Phase 2 parameters"

Thanks a lot. I was looking for this statement from Cisco on VPN3K not being able to handle Main Mode with XAUTH....

Can you send me the link you took this from?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: