Disable aggressive mode

Unanswered Question
Nov 3rd, 2008

We wanted to know if there is a way to disable “Aggressive mode” on the VPN concentrator.


For example, on the ASA, we can do it using the command “isakmp am-disable”


On a router we can do it using the command “crypto isakmp aggressive-mode disable”.


Is there a similar command on the VPN concentrator?

Your help is appreciated.



dhananjoy chowdhury Mon, 11/03/2008 - 04:10

On the VPN Concentrator Web console, go to this page:

Configuration > Policy Management > Traffic Management > Security Associations


Select the IPSec SA created for the particular VPN session, then Modify.


Go under IKE Parameters and then change the Negotiation Mode.


Hope this Helps.

f.aoun Mon, 11/03/2008 - 05:27

Thx. Does this prevent a VPN client from using aggressive mode? From the tests it seems that it still can access using aggressive mode (is it normal?) (using preshared).

dhananjoy chowdhury Mon, 11/03/2008 - 07:12

The setting I had mentioned is only for a particular L2L IPSEC tunnel.

ajagadee Mon, 11/03/2008 - 10:48
User Badges:
  • Cisco Employee,

Fadi,


Are you using Pre-Shared Keys or Certificates for Authentication? Please refer to the link below for information on VPN Client AM and MM.


http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_data_sheet0900aecd801a9de9.html


Aggressive Mode is the default and the only mode available for Pre-shared key and Main Mode is only available for the Cert authentication.


So, it is my understanding that it is not possible for VPN clients to use main mode to authenticate to the VPN3000 with pre-shared keys.


Regards,

Arul


*Pls rate if it helps*
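
Whether a gateway still completes aggressive mode after a configuration change, as asked in this thread, can be confirmed from a packet capture. The following is an added example, not part of the original discussion: it reads the exchange-type field of the ISAKMP header (RFC 2408) and reports whether the gateway itself replied in aggressive mode. The addresses, sample packets and function names are constructed for illustration.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, total length.
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 3: "Authentication Only",
                  4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
AGGRESSIVE = 4


def parse_isakmp_header(payload: bytes, udp_port: int = 500) -> dict:
    """Decode the ISAKMP header from one UDP payload of an IKEv1 exchange."""
    if udp_port == 4500:  # NAT-T: IKE is prefixed with a 4-byte zero non-ESP marker
        if payload[:4] != b"\x00" * 4:
            raise ValueError("ESP-in-UDP packet, not IKE")
        payload = payload[4:]
    if len(payload) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, version, exch, _flags, _msgid, _len = HEADER.unpack_from(payload)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (aggressive mode exists only in IKEv1)")
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "exchange_type": exch, "mode": EXCHANGE_TYPES.get(exch, f"unknown ({exch})")}


def gateway_answers_aggressive(packets, gateway_ip: str) -> bool:
    """True if the gateway itself sent an Aggressive Mode message, i.e. it
    answered the exchange instead of ignoring it or sending an Informational."""
    for src_ip, udp_port, payload in packets:
        try:
            hdr = parse_isakmp_header(payload, udp_port)
        except ValueError:
            continue  # skip non-IKEv1 or malformed packets
        if src_ip == gateway_ip and hdr["exchange_type"] == AGGRESSIVE:
            return True
    return False


def sample_packet(exch: int, rcookie: bytes = b"\x00" * 8) -> bytes:
    """Constructed header-only test packet (no payloads follow the header)."""
    return HEADER.pack(b"\x11" * 8, rcookie, 1, 0x10, exch, 0, 0, HEADER.size)


# Constructed capture: documentation addresses, gateway assumed to be 192.0.2.1.
CAPTURE = [("198.51.100.7", 500, sample_packet(4)),               # client opens in aggressive mode
           ("192.0.2.1", 500, sample_packet(4, b"\x22" * 8))]    # gateway replies in aggressive mode

if __name__ == "__main__":
    for src, port, data in CAPTURE:
        print(src, parse_isakmp_header(data, port)["mode"])
    print("gateway answers aggressive mode:", gateway_answers_aggressive(CAPTURE, "192.0.2.1"))
```

To run it against real traffic, feed it the source IP, UDP port and UDP payload of each packet on ports 500 and 4500 from a capture taken at the gateway.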




