11-25-2008 03:37 AM - edited 03-11-2019 07:17 AM
We have a requirement to disable IKE aggressive mode. We are running an ASA v7 and I know how to do this ("isakmp am-disable") but I'm not sure what impact it will have on our existing VPN set-up.
We are using pre-shared keys.
We have remote offices (typically Cisco 800 series routers) which connect over IPSEC VPN with our head office and I'm pretty sure they are fine with main mode negotiation only (indeed, I have already disabled aggressive mode on these routers using "crypto isakmp aggressive-mode disable" with no adverse effects (as far as I know!)
However, we also have remote users that connect using the Cisco VPN client software and this is what I'm not so sure about. If I disable aggressive mode on the ASA, is there likely to be any impact on Cisco VPN Client software users? (We probably have a few versions of the VPN Client software out there but should all be at least v4)
Is there any way to determine (through the VPN Client logs) whether its using main mode or aggressive mode?
Thanks.
11-25-2008 04:38 AM
VPN clients ONLY use aggressive mode. That's
just the way it is. If you want to use Main
Mode in remote access clients, use other
vendors besides Cisco
12-26-2012 11:59 PM
does cisco any connect ssl vpn still use aggressive mode?
08-09-2016 09:14 AM
I have Cisco ASA running IKE aggressive mode. My questions are below.
Would it be service affecting if aggressive mode disables?
How can i change IKE to Main mode ?
Does it mean that remote end ASA also requires to have aggressive mode disable?
Is it service affecting task?
Thank you
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: