VPN Main Mode or Aggressive Mode

I have an ASA 5510 configured for the remote VPN Client and a site-to-site VPN (ASA 5505 to ASA 5510).

One of my customers wants to establish a site-to-site VPN to my network, but it is not working (no Cisco firewall).

He asked me if it is possible to change my VPN configuration. He wants to use VPN aggressive mode instead of main mode.

1) How do I configure aggressive mode?

2) If I activate aggressive mode, can I have problems with my remote VPN?

Thanks for your help

Difan Zhao Thu, 02/19/2009 - 13:02

By default the ASA uses aggressive mode...

Do you see this command in your running config?

crypto isakmp am-disable

If you do see it, then your ASA is using main mode. Run "no crypto isakmp am-disable" to use aggressive mode.

The change is global. After it, your remote VPN users will need to use aggressive mode too, but I don't think you need to reconfigure anything on their VPN client.

Patrick0711 Mon, 03/02/2009 - 20:59

1.) crypto map {map name}{#} set phase1-mode aggressive

2.) Aggressive mode uses 3 exchanges instead of the 6 used in main mode to establish the ISAKMP SA.

The devices will exchange their SA parameters, DH key and nonce values, and their ISAKMP identity in a single exchange.
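As an added example (not from any poster in this thread): a small Python parser for the fixed ISAKMP header (RFC 2408) that reports, per initiator SPI, whether a phase 1 negotiation seen on UDP/500 used main mode (exchange type 2) or aggressive mode (exchange type 4) and counts its messages, so the 6-versus-3 difference described above can be confirmed on a real capture instead of assumed from the config. The datagrams it builds for demonstration are constructed with zero-filled bodies, not captured traffic.

```python
"""Tell IKEv1 main mode from aggressive mode by parsing raw ISAKMP (UDP/500) datagrams."""
import struct
from dataclasses import dataclass

# Fixed 28-byte ISAKMP header, RFC 2408 section 3.1.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}

@dataclass
class IsakmpHeader:
    initiator_spi: bytes   # "initiator cookie" in RFC 2408 terms
    responder_spi: bytes
    next_payload: int
    version: int           # high nibble = major version, 1 for IKEv1
    exchange_type: int
    flags: int
    message_id: int        # always 0 in phase 1
    length: int            # total datagram length, header included

    @property
    def mode(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"unknown ({self.exchange_type})")

def parse_isakmp_header(payload: bytes) -> IsakmpHeader:
    """Parse and sanity-check the header of one ISAKMP datagram."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    hdr = IsakmpHeader(*ISAKMP_HDR.unpack_from(payload))
    if hdr.version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {hdr.version >> 4})")
    if hdr.length != len(payload):
        raise ValueError("ISAKMP length field does not match datagram size")
    return hdr

def build_packet(exchange_type: int, init_spi: bytes, resp_spi: bytes,
                 body_len: int = 0, version: int = 0x10) -> bytes:
    """Constructed demo datagram: a real header over a zero-filled body (no real payloads)."""
    length = ISAKMP_HDR.size + body_len
    return ISAKMP_HDR.pack(init_spi, resp_spi, 1, version, exchange_type,
                           0, 0, length) + b"\x00" * body_len

def summarize_phase1(datagrams) -> dict:
    """Group datagrams by initiator SPI -> (mode, message count).
    A complete main mode negotiation shows 6 messages per SPI, aggressive mode 3."""
    seen = {}
    for d in datagrams:
        h = parse_isakmp_header(d)
        mode, n = seen.get(h.initiator_spi.hex(), (h.mode, 0))
        seen[h.initiator_spi.hex()] = (mode, n + 1)
    return seen
```

Feed it the UDP payloads of port 500 packets from a capture (e.g. exported with a packet tool) and each initiator SPI comes back with the mode its peer actually negotiated.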
