02-19-2009 12:42 PM
Hello,
I have an ASA 5510 configured for remote VPN Client and site-to-site VPN (ASA 5505 to ASA 5510).
One of my customers wants to establish a site-to-site VPN to my network, but it is not working (no Cisco firewall).
He asked me whether it is possible to change my VPN configuration. He wants to use VPN aggressive mode instead of main mode.
1) How do I configure aggressive mode?
2) If I activate aggressive mode, can I have problems with my remote VPN?
Thanks for your help
02-19-2009 01:02 PM
By default the ASA uses aggressive mode...
Do you see this command in your running config?
crypto isakmp am-disable
If you do see it, then your ASA is using Main mode. Run "no crypto isakmp am-disable" to use aggressive mode.
The change is a global change. After it your remote VPN users will need to use aggressive mode too but I don't think you need to reconfigure anything on their VPN client.
03-02-2009 08:59 PM
1.) crypto map {map name}{#} set phase1-mode aggressive
2.) Aggressive mode uses 3 exchanges instead of the 6 used in main mode to establish the ISAKMP SA.
The devices will exchange their SA parameters, DH key & nonce value, and their ISAKMP identity in a single exchange.
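To see which of the two commands mentioned in this thread are present on an ASA before changing anything, here is an added example (not part of any post above and not Cisco code) that scans a saved running-config for the global `am-disable` line and for crypto map entries set to aggressive mode. The sample config, map name, ACL names and peer addresses are constructed; accepting the `ikev1` keyword used by later ASA releases is an addition beyond the commands quoted in the thread.

```python
import re

# Constructed sample running-config (map name, ACL names and peers are made up).
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_BRANCH
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 match address VPN_CUSTOMER
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
crypto map OUTSIDE_MAP 20 set phase1-mode aggressive
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp am-disable
"""

# The two commands from the thread; later ASA releases use "ikev1" in place of "isakmp".
AM_DISABLE = re.compile(r"^(no\s+)?crypto (?:isakmp|ikev1) am-disable\s*$")
PHASE1 = re.compile(
    r"^crypto map (\S+) (\d+) set (?:ikev1 )?phase1-mode (main|aggressive)\b")

def audit_phase1(config_text):
    """Return the global am-disable state and crypto map entries set to aggressive."""
    am_disabled = False
    aggressive = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AM_DISABLE.match(line)
        if m:
            # A leading "no" means the disable command has been removed.
            am_disabled = m.group(1) is None
            continue
        m = PHASE1.match(line)
        if m and m.group(3) == "aggressive":
            aggressive.append((m.group(1), int(m.group(2))))
    return {"am_disabled": am_disabled, "aggressive_entries": aggressive}

def report(result):
    """Turn the audit result into lines suitable for a change ticket."""
    state = "present" if result["am_disabled"] else "absent"
    lines = ["global am-disable command: " + state]
    for name, seq in result["aggressive_entries"]:
        lines.append("crypto map %s %d: phase1-mode aggressive" % (name, seq))
    if not result["aggressive_entries"]:
        lines.append("no crypto map entry is set to phase1-mode aggressive")
    return lines

if __name__ == "__main__":
    print("\n".join(report(audit_phase1(SAMPLE_CONFIG))))
```
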