VPN Main Mode or Aggressive Mode

phiz.petry
Level 1

Hello,

I have an ASA 5510 configured for remote VPN Client and site-to-site VPN (ASA 5505 to ASA 5510).

One of my customers wants to establish a site-to-site VPN to my network, but it is not working (no Cisco firewall).

He asked me if it is possible to change my VPN configuration. He wants to use VPN aggressive mode instead of main mode.

1) How do I configure aggressive mode?

2) If I activate aggressive mode, can I have problems with my remote VPN?

Thanks for your help

2 Replies

Difan Zhao
Level 5

By default the ASA uses aggressive mode...

Do you see this command in your running config?

crypto isakmp am-disable

If you do see it then your ASA is using Main mode. Run "no crypto isakmp am-disable" to use aggressive mode.

The change is a global change. After it your remote VPN users will need to use aggressive mode too but I don't think you need to reconfigure anything on their VPN client.

Patrick0711
Level 3

1.) crypto map {map name} {#} set phase1-mode aggressive

2.) Aggressive mode uses 3 exchanges instead of the 6 used in main mode to establish the ISAKMP SA.

The devices will exchange their SA parameters, DH key & nonce value, and their ISAKMP identity in a single exchange.
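
A check for the two settings named in the replies above, as an added example that is not part of the original thread: it parses saved "show running-config" text and reports whether "crypto isakmp am-disable" is present and which crypto map entries set "phase1-mode aggressive". The sample configuration, map name and peer addresses are constructed, and accepting the "ikev1" keyword spelling of both commands is an assumption about later ASA releases.

```python
import re

# Constructed sample (not from the thread): map name, ACL names and peers are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp am-disable
crypto map OUTSIDE_MAP 10 match address VPN_BRANCH
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 match address VPN_CUSTOMER
crypto map OUTSIDE_MAP 20 set peer 198.51.100.20
crypto map OUTSIDE_MAP 20 set phase1-mode aggressive
crypto map OUTSIDE_MAP interface outside
"""

# "isakmp" is the spelling used in the thread; accepting "ikev1" is an assumption
# about later ASA releases.
AM_DISABLE = re.compile(r"^(no\s+)?crypto\s+(?:isakmp|ikev1)\s+am-disable$")
MAP_ENTRY = re.compile(r"^crypto\s+map\s+(\S+)\s+(\d+)\s+set\s+(.+)$")
PHASE1 = re.compile(r"^(?:ikev1\s+)?phase1-mode\s+(main|aggressive)\b")

def audit_phase1(config_text):
    """Return the global am-disable state and the phase 1 mode set per crypto map entry."""
    am_disable = False
    entries = {}  # (map name, sequence number) -> {"peers": [...], "mode": str or None}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AM_DISABLE.match(line)
        if m:
            am_disable = m.group(1) is None  # a "no ..." form clears the setting
            continue
        m = MAP_ENTRY.match(line)
        if not m:
            continue  # "match address", "interface" and unrelated lines are skipped
        entry = entries.setdefault((m.group(1), int(m.group(2))), {"peers": [], "mode": None})
        setting = m.group(3)
        if setting.startswith("peer "):
            entry["peers"] += setting.split()[1:]
        else:
            p = PHASE1.match(setting)
            if p:
                entry["mode"] = p.group(1)
    aggressive = sorted(k for k, v in entries.items() if v["mode"] == "aggressive")
    return {"am_disable": am_disable, "entries": entries, "aggressive_entries": aggressive}

if __name__ == "__main__":
    report = audit_phase1(SAMPLE_CONFIG)
    print("am-disable present:", report["am_disable"])
    print("entries set to aggressive:", report["aggressive_entries"])
```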
