VPN Configured With Aggressive Mode Enabled

Answered Question
May 10th, 2010

Hi,

Can anyone tell me what the above message means and how to resolve it?

Thanks

coto.fusionet Mon, 05/10/2010 - 06:50

Hi,

Both Main Mode and Aggressive Mode are IKE Phase 1 exchange methods.
Main mode is the default and recommended (more secure) exchange method because it consists of six exchange messages.
Aggressive mode squeezes the IKE SA negotiation into three packets.

You can configure the device to use aggressive mode if needed or disable it.
What device are we talking about?

Federico.

networker101 Mon, 05/10/2010 - 07:17

Hi,

This is on the ASA5520. How can I change them to normal mode?

Thanks

Ellech

coto.fusionet Mon, 05/10/2010 - 07:22

crypto isakmp am-disable
The above command disables inbound aggressive mode connections.

Please rate helpful posts.

Federico.

Correct Answer
coto.fusionet Mon, 05/10/2010 - 08:14

The command will disable inbound aggressive mode connections.

If you want, there's an option to disable inbound aggressive mode connections on the tunnel-group as well.

tunnel-group xxxxxx ipsec-attributes

  isakmp am-disable

In this way you disable inbound aggressive mode connections from a specific peer.

If a peer tries to establish an aggressive mode connection, you should see a message like this in the logs:

"Unable to initiate or respond to Aggressive Mode while disabled"

This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode.

Federico.
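
An added example, not part of the thread and not Cisco tooling: a small audit that reads a saved running-config and lists the tunnel-groups that still accept inbound aggressive mode, using only the two commands quoted in the answer above. The sample config, the peer addresses and the function names are constructed for illustration, and it assumes sub-commands are indented under their tunnel-group line as the running-config displays them.

```python
import re

# Constructed sample of an ASA-style running-config (not from the thread).
SAMPLE_CONFIG = """\
crypto isakmp enable outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *****
 isakmp am-disable
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *****
tunnel-group EZVPN type remote-access
tunnel-group EZVPN ipsec-attributes
 pre-shared-key *****
"""

def audit_aggressive_mode(config_text):
    """Return (global_disabled, {tunnel_group: am_disabled})."""
    global_disabled = False
    groups = {}
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        indented = line[0].isspace()
        text = line.strip()
        if not indented:
            current = None  # any top-level line closes the previous block
            m = re.match(r"tunnel-group (\S+) ipsec-attributes$", text)
            if m:
                current = m.group(1)
                groups.setdefault(current, False)
            elif text == "crypto isakmp am-disable":
                global_disabled = True
        elif current and text == "isakmp am-disable":
            groups[current] = True
    return global_disabled, groups

def exposed_groups(config_text):
    """Tunnel-groups that still accept inbound aggressive mode."""
    global_disabled, groups = audit_aggressive_mode(config_text)
    if global_disabled:
        return []  # the global command covers every tunnel-group
    return sorted(name for name, off in groups.items() if not off)

if __name__ == "__main__":
    print(exposed_groups(SAMPLE_CONFIG))
```

A group reported here that serves Easy VPN clients with preshared keys will stop accepting those clients once the command is applied, as the answer above points out.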

Posted May 10, 2010 at 5:06 AM