We have discovered a [new] feature [new to us] that allows ISAKMP to run in non-aggressive mode and authenticate each peer while at the same time blocking (dropping) requests for aggressive mode connections, mainly from remote clients. It seems this is a good, fast way to completely block connections trying to avoid authentication.
While utilizing Wireshark (monitoring the egress switch port), renegotiating the link takes milliseconds. It seems to work very fast.
Are there pitfalls or drawbacks to using the non-aggressive mode?
Are there additional features similar to non-aggressive mode we could implement to assist in securing our DMVPN IPsec setup?
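
An added example, not part of the original post: one way to confirm from a capture that aggressive mode requests are really being dropped is to read the exchange type in each ISAKMP header (RFC 2408) and list the aggressive mode initiations that never received a reply. It assumes the UDP/500 payloads have already been exported from the capture as `(src, dst, payload)` tuples; the function names, addresses and packets below are constructed for illustration.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order.
# icookie(8) rcookie(8) next_payload(1) version(1) exchange(1) flags(1) msg_id(4) length(4)
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}

def parse_header(payload):
    """Return the header fields, or None if the payload is not plausible IKEv1."""
    if len(payload) < HDR.size:
        return None
    icookie, rcookie, _nxt, version, xchg, _flags, msg_id, length = HDR.unpack_from(payload)
    if version != 0x10 or length < HDR.size:  # IKEv1 is major 1, minor 0
        return None
    return {"icookie": icookie, "rcookie": rcookie,
            "exchange": EXCHANGE.get(xchg, f"other({xchg})"), "msg_id": msg_id}

def unanswered_aggressive(packets):
    """packets: (src, dst, udp_payload) tuples in capture order.
    Returns (initiator, responder) pairs whose aggressive mode request
    saw no reply carrying the same initiator cookie."""
    pending = {}
    for src, dst, payload in packets:
        hdr = parse_header(payload)
        if hdr is None:
            continue
        first_msg = hdr["rcookie"] == bytes(8)  # responder cookie is zero in message 1
        if hdr["exchange"] == "aggressive" and first_msg:
            pending[hdr["icookie"]] = (src, dst)   # retransmits overwrite the same key
        elif pending.get(hdr["icookie"]) == (dst, src):
            del pending[hdr["icookie"]]            # the responder answered this cookie
    return sorted(pending.values())

def _hdr(icookie, rcookie, xchg):
    """Build a bare header for the constructed sample (no payloads follow)."""
    return HDR.pack(icookie, rcookie, 1, 0x10, xchg, 0, 0, HDR.size)

# Constructed sample capture using documentation address ranges.
SAMPLE = [
    ("198.51.100.7", "192.0.2.1", _hdr(b"A" * 8, bytes(8), 4)),   # aggressive request
    ("198.51.100.7", "192.0.2.1", _hdr(b"A" * 8, bytes(8), 4)),   # retransmit, still no reply
    ("203.0.113.9", "192.0.2.1", _hdr(b"B" * 8, bytes(8), 2)),    # main mode request
    ("192.0.2.1", "203.0.113.9", _hdr(b"B" * 8, b"R" * 8, 2)),    # main mode reply
    ("203.0.113.20", "192.0.2.1", _hdr(b"C" * 8, bytes(8), 4)),   # aggressive request
    ("192.0.2.1", "203.0.113.20", _hdr(b"C" * 8, b"S" * 8, 4)),   # answered: not blocked
]

if __name__ == "__main__":
    for initiator, responder in unanswered_aggressive(SAMPLE):
        print(f"aggressive mode from {initiator} to {responder}: no reply seen")
```

An answered aggressive mode request, like the third peer in the sample, means the responder is still accepting that mode on the interface being monitored.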