Impact of disabling IKE aggressive mode on Cisco VPN Client users?
We have a requirement to disable IKE aggressive mode. We are running an ASA v7 and I know how to do this ("isakmp am-disable") but I'm not sure what impact it will have on our existing VPN set-up.
We are using pre-shared keys.
We have remote offices (typically Cisco 800 series routers) which connect over IPSEC VPN with our head office and I'm pretty sure they are fine with main mode negotiation only (indeed, I have already disabled aggressive mode on these routers using "crypto isakmp aggressive-mode disable" with no adverse effects (as far as I know!)
However, we also have remote users that connect using the Cisco VPN client software and this is what I'm not so sure about. If I disable aggressive mode on the ASA, is there likely to be any impact on Cisco VPN Client software users? (We probably have a few versions of the VPN Client software out there but should all be at least v4)
Is there any way to determine (through the VPN Client logs) whether its using main mode or aggressive mode?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...