Cisco Support Community

New Member

Is there any way to force SA negotiations to Main Mode?

I have a 3005 set up at a central site

I recently set up a testing group to test pushing down split-tunneling and firewall policies. I debugged the output (using Log Viewer on the Cisco Software Client) only to find that the Client is only negotiating SAs in Aggressive Mode. I reviewed the Event Log of the Concentrator only to notice that all of the remote user VPN group connections (Software Client and EasyVPNRemote) were negotiating SAs in Aggressive Mode. Since I am using pre-shared keys, I would really like for them to establish the secure tunnel before they send their attributes. Is there any way to force the Concentrator and Clients to negotiate in Main Mode only?

2 REPLIES
Bronze

Re: Is there any way to force SA negotiations to Main Mode?

Hi d-garnett,

MM only gives you identity protection. The ISAKMP proposals exchanged in the negotiations are not encrypted in both MM and AM. I am not sure what other attributes you are mentioning. Could you explain in more detail?

In any case, VPN client 3.x only supports AM for pre-shared key tunnels and MM for cert-based tunnels.

Hope that helps.

Jazib

New Member

Re: Is there any way to force SA negotiations to Main Mode?

Thanks Jazib,

I did not know that the Client software can only negotiate in Aggressive Mode when using pre-shared keys. As far as other attributes, I was mainly speaking of things like Vendor IDs.

For example (from the 6th line of the debug):

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID)

Thanks again for the information.
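To make the difference between the two modes visible in a client log, here is an added example (not from the thread or from Cisco) that parses "ISAKMP OAK" lines in the Log Viewer format quoted above and flags every Phase 1 message whose ID payload travels outside the encrypted part of the exchange. The sample log is constructed; the asterisk before a payload list marking an encrypted message, and the MM/QM lines, are assumptions about the format and are not from the thread.

```python
import re
from collections import Counter

# Constructed sample in the style of the Cisco VPN Client Log Viewer. Line 2 is
# the shape quoted in the thread; the others are assumed for contrast. A leading
# "*" before the payload list is assumed to mark an encrypted message.
SAMPLE_LOG = """\
Starting IKE Phase 1 Negotiation
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to 203.0.113.10
RECEIVED <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID, VID) from 203.0.113.10
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT) to 203.0.113.10
SENDING >>> ISAKMP OAK MM (SA, VID, VID) to 203.0.113.11
SENDING >>> ISAKMP OAK MM *(ID, CERT, SIG) to 203.0.113.11
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 203.0.113.10
"""

IKE_LINE = re.compile(
    r"(?P<dir>SENDING|RECEIVED)\s*[<>]{3}\s*ISAKMP OAK "
    r"(?P<mode>AG|MM|QM|INFO)\s*(?P<enc>\*?)\((?P<payloads>[^)]*)\)"
)

def parse_ike_lines(text):
    """Return one record per ISAKMP OAK line: direction, exchange type,
    whether the message was encrypted, and the list of payload names."""
    records = []
    for line in text.splitlines():
        m = IKE_LINE.search(line)
        if not m:
            continue
        payloads = [p.strip() for p in m.group("payloads").split(",") if p.strip()]
        records.append({"direction": m.group("dir"), "mode": m.group("mode"),
                        "encrypted": m.group("enc") == "*", "payloads": payloads})
    return records

def audit_phase1(records):
    """Count Phase 1 exchanges by mode and flag each Phase 1 message that
    carries an ID payload in cleartext: Aggressive Mode always does this,
    Main Mode only sends ID after the exchange is encrypted."""
    counts = Counter(r["mode"] for r in records if r["mode"] in ("AG", "MM"))
    findings = []
    for r in records:
        if r["mode"] in ("AG", "MM") and "ID" in r["payloads"] and not r["encrypted"]:
            findings.append(f"{r['mode']} {r['direction']}: ID payload sent in cleartext "
                            f"alongside {r['payloads'].count('VID')} VID payload(s)")
    return counts, findings

if __name__ == "__main__":
    counts, findings = audit_phase1(parse_ike_lines(SAMPLE_LOG))
    print(dict(counts))
    print("\n".join(findings))
```

Run against a real Log Viewer export, a non-empty findings list means the peer identity was negotiated with a pre-shared key in Aggressive Mode, which is the behaviour the thread describes.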
