Is there any way to force SA negotiations to Main Mode?
I have a 3005 set up at a central site.
I recently set up a testing group to test pushing down split-tunneling and firewall policies. I debugged the output (using Log Viewer on the Cisco Software Client) only to find that the Client is only negotiating SAs in Aggressive Mode. I reviewed the Event Log of the Concentrator only to notice that all of the remote user VPN group connections (Software Client and EasyVPNRemote) were negotiating SAs in Aggressive Mode. Since I am using pre-shared keys, I would really like for them to establish the secure tunnel before they send their attributes. Is there any way to force the Concentrator and Clients to negotiate in Main Mode only?
Re: Is there any way to force SA negotiations to Main Mode?
MM only gives you Identity protection. The isakmp proposals exchanged in the negotiations are not encrypted in both MM and AM. I am not sure what other attributes you are mentioning. Could you explain in more detail?
In any case, VPN client 3.x only supports AM for the Preshared key tunnels and MM for Cert based tunnels.
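To check from a packet capture which phase 1 mode a peer uses and whether its ID payload crosses the wire unencrypted (the identity protection discussed above), the sketch below parses the ISAKMP header and walks the cleartext payload chain. It is an added example, not part of the original thread or any Cisco tool; the type numbers come from RFC 2408, and the `classify`/`build` helpers and the sample messages are constructed for illustration.

```python
import struct

# Exchange and payload type numbers from RFC 2408 (ISAKMP).
EXCHANGE = {2: "main", 4: "aggressive"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
HDR = struct.Struct(">8s8sBBBBII")   # 28-byte ISAKMP header
ENC_FLAG = 0x01                      # "E" bit: payloads after the header are encrypted


def classify(msg: bytes) -> dict:
    """Report the phase 1 mode of one ISAKMP message and whether ID is sent in clear."""
    if len(msg) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, _mid, length = HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field does not match datagram size")
    encrypted = bool(flags & ENC_FLAG)
    payloads, off = [], HDR.size
    # The payload chain can only be walked when the E bit is clear.
    while nxt != 0 and not encrypted:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _rsv, plen = struct.unpack_from(">BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(nxt, str(nxt)))
        nxt, off = following, off + plen
    return {"mode": EXCHANGE.get(exch, f"other({exch})"),
            "encrypted": encrypted,
            "payloads": payloads,
            "id_in_clear": "ID" in payloads}


def build(exch, flags, chain, body=b""):
    """Constructed sample message; chain is a list of (payload type, payload bytes)."""
    out = b""
    for i, (_ptype, data) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        out += struct.pack(">BBH", following, 0, 4 + len(data)) + data
    out += body
    first = chain[0][0] if chain else 5   # encrypted MM message 5 still announces ID
    return HDR.pack(b"I" * 8, bytes(8), first, 0x10, exch, flags, 0, HDR.size + len(out)) + out


# Constructed samples (dummy payload bodies, not real captures).
AM1 = build(4, 0, [(1, b"\0" * 8), (4, b"\0" * 16), (10, b"\0" * 8), (5, b"vpngroup")])
MM1 = build(2, 0, [(1, b"\0" * 8)])
MM5 = build(2, ENC_FLAG, [], body=b"\0" * 32)
```

Run against the first message from each initiator, an `id_in_clear` result of `True` marks peers whose group identity is visible to anyone on the path.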