Cisco Support Community
Disabling aggressive mode on site-to-site VPN

I have a site-to-site VPN tunnel set up between two ASA firewalls, but I need to disable aggressive mode for security reasons.

This is a pretty standard setup, with AES256, pre-shared keys, etc. No PFS.

When I do a "show crypto ipsec sa detail" I don't see any references to aggressive mode in there.

If I disable this in order to go to strict main-mode, will it break the VPN?

1 REPLY
The command to disable aggressive mode is "crypto ikev1 am-disable".

For good measure you may want to use group 5 in your crypto ikev1 policy.

Disabling aggressive mode *shouldn't* drop your VPN connection but it would still probably be best to do it after hours just in case.

Kevin
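Aggressive mode is an IKE Phase 1 property, so it never shows up in `show crypto ipsec sa` (Phase 2); the place to check is the IKEv1 configuration itself. As an added example, not code from the thread or from Cisco, the Python script below audits a constructed ASA running-config excerpt for the two points in the reply (whether `crypto ikev1 am-disable` is present, and which DH group each `crypto ikev1 policy` uses) and emits the remediation commands; the sample config and the choice of groups 1 and 2 as "weak" are assumptions.

```python
import re

# Constructed ASA running-config excerpt (not from the original post): policy 20
# deliberately uses DH group 2 and "crypto ikev1 am-disable" is absent.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""
POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
WEAK_GROUPS = {"1", "2"}  # assumption: groups the reply's "use group 5" advice moves away from

def audit_ikev1(config: str) -> dict:
    """Parse IKEv1 Phase 1 settings and report aggressive-mode / DH-group findings."""
    am_disabled, policies, current = False, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level command ends any policy block
            current = None
            if line == "crypto ikev1 am-disable":
                am_disabled = True
            elif (m := POLICY_RE.match(line)):
                current = m.group(1)
                policies[current] = {}
        elif current is not None:             # indented line belongs to the current policy
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
    weak = sorted((n for n, p in policies.items() if p.get("group") in WEAK_GROUPS), key=int)
    return {"am_disabled": am_disabled, "policies": policies, "weak_group_policies": weak}

def remediation_lines(findings: dict) -> list:
    """Config lines that address the findings, using the commands from the reply."""
    lines = [] if findings["am_disabled"] else ["crypto ikev1 am-disable"]
    for n in findings["weak_group_policies"]:
        lines += [f"crypto ikev1 policy {n}", " group 5"]
    return lines

if __name__ == "__main__":
    findings = audit_ikev1(SAMPLE_CONFIG)
    print(findings)
    print("\n".join(remediation_lines(findings)))
```

Run it against the output of `show running-config` to get the same findings for a real box; an empty remediation list means both of the reply's points are already in place.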
