Cisco Support Community

New Member

VPN Main Mode or Aggressive Mode

Hello,

I have an ASA 5510 configured for remote VPN Client and site-to-site VPN (ASA 5505 to ASA 5510).

One of my customers wants to establish a site-to-site VPN to my network, but it is not working (no Cisco firewall).

He asked me if it is possible to change my VPN configuration. He wants to use VPN aggressive mode instead of main mode.

1) How do I configure aggressive mode?

2) If I activate aggressive mode, can I have problems with my remote VPN?

Thanks for your help

2 REPLIES
New Member

Re: VPN Main Mode or Aggressive Mode

By default the ASA uses aggressive mode...

Do you see this command in your running config?

crypto isakmp am-disable

If you do see it, then your ASA is using main mode. Run "no crypto isakmp am-disable" to use aggressive mode.

The change is a global change. After it, your remote VPN users will need to use aggressive mode too, but I don't think you need to reconfigure anything on their VPN client.

Bronze

Re: VPN Main Mode or Aggressive Mode

1.) crypto map {map name}{#} set phase1-mode aggressive

2.) Aggressive mode uses 3 exchanges instead of the 6 used in main mode to establish the ISAKMP SA.

The devices will exchange their SA parameters, DH key & nonce value, and their ISAKMP identity in a single exchange.
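
Added example, not part of the thread or of Cisco's tooling: a Python check that reads a saved running-config and reports the two settings the replies mention, the global `crypto isakmp am-disable` line and any per-entry `set phase1-mode aggressive`. This is worth auditing because aggressive mode with pre-shared keys exposes the peer identity and a key-derived hash to offline guessing. The sample config, map name and peer addresses are constructed, and the `ikev1` keyword spelling is an assumption for later ASA releases.

```python
import re

# Constructed sample running-config fragment (names and addresses are made up).
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
crypto map OUTSIDE_MAP 20 set phase1-mode aggressive
crypto map OUTSIDE_MAP interface outside
"""

# Global switch from the first reply. The "ikev1" spelling is an assumption
# for later ASA releases; the thread itself only shows "isakmp".
AM_DISABLE = re.compile(r"^crypto (?:isakmp|ikev1) am-disable$")
# Per-entry setting from the second reply: crypto map <name> <seq> set phase1-mode ...
PHASE1 = re.compile(
    r"^crypto map (\S+) (\d+) set (?:ikev1 )?phase1-mode (main|aggressive)\b"
)

def audit_phase1_mode(config_text):
    """Report where a saved ASA config allows or requests aggressive mode."""
    am_disable_present = False
    aggressive_entries = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        # Anchoring at "crypto" skips the negated form "no crypto isakmp am-disable".
        if AM_DISABLE.match(line):
            am_disable_present = True
            continue
        m = PHASE1.match(line)
        if m and m.group(3) == "aggressive":
            aggressive_entries.append((m.group(1), int(m.group(2))))

    findings = []
    if not am_disable_present:
        findings.append("am-disable not set: aggressive mode is globally enabled")
    for name, seq in aggressive_entries:
        findings.append(f"crypto map {name} {seq}: phase 1 set to aggressive")
    return {
        "am_disable_present": am_disable_present,
        "aggressive_entries": sorted(aggressive_entries),
        "findings": findings,
    }

if __name__ == "__main__":
    for finding in audit_phase1_mode(SAMPLE_CONFIG)["findings"]:
        print(finding)
```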
