
VPN3000 Aggressive Mode

Hi,

Following the security flaw existing in aggressive mode IPsec, is there a way to deactivate aggressive mode on the VPN3000 Concentrator? All my SAs are in main mode, but it seems it still answers an aggressive handshake (verified with a tool like ike-scan).

If it's not possible to deactivate it, can I mask the ID returned in the handshake, as it is the private IP?

Thanks

3 REPLIES

Re: VPN3000 Aggressive Mode

Hi,

Go to:

Traffic Management | Security Associations

Edit them and under "IKE Parameters" select all to have Negotiation as Main.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee22f.html#wp1556802

Please rate if this helped.

Regards,

Daniel


Re: VPN3000 Aggressive Mode

Hi,

All negotiations are "Main Mode" in "IKE Parameters", but it still answers to an Aggressive handshake.

Any idea?


Re: VPN3000 Aggressive Mode

I too would like to know the best fix for this.

According to:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_security_notice09186a008016b57f.html

"When responding to IPSec session initialization, Cisco IOS® software may use Aggressive Mode even if it has not been explicitly configured to do so."
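For auditing your own gateway, the following added example (not part of the original thread or any Cisco tooling) parses a captured IKEv1 reply to confirm whether it is an Aggressive Mode exchange and which identity it exposes in cleartext. The function names, the sample packets and the address 10.1.2.3 are constructed for illustration; only unencrypted IKEv1 messages are handled.

```python
import ipaddress
import struct

# Exchange type values from RFC 2408, section 3.1
EXCHANGES = {2: "Main Mode (Identity Protection)", 4: "Aggressive Mode"}
ID_PAYLOAD, ID_IPV4_ADDR = 5, 1   # payload type / ID type (RFC 2408, RFC 2407)

def parse_isakmp(packet: bytes) -> dict:
    """Report the exchange type and any cleartext ID payloads of an IKEv1 message."""
    if len(packet) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    nxt, _ver, exch, flags, _mid, length = struct.unpack("!BBBBII", packet[16:28])
    if length > len(packet):
        raise ValueError("truncated message")
    info = {"exchange": EXCHANGES.get(exch, f"type {exch}"),
            "aggressive": exch == 4, "ids": []}
    offset = 28
    while nxt != 0 and not flags & 0x01:       # stop if the body is encrypted
        if offset + 4 > length:
            raise ValueError("payload header runs past end of message")
        following, _rsv, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > length:
            raise ValueError("bad payload length")
        if nxt == ID_PAYLOAD and plen >= 8:
            id_type, data = packet[offset + 4], packet[offset + 8:offset + plen]
            ipv4 = id_type == ID_IPV4_ADDR and len(data) == 4
            value = str(ipaddress.IPv4Address(data)) if ipv4 else data.decode("ascii", "replace")
            info["ids"].append((id_type, value))
        nxt, offset = following, offset + plen
    return info

def build_sample(exchange: int, payloads: list) -> bytes:
    """Constructed test message: fixed cookies, payloads given as (type, body)."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    header = b"\x11" * 8 + b"\x22" * 8 + struct.pack(
        "!BBBBII", payloads[0][0], 0x10, exchange, 0, 0, 28 + len(body))
    return header + body

# Constructed samples: placeholder SA body, ID payload carrying 10.1.2.3 (UDP/500)
SA_BODY = bytes(8)
ID_BODY = struct.pack("!BBH", ID_IPV4_ADDR, 17, 500) + ipaddress.IPv4Address("10.1.2.3").packed
AGGRESSIVE_REPLY = build_sample(4, [(1, SA_BODY), (ID_PAYLOAD, ID_BODY)])
MAIN_REPLY = build_sample(2, [(1, SA_BODY)])

if __name__ == "__main__":
    for name, pkt in (("aggressive", AGGRESSIVE_REPLY), ("main", MAIN_REPLY)):
        print(name, parse_isakmp(pkt))
```

A Main Mode reply carries no ID payload in the clear, which is why the second sample reports an empty identity list.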
