Hi, Dnyaneshwar,

If I look at page 29-6 in the ASA 8.0 Command Line configuration guide (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/asa80cfg.pdf), it only describes how to enable ISAKMP on an interface, disable aggressive mode and set the ID method for ISAKMP peers.

As kings stated, the ISAKMP negotiation depends on the VPN technology used and whether the ASA initiates the ISAKMP session or receives it. But there is an option in the ASA to disable aggressive mode (although it's faster, it's 'less' secure), and only use main mode.

I know that some vendors prefer aggressive mode, also for site-to-site VPNs, for which my opinion is not to do that, unless you use certificates. Otherwise it's impossible to do a peer identification check.

So if you disable aggressive mode, it might be impossible to set up certain IPSEC site-to-site with other vendors and it will certainly be impossible to use Cisco VPN client and EZVPN with pre-shared-keys for the groups.

But could it be that you're reading a different configuration guide, in which page 29-6 is inside a chapter that describes the configuration of EZVPN?

Kind regards,
Pieter-Jan

On 10 sep 2009, at 09:20, Dnyaneshwar Gore wrote:
---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
