Hi DM,
Ok, that explains it. The ISAKMP protocol knows two versions, main mode and aggressive mode. Main mode is mandatory for ISAKMP, with 6 messages, while aggressive mode is optional, with fewer messages (2 or 3 if I remember correctly).
What that line tells you is that the ASA by default allows you to use both options, both main mode and aggressive mode.
You should read this line the same way as, for example, other default options on an interface, which you can change. So that section tells you how to disable aggressive mode, if you want to. By default, both main mode and aggressive mode are enabled, and you have a choice (I think you can even specify per peer (tunnel-group) what mode you want to use).
But if you want to disable aggressive mode globally, you just enter: isakmp am-disable
Kind regards,
Pieter-Jan

On 10 Sep 2009, at 10:39, Dnyaneshwar Gore wrote:
Hi Pieter-Jan,
I am referring to the same document that you sent the link to. Under the "Disabling ISAKMP in Aggressive mode" section, it is written that "Aggressive mode is enabled by default." in the first paragraph. I am referring to this line.
Regards,
D.M.Gore

On Thu, Sep 10, 2009 at 1:09 PM, Pieter-Jan Nefkens <[email protected]> wrote:
Hi, Dnyaneshwar,
As Kings stated, the ISAKMP negotiation depends on the VPN technology used and whether the ASA initiates the ISAKMP session or receives it. But there is an option in the ASA to disable aggressive mode (although it's faster, it's 'less' secure) and only use main mode. I know that some vendors prefer aggressive mode, also for site-to-site VPNs, for which my opinion is not to do that unless you use certificates. Otherwise it's impossible to do a peer identification check.
So if you disable aggressive mode, it might be impossible to set up certain IPSEC site-to-site VPNs with other vendors, and it will certainly be impossible to use the Cisco VPN client and EZVPN with pre-shared keys for the groups.
But could it be that you're reading a different configuration guide, in which page 29-6 is inside a chapter that describes the configuration of EZVPN?
Kind regards, Pieter-Jan
On 10 Sep 2009, at 09:20, Dnyaneshwar Gore wrote:
Hi Kings,
I am also thinking the same, but as per the ASA ver 8.0 configuration guide on page 29-6, it's aggressive mode!!!!! Do you have any idea about this?
Regards,
D.M.Gore

On Thu, Sep 10, 2009 at 12:32 PM, Kingsley Charles <[email protected]> wrote:
Hi D.M.Gore
If I remember correctly, for site-to-site VPN it's Main mode and for EzVPN it's aggressive mode.
With regards
Kings

Hi All,
This is a very basic question, but I am a little bit confused about the default mode for phase 1 in IKE negotiation. In some documents I read that Main mode is the default, but in the ASA ver 8.0 configuration guide on page 29-6 it says Aggressive mode is the default. So I'm not sure which one is correct. Also for router VPN, I think Main mode is the default. Kindly express your thoughts on this.
Regards,
D.M.Gore
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730 Fax: +31 183 690113 Cell: +31 654 323221
Think before you print.
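The thread turns on which IKEv1 phase-1 exchange a peer actually uses, and whether a change such as disabling aggressive mode on the ASA took effect. The following script is an added example, not code from the thread, from Cisco or from ipexpert: it decodes the fixed ISAKMP header (the first 28 bytes of a UDP/500 payload, as laid out in RFC 2408 section 3.1) and reports, per source address, whether Main mode (exchange type 2), Aggressive mode (exchange type 4) or IKEv2 was seen. The sample packets are constructed inline (bare headers with no payloads); in practice you would feed it UDP/500 payloads exported from a capture taken on the outside interface.

```python
"""Classify IKEv1 phase-1 exchanges (Main vs Aggressive mode) from raw
ISAKMP headers, e.g. UDP/500 payloads pulled out of a packet capture.

Added example for this thread; not Cisco or ipexpert code. Header layout and
exchange-type values come from RFC 2408 section 3.1 (IKEv1); IKEv2 (major
version 2, exchange types 34-37) is reported separately.
"""
import struct
from collections import defaultdict

# ISAKMP fixed header: initiator SPI (8), responder SPI (8), next payload (1),
# version (1, major/minor nibbles), exchange type (1), flags (1),
# message ID (4), total length (4): 28 bytes, network byte order.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")

# IKEv1 exchange types (RFC 2408 section 3.1).
EXCHANGE_TYPES = {
    0: "None",
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
}
MAIN_MODE = 2
AGGRESSIVE_MODE = 4


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the 28-byte ISAKMP header at the start of a UDP/500 payload."""
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("payload shorter than ISAKMP header")
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = (
        ISAKMP_HEADER.unpack_from(payload))
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "next_payload": next_payload,
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def phase1_mode(payload: bytes):
    """Return 'main', 'aggressive', 'ikev2', or None for other ISAKMP traffic."""
    hdr = parse_isakmp_header(payload)
    if hdr["major_version"] == 2:
        return "ikev2"
    if hdr["major_version"] != 1:
        return None
    if hdr["exchange_type"] == MAIN_MODE:
        return "main"
    if hdr["exchange_type"] == AGGRESSIVE_MODE:
        return "aggressive"
    return None  # Informational, quick mode etc. say nothing about phase 1


def summarize_peers(packets):
    """Map each source IP to the sorted list of phase-1 modes seen from it.

    packets: iterable of (src_ip, udp_payload) pairs.
    """
    seen = defaultdict(set)
    for src, payload in packets:
        mode = phase1_mode(payload)
        if mode is not None:
            seen[src].add(mode)
    return {src: sorted(modes) for src, modes in seen.items()}


def aggressive_mode_peers(packets):
    """Sorted list of peers that sent at least one Aggressive-mode message."""
    return sorted(src for src, modes in summarize_peers(packets).items()
                  if "aggressive" in modes)


def build_header(exchange_type, initiator_spi, version=0x10, length=28):
    """Build a bare ISAKMP header (constructed test data, no payloads)."""
    # Responder SPI is zero in the first message of a phase-1 exchange.
    return ISAKMP_HEADER.pack(initiator_spi, b"\x00" * 8, 1, version,
                              exchange_type, 0, 0, length)


# Constructed sample traffic: three peers, first message of each phase 1,
# plus one Informational message that must be ignored.
SAMPLE_PACKETS = [
    ("192.0.2.10", build_header(MAIN_MODE, b"\x01" * 8)),
    ("192.0.2.20", build_header(AGGRESSIVE_MODE, b"\x02" * 8)),
    ("192.0.2.30", build_header(34, b"\x03" * 8, version=0x20)),  # IKEv2 IKE_SA_INIT
    ("192.0.2.10", build_header(5, b"\x01" * 8)),  # Informational
]

if __name__ == "__main__":
    for src, modes in summarize_peers(SAMPLE_PACKETS).items():
        print(f"{src}: {', '.join(modes)}")
    print("aggressive-mode peers:", aggressive_mode_peers(SAMPLE_PACKETS))
```

A peer listed by aggressive_mode_peers after am-disable has been configured is worth a closer look: either the change did not apply to that tunnel-group, or the remote side is still initiating in aggressive mode and the ASA is simply rejecting it.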