1-13
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring IPsec and ISAKMP
Configuring ISAKMP
Disabling IKEv1 Aggressive Mode
Phase 1 IKEv1 negotiations can use either main mode or aggressive mode. Both provide the same
services, but aggressive mode requires only two exchanges between the peers totaling three messages,
rather than three exchanges totaling six messages. Aggressive mode is faster, but does not provide
identity protection for the communicating parties. Therefore, the peers must exchange identification
information before establishing a secure SA. Aggressive mode is enabled by default.
• Main mode is slower, using more exchanges, but it protects the identities of the communicating
peers.
• Aggressive mode is faster, but does not protect the identities of the peers.
To disable aggressive mode, enter the following command in either single or multiple context mode:
crypto ikev1 am-disable
For example:
hostname(config)# crypto ikev1 am-disable
If you have disabled aggressive mode, and want to revert to back to it, use the no form of the command.
For example:
hostname(config)# no crypto ikev1 am-disable
Note Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to
establish tunnels to the ASA. However, they may use certificate-based authentication (that is, ASA or
RSA) to establish tunnels.
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
During ISAKMP Phase I negotiations, either IKEv1 or IKEv2, the peers must identify themselves to
each other. You can choose the identification method from the following options.
The ASA uses the Phase I ID to send to the peer. This is true for all VPN scenarios except LAN-to-LAN
IKEv1 connections in main mode that authenticate with preshared keys.
The default setting is auto.
To change the peer identification method, enter the following command in either single or multiple
context mode:
crypto isakmp identity {address | hostname | key-id id-string | auto}
Address Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Automatic Determines ISAKMP negotiation by connection type:
• IP address for preshared key.
• Cert Distinguished Name for certificate authentication.
Hostname Uses the fully qualified domain name of the hosts exchanging ISAKMP identity
information (default). This name comprises the hostname and the domain name.
Key ID
key_id_string
Specifies the string used by the remote peer to look up the preshared key.
To Next Page
Loading...
Need help?
General
