I'm new to the Cisco ASA firewalls and need a little help with disabling aggressive mode. We currently have a site-to-site VPN setup with two ASA 5505s, one on each side, and also use AnyConnect for remote users to connect back to the office. When I do a "sh run" on one of the ASAs, here's what I found in part of the config:
crypto isakmp policy 1
crypto isakmp policy 5
crypto isakmp policy 30
I've read that crypto isakmp am-disable will disable aggressive mode and force main mode to be used; however, I'm not sure if doing this on both ASAs will "break" the site-to-site VPN connection. If so, what other configuration steps need to be taken to use main mode only?
On the 5505 with 8.4 code, the command is:
crypto ikev1 am-disable (I would do it on both sides)
This shouldn't affect any current IKE phase 1 tunnels. The next time an IKE phase 1 tunnel is built, it should use main mode.
This command can show you the current method in use:
show crypto isakmp sa detail
I would recommend setting up a management window if you plan to test a configuration change on a production network.
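As an added example (not from this thread or from Cisco): a small Python check that parses the output of the show command above and flags any peer still negotiated in aggressive mode, and that confirms whether the am-disable line is present in a running config. The SA output and config below are constructed approximations of the ASA format; the assumption relied on is that ASA IKEv1 SA states are prefixed MM_ for main mode and AM_ for aggressive mode.

```python
import re

# Constructed excerpt of "show crypto isakmp sa detail" output (not a real capture;
# the layout approximates the ASA format). MM_ = main mode, AM_ = aggressive mode.
SAMPLE_SA_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# Constructed running-config excerpt (no "crypto ikev1 am-disable" line present).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
crypto ikev1 enable outside
"""

PEER_RE = re.compile(r"^\d+\s+IKE Peer:\s*(\S+)", re.M)
STATE_RE = re.compile(r"State\s*:\s*(\S+)")

def parse_ike_sas(text):
    """Return (peer, state) tuples from 'show crypto isakmp sa detail' output."""
    sas = []
    blocks = PEER_RE.split(text)[1:]  # [peer, body, peer, body, ...]
    for peer, body in zip(blocks[::2], blocks[1::2]):
        m = STATE_RE.search(body)
        sas.append((peer, m.group(1) if m else "UNKNOWN"))
    return sas

def aggressive_mode_peers(text):
    """Peers whose IKEv1 SA was built in aggressive mode (state prefixed AM_)."""
    return [peer for peer, state in parse_ike_sas(text) if state.startswith("AM_")]

def am_disabled(config):
    """True if the running config has the am-disable knob (ikev1 or legacy isakmp form)."""
    return re.search(r"^crypto (ikev1|isakmp) am-disable\s*$", config, re.M) is not None
```

Run it against saved output before and after the change to confirm that rebuilt tunnels report MM_ states.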
Thank you, Keith! I was able to disable AM without any issues.
Keith, according to the documentation, disabling aggressive mode also means pre-shared keys can't be used. Isn't there something else that needs to be done to allow tunnels to be built using main mode?
My recollection was that pre-shared keys could not be used with EZ-VPN. However, it should work fine with a traditional LAN-to-LAN VPN. AnyConnect is separate in its entirety. HTH.