Enabling IKE on the Outside Interface, Disabling IKEv1 Aggressive Mode – Cisco ASA 5505 User Manual


64-13

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 64 Configuring IPsec and ISAKMP

Configuring ISAKMP

For example:

hostname(config-ikev1-policy)# lifetime 14400

Enabling IKE on the Outside Interface

You must enable IKE on the interface that terminates the VPN tunnel. Typically this is the outside, or
public interface. To enable IKEv1 or IKEv2, use the crypto ikev1 | ikev2 enable command from global
configuration mode:

crypto ikev1 | ikev2 enable interface-name

For example:

hostname(config)# crypto ikev1 enable outside

Disabling IKEv1 Aggressive Mode

Phase 1 IKEv1 negotiations can use either main mode or aggressive mode. Both provide the same
services, but aggressive mode requires only two exchanges between the peers totaling three messages,
rather than three exchanges totaling six messages. Aggressive mode is faster, but does not provide
identity protection for the communicating parties. Therefore, the peers must exchange identification
information before establishing a secure SA. Aggressive mode is enabled by default.

Main mode is slower, using more exchanges, but it protects the identities of the communicating
peers.

Aggressive mode is faster, but does not protect the identities of the peers.

To disable aggressive mode, enter the following command:

crypto ikev1 am-disable

For example:

hostname(config)# crypto ikev1 am-disable

If you have disabled aggressive mode and want to revert back to it, use the no form of the command.
For example:

hostname(config)# no crypto ikev1 am-disable

Note

Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to
establish tunnels to the ASA. However, they may use certificate-based authentication (that is, ASA or
RSA) to establish tunnels.
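As an added audit example (my own code, not from the Cisco guide), the following Python scans an ASA running-config excerpt for the commands covered in the two sections above: which interfaces have IKEv1 or IKEv2 enabled, and whether crypto ikev1 am-disable is present. The config text is constructed sample data and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed ASA running-config excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
hostname asa-edge
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 14400
crypto ikev1 enable outside
crypto ikev2 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
"""

@dataclass
class IkeAudit:
    ikev1_interfaces: list = field(default_factory=list)
    ikev2_interfaces: list = field(default_factory=list)
    aggressive_mode_disabled: bool = False  # True once 'crypto ikev1 am-disable' is seen

ENABLE_RE = re.compile(r"crypto (ikev1|ikev2) enable (\S+)")

def audit_ike(config_text: str) -> IkeAudit:
    """Collect IKE enable and am-disable state from a config; last statement wins."""
    audit = IkeAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ENABLE_RE.fullmatch(line)
        if m:
            target = audit.ikev1_interfaces if m.group(1) == "ikev1" else audit.ikev2_interfaces
            target.append(m.group(2))
        elif line == "crypto ikev1 am-disable":
            audit.aggressive_mode_disabled = True
        elif line == "no crypto ikev1 am-disable":  # explicit revert to the default
            audit.aggressive_mode_disabled = False
    return audit

def findings(audit: IkeAudit) -> list:
    """One finding per IKEv1 interface still accepting aggressive mode (the default)."""
    if audit.aggressive_mode_disabled:
        return []
    return [
        f"IKEv1 enabled on '{iface}' with aggressive mode at its default (enabled): "
        "Phase 1 sends peer identities without protection; 'crypto ikev1 am-disable' "
        "removes this, but pre-shared-key Cisco VPN clients will then need certificates"
        for iface in audit.ikev1_interfaces
    ]

if __name__ == "__main__":
    for line in findings(audit_ike(SAMPLE_CONFIG)) or ["OK: no IKEv1 aggressive-mode exposure"]:
        print(line)
```

Run it against the output of show running-config to get the same check on a real device.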

Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers

During ISAKMP Phase I negotiations, either IKEv1 or IKEv2, the peers must identify themselves to
each other. You can choose the identification method from the following options:
