
Documentation states that you can (I'm assuming) globally disable aggressive mode with:

isakmp am-disable

Not exactly clear on the behavior when two peers are negotiating phase 1 in Cisco land, but in other firewalls, you can usually specify whether to use Main or Aggressive on each tunnel configuration; not exactly sure how to do this with an ASA 5505.

gravyface

1 Answer


The phase 1 mode can be customized in the crypto map for the individual peer.

crypto map tunnel-name 1 set peer 31.54.21.54
crypto map tunnel-name 1 match address tunnel-acl
....
crypto map tunnel-name 1 set phase1-mode [aggressive|main]
Shane Madden
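To check which tunnels on an existing ASA are set to aggressive mode, the saved configuration can be audited offline. The script below is an added example, not part of the original question or answer; the function name `audit_phase1` and the sample configuration are constructed, and it assumes an entry with no `set phase1-mode` line negotiates main mode.

```python
import re

# Constructed sample config, reusing the names from the answer above.
SAMPLE_CONFIG = """\
crypto map tunnel-name 1 match address tunnel-acl
crypto map tunnel-name 1 set peer 31.54.21.54
crypto map tunnel-name 1 set phase1-mode aggressive
crypto map tunnel-name 2 match address other-acl
crypto map tunnel-name 2 set peer 192.0.2.10
crypto map tunnel-name 3 set peer 192.0.2.20
crypto map tunnel-name 3 set phase1-mode main
"""

# Per-entry settings that matter for the phase 1 mode audit.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) set (peer|phase1-mode) (\S+)")
# Global switch from the question; newer releases prefix it with
# "crypto isakmp" or "crypto ikev1". A leading "no" does not match.
AM_DISABLE = re.compile(r"^(crypto )?(isakmp|ikev1) am-disable\b")


def audit_phase1(config):
    """Return the global am-disable state and the phase 1 mode per crypto map entry."""
    entries = {}
    am_disabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if AM_DISABLE.match(line):
            am_disabled = True
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        name, seq, key, value = m.groups()
        # Assumption: main mode applies when phase1-mode is not set.
        entry = entries.setdefault((name, int(seq)), {"peer": None, "mode": "main"})
        entry["peer" if key == "peer" else "mode"] = value
    aggressive = sorted(k for k, e in entries.items() if e["mode"] == "aggressive")
    return {"am_disabled": am_disabled, "entries": entries, "aggressive": aggressive}


if __name__ == "__main__":
    report = audit_phase1(SAMPLE_CONFIG)
    print("aggressive mode globally disabled:", report["am_disabled"])
    for (name, seq), entry in sorted(report["entries"].items()):
        print(f"{name} {seq}: peer={entry['peer']} phase1-mode={entry['mode']}")
```

An entry reported as aggressive while `am_disabled` is true deserves a manual look, since the page leaves open how the two settings interact.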