Configuring ISAKMP
Enabling ISAKMP on the Outside Interface
You must enable ISAKMP on the interface that terminates the VPN tunnel. Typically this is the outside,
or public interface.
To enable ISAKMP, enter the following command:
crypto isakmp enable interface-name
For example:
hostname(config)# crypto isakmp enable outside
Disabling ISAKMP in Aggressive Mode
Phase 1 ISAKMP negotiations can use either main mode or aggressive mode. Both provide the same
services, but aggressive mode requires only two exchanges between the peers totaling 3 messages, rather
than three exchanges totaling 6 messages. Aggressive mode is faster, but does not provide identity
protection for the communicating parties. Therefore, the peers must exchange identification information
prior to establishing a secure SA. Aggressive mode is enabled by default.
• Main mode is slower, using more exchanges, but it protects the identities of the communicating peers.
• Aggressive mode is faster, but does not protect the identities of the peers.
To disable ISAKMP in aggressive mode, enter the following command:
crypto isakmp am-disable
For example:
hostname(config)# crypto isakmp am-disable
If you have disabled aggressive mode and want to revert to it, use the no form of the command.
For example:
hostname(config)# no crypto isakmp am-disable
Note Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to
establish tunnels to the security appliance. However, they may use certificate-based authentication
(that is, ASA or RSA) to establish tunnels.
Determining an ID Method for ISAKMP Peers
During Phase I ISAKMP negotiations the peers must identify themselves to each other. You can choose
the identification method from the following options:
Cisco Security Appliance Command Line Configuration Guide
Chapter 27 Configuring IPSec and ISAKMP
OL-10088-01
27-6
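The following is an added example, not part of the Cisco guide: a small Python audit that reads ASA running-config text and reports which interfaces have ISAKMP enabled, whether aggressive mode is still on (the default, since only crypto isakmp am-disable turns it off and a later no crypto isakmp am-disable turns it back on), and which ISAKMP policies rely on preshared keys, which is the combination this section says leaves peer identities unprotected. The sample configurations are constructed, the nameif and crypto isakmp policy / authentication pre-share lines are standard ASA commands that do not appear on this page, and the audit rules are mine rather than Cisco's.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample running-config excerpts (not captured from a real appliance).
# ISAKMP is enabled on the outside interface and aggressive mode is left at its
# default (enabled), while policy 10 authenticates with a preshared key.
SAMPLE_CONFIG_WEAK = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
"""

# Same configuration with aggressive mode explicitly disabled.
SAMPLE_CONFIG_HARDENED = SAMPLE_CONFIG_WEAK + "crypto isakmp am-disable\n"


@dataclass
class IsakmpAudit:
    enabled_interfaces: List[str]
    aggressive_mode_enabled: bool
    preshared_policies: List[int]
    findings: List[str] = field(default_factory=list)


def audit_isakmp(config_text: str) -> IsakmpAudit:
    """Apply the rules from this section to running-config text and return the result."""
    lines = config_text.splitlines()

    # Interface names as assigned by 'nameif', so we can validate 'crypto isakmp enable <name>'.
    nameifs = set(re.findall(r"^\s*nameif\s+(\S+)", config_text, re.M))
    enabled = re.findall(r"^crypto isakmp enable\s+(\S+)", config_text, re.M)

    # Aggressive mode is on by default; the last am-disable / no am-disable line wins.
    am_enabled = True
    for line in lines:
        stripped = line.strip()
        if stripped == "crypto isakmp am-disable":
            am_enabled = False
        elif stripped == "no crypto isakmp am-disable":
            am_enabled = True

    # Collect policies whose indented block contains 'authentication pre-share'.
    preshared: List[int] = []
    current = None
    for line in lines:
        match = re.match(r"^crypto isakmp policy\s+(\d+)", line)
        if match:
            current = int(match.group(1))
            continue
        if current is not None and line.strip() == "authentication pre-share":
            preshared.append(current)
        elif line and not line.startswith(" "):
            current = None  # left the policy block

    audit = IsakmpAudit(enabled, am_enabled, preshared)

    if not enabled:
        audit.findings.append("ISAKMP is not enabled on any interface; no tunnel can terminate here")
    for ifname in enabled:
        if ifname not in nameifs:
            audit.findings.append(f"crypto isakmp enable {ifname}: no interface carries nameif {ifname}")
    if am_enabled and preshared:
        policies = ", ".join(str(p) for p in preshared)
        audit.findings.append(
            f"aggressive mode is enabled (default) and policy {policies} uses preshared keys: "
            "peer identities are exchanged before the SA protects them; "
            "'crypto isakmp am-disable' removes this unless clients depend on PSK aggressive mode"
        )
    return audit


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("hardened", SAMPLE_CONFIG_HARDENED)):
        result = audit_isakmp(cfg)
        print(f"[{label}] isakmp on {result.enabled_interfaces}, "
              f"aggressive mode {'on' if result.aggressive_mode_enabled else 'off'}")
        for finding in result.findings:
            print("   -", finding)
```

Feed it the output of show running-config (saved to a file) to get the same three checks on a real device; the preshared-key check is the one that connects the Note above to the configuration, since a client that can only do preshared keys stops working once am-disable is applied.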