Student question:
How do I configure an ASA5520 so that it accepts aggressive mode connections?
I have read the Cisco documentation:
crypto map set phase1 mode
To specify the IKE mode for phase 1 when initiating a connection to either main or aggressive, use the crypto map set phase1mode command in global configuration mode. To remove the setting for phase 1 IKE negotiations, use the no form of this command. Including a Diffie-Hellman group with aggressive mode is optional. If one is not included, the security appliance uses group 2.
crypto map map-name seq-num set phase1mode {main | aggressive [group1 | group2 | group5 | group7]}
no crypto map map-name seq-num set phase1mode {main | aggressive [group1 | group2 | group5 | group7]}
Syntax Description
aggressive
Specifies aggressive mode for phase one IKE negotiations
Defaults
Default phase one mode is main.
I did this, but it had no effect.
I ran into a problem during configuration:
vpndx(config)# crypto map outside_map 65535 set phase1-mode aggressive
WARNING: This map entry is linked to dynamic-map: outside_dyn_map.
This attribute will be inactive!
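Answer from 捷盈 instructors and students:
I recommend configuring the VPN with ASDM. It would also be best to upgrade your IOS to 8.21, or to 8.0 or later. Also, upgrade your K8 version to K9.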
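
The WARNING in the question shows that `set phase1-mode` is inactive on a crypto map entry that is linked to a dynamic map. As an added example (not part of the original question or answer), the following Python script scans an ASA configuration for such inactive settings. The sample configuration is constructed, and the script assumes the entry is linked with the `ipsec-isakmp dynamic` form of the `crypto map` command.

```python
import re

# Constructed sample configuration (not taken from the device in the question).
SAMPLE_CONFIG = """\
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address vpn_acl
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set phase1-mode aggressive group2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 set phase1-mode aggressive
crypto map outside_map interface outside
"""

# Matches per-entry lines: crypto map <name> <seq-num> <rest of command>
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def inactive_phase1_mode(config):
    """Return (map, seq, dynamic_map, mode) for each crypto map entry that
    sets phase1-mode while being linked to a dynamic map."""
    dynamic = {}  # (map name, seq) -> linked dynamic-map name
    phase1 = {}   # (map name, seq) -> configured phase1-mode arguments
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # e.g. "crypto map <name> interface <if>" has no seq-num
        key = (m.group(1), int(m.group(2)))
        rest = m.group(3).split()
        if rest[:2] == ["ipsec-isakmp", "dynamic"] and len(rest) >= 3:
            dynamic[key] = rest[2]
        elif rest[:2] == ["set", "phase1-mode"] and len(rest) >= 3:
            phase1[key] = " ".join(rest[2:])
    # Line order in the config does not matter: join after reading everything.
    return [(name, seq, dynamic[(name, seq)], mode)
            for (name, seq), mode in sorted(phase1.items())
            if (name, seq) in dynamic]


if __name__ == "__main__":
    for name, seq, dyn, mode in inactive_phase1_mode(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: phase1-mode {mode} is inactive "
              f"(entry linked to dynamic-map {dyn})")
```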

