WAN GroupVPN - Disable Aggressive mode in favor of Main mode

JCHD

As others before me have noted, VAPT security scans ding us for having IKE Aggressive Mode enabled. While the site to site tunnels have a configurable setting allowing the ability to select aggressive mode or main mode, the WAN GroupVPN has no such setting. The only way to then disable IKE aggressive mode is to entirely disable WAN GroupVPN (not an attractive solution).

Can you please add a configurable setting in the WAN GroupVPN so that this can be configured using main mode rather than aggressive mode? This issue has existed for many years and has frustrated many. If this cannot be implemented, is there a logical and/or logistical reason why it cannot?

Thank you!

Jeff

(applicable to NSA and TZ devices, all)

MarkD

If you are concerned about MM vs AM for Client VPN (GVPN will probably not continue for much longer) I would suggest moving to SSL-VPN