ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
fellix001
New Member
Posts:
19
Joined:
Wed May 20, 2009 3:20 am

Aggressive

Tue Mar 06, 2012 9:06 am

Typically when looking at configurations for site to site VPNs which have one peer using a dynamic IP address, aggressive mode is used.
Can anyone confirm why this is needed if the IKE identities are configured on both sides?
www.Fir3net.com - Keeping You In The Know

writeerase
Ultimate Member
Posts:
509
Joined:
Sat Apr 09, 2011 3:55 pm
Certs:
CCIE CCNP-S CCDA MCSE RHCT Sec+ A+

Re: Aggressive

Tue Mar 06, 2012 9:33 am

aggressive mode means fewer packets are exchanged and is just quicker than main mode to establish an IKE SA

Mendlar
Member
Posts:
117
Joined:
Sun Jun 26, 2011 6:22 pm
Certs:
CCNP, CCDA, CCNA Security, CCNA, JNCIS-ENT

Re: Aggressive

Tue Mar 06, 2012 10:12 am

Yes, there are fewer packets exchanged while using aggressive mode, but that's not what it's for.

When you use main mode, the ID exchange is encrypted, while it is not with aggressive mode. That makes it so you absolutely need to know the pre-shared key of your peer before you actually exchange the ID, and the only way you can do that is by matching the peer with its IP address.

Aggressive mode "solves" that problem by doing the ID exchange in cleartext, which you can then identify your peer with and fetch the proper pre-shared key or certificate.

fellix001
New Member
Posts:
19
Joined:
Wed May 20, 2009 3:20 am

Re: Aggressive

Tue Mar 06, 2012 11:58 am

Hmm, I'm not sure if that is 100% correct.
The IKE ID is much like a username for both main and aggressive mode; either side needs to have a matching pre-shared key so that asymmetric keys (via the use of Diffie-Hellman) can be generated.
What I'm failing to understand is that if the IKE ID is set on both sides, why aggressive mode would be required, as due to both sides knowing the IKE ID it should matter if it is sent encrypted (i.e. main mode).

Thanks all.....
www.Fir3net.com - Keeping You In The Know

Mendlar
Member
Posts:
117
Joined:
Sun Jun 26, 2011 6:22 pm
Certs:
CCNP, CCDA, CCNA Security, CCNA, JNCIS-ENT

Re: Aggressive

Tue Mar 06, 2012 12:10 pm

You know your own ID, you don't know the other side's ID.

Main mode encrypts the first phase completely, including the ID exchange where I tell you my ID and you tell me yours. How can I choose the proper tunnel-group with your ID to get the PSK if I don't know who you are yet? I have to use your IP to match, it's the only way I can get the right key for our ID exchange.

fellix001
New Member
Posts:
19
Joined:
Wed May 20, 2009 3:20 am

Re: Aggressive

Tue Mar 06, 2012 12:23 pm

Yep, I agree that IKE IDs are not owned by the other side. But the IKE ID doesn't have to be an IP address. It can be configured using a number of settings.
You are also correct in terms of remote access, where the VPN gateway won't know about the ID and then will not know what tunnel group, but how about site to site VPN?
www.Fir3net.com - Keeping You In The Know

Mendlar
Member
Posts:
117
Joined:
Sun Jun 26, 2011 6:22 pm
Certs:
CCNP, CCDA, CCNA Security, CCNA, JNCIS-ENT

Re: Aggressive

Tue Mar 06, 2012 1:28 pm

Doesn't really matter if it's remote access or site-to-site. As soon as we're talking about a peer that has a dynamic IP, aggressive mode will be used since main mode can't work without knowing the peer's ID beforehand.
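A small model of the key-selection ordering Mendlar describes, as an added example that is not from this thread or from any Cisco code. Names, addresses and keys are constructed; the SKEYID formula follows RFC 2409 for pre-shared key authentication, and the message layouts are reduced to the payloads that matter for the argument.

```python
import hmac
import hashlib
import os

# Constructed responder configuration (hypothetical names, keys and addresses,
# not taken from the thread). A peer with a fixed address can be matched by IP;
# a dynamic-IP branch can only be matched once its IKE ID has been seen.
PSK_BY_IP = {"203.0.113.10": b"hq-static-peer-key"}
PSK_BY_ID = {"hq.example.net": b"hq-static-peer-key",
             "branch1.example.net": b"branch1-dynamic-key"}


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4, pre-shared key authentication: SKEYID = prf(PSK, Ni_b | Nr_b).
    Every later key (SKEYID_e included) is derived from this value, so the PSK has
    to be known before anything in phase 1 can be encrypted."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def first_message(mode: str, initiator_id: str, ni: bytes) -> dict:
    """Payloads the initiator sends in cleartext in message 1 of phase 1."""
    if mode == "main":
        return {"SA": "proposals"}  # IDii only arrives in message 5, already encrypted
    if mode == "aggressive":
        return {"SA": "proposals", "KE": "g^xi", "Ni": ni, "IDii": initiator_id}
    raise ValueError(mode)


def responder_select_psk(mode: str, src_ip: str, msg1: dict):
    """The key the responder can commit to before it must derive SKEYID, or None."""
    if mode == "main":
        return PSK_BY_IP.get(src_ip)        # only the packet's source address is usable
    return PSK_BY_ID.get(msg1.get("IDii"))  # cleartext ID picks the tunnel-group key


def phase1_attempt(mode: str, src_ip: str, initiator_id: str, initiator_psk: bytes) -> bool:
    """Simulate both sides deriving SKEYID; True only if they end up with the same value."""
    ni, nr = os.urandom(16), os.urandom(16)
    responder_psk = responder_select_psk(mode, src_ip, first_message(mode, initiator_id, ni))
    if responder_psk is None:
        return False  # no key to decrypt the peer's ID with; the negotiation fails
    return hmac.compare_digest(skeyid_psk(initiator_psk, ni, nr),
                               skeyid_psk(responder_psk, ni, nr))


if __name__ == "__main__":
    # Static peer works in main mode; the dynamic branch only succeeds in aggressive mode.
    print(phase1_attempt("main", "203.0.113.10", "hq.example.net", b"hq-static-peer-key"))
    print(phase1_attempt("main", "198.51.100.44", "branch1.example.net", b"branch1-dynamic-key"))
    print(phase1_attempt("aggressive", "198.51.100.44", "branch1.example.net", b"branch1-dynamic-key"))
```

The same dynamic-IP peer with the same correct key fails in main mode and succeeds in aggressive mode purely because of when the ID becomes visible, which is the point of the thread.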

