Main Mode Vs Aggressive Mode

Document

Jun 25, 2015 8:03 PM
Nov 27th, 2009

Main Mode


An IKE session begins with the initiator sending one or more proposals to the responder. A proposal states which encryption and hash algorithms are acceptable, the authentication method (pre-shared key, RSA signatures, and so on), the Diffie-Hellman group, and how long the resulting keys should remain active; multiple proposals can be sent in one offering. Main Mode completes the IKE (Phase 1) SA in three exchanges, six messages in total. The first exchange establishes the basic security policy: the initiator proposes the algorithms it is willing to use, and the responder chooses one acceptable proposal (we'll assume a proposal is chosen) and returns it to the initiator. The second exchange passes Diffie-Hellman public values and nonces, from which both sides derive the keys for the IKE SA; all further negotiation is encrypted within the IKE SA. The third exchange, already encrypted, carries the peers' identities and authenticates the ISAKMP session, so in Main Mode the identities are protected from an observer on the path. Once the IKE SA is established, IPsec negotiation (Quick Mode) begins. Note that perfect forward secrecy for the IPsec SA is not part of the Phase 1 proposal; it is requested in Quick Mode by including a KE payload.

Aggressive Mode

Aggressive Mode squeezes the IKE SA negotiation into three packets. The initiator's first packet already carries everything required for the SA: the proposal, its Diffie-Hellman public value, a nonce and its ID. The responder answers with the chosen proposal, its key material, nonce and ID, and authenticates the session in that same packet. The initiator's third packet authenticates the session. Negotiation is quicker, but the initiator and responder IDs pass in the clear, and because the Diffie-Hellman public value is sent before the proposal has been accepted, the group cannot be negotiated. With pre-shared-key authentication the responder's authentication hash in the second packet is also sent unencrypted and is computed from values an eavesdropper can see, so a captured exchange can be used for an offline dictionary attack on the pre-shared key. That is the practical reason to keep the default Main Mode, or to use certificate authentication, wherever Aggressive Mode is not strictly required.

Quick Mode


IPsec negotiation, or Quick Mode, resembles an Aggressive Mode IKE negotiation in that it takes three messages, except that every Quick Mode message must be protected within the IKE SA (the Encryption flag in the ISAKMP header is set and the Message ID is non-zero). Quick Mode negotiates the SA for the data encryption (the IPsec proposal and transform set, the lifetimes and the traffic selectors, or proxy IDs) and manages the key exchange for that IPsec SA. The IPsec keys are derived from the Phase 1 keying material and fresh nonces; if perfect forward secrecy is wanted, the initiator includes an optional KE payload in the first Quick Mode message so that a new Diffie-Hellman exchange feeds into the IPsec keys. Several IPsec SAs can be negotiated under one IKE SA, and Quick Mode can be re-run to rekey an IPsec SA without repeating Phase 1.
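As an added example (not part of the original document or from Cisco), the following Python script looks at the three exchanges from the wire side. It parses the ISAKMP header and the unencrypted payload chain of three hand-constructed datagrams and reports the exchange type, the phase, and any identity sent in the clear; it is the kind of check you would run over captured UDP/500 traffic to find Aggressive Mode Phase 1 exchanges. The datagrams, SPIs, nonces and payload bodies are constructed placeholders, not real captures.

```python
"""Classify IKEv1 / ISAKMP messages (RFC 2408, RFC 2409) by exchange type and
report whether the peer identity travels in the clear.

Added example for this page, not code from the original document or from
Cisco.  The three datagrams at the bottom are constructed by hand to resemble
the first message of a Main Mode, an Aggressive Mode and a Quick Mode
exchange; SPIs, nonces, key data and proposal bodies are placeholder bytes."""
import struct

# Exchange Type values (RFC 2408 3.1; 32 and 33 are IPsec DOI values, RFC 2409)
EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
}
# Payload Type values (RFC 2408 3.1)
PAYLOAD_TYPES = {
    1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
SA, KE, ID, HASH, NONCE, VID = 1, 4, 5, 8, 10, 13
ID_FQDN = 2                       # ID type in the IPsec DOI (RFC 2407 4.6.2.1)
FLAG_ENCRYPTION = 0x01            # header flag: payloads encrypted under the IKE SA

# Fixed header: iSPI, rSPI, next payload, version, exchange type, flags, message ID, length
HEADER = struct.Struct("!8s8sBBBBII")
GENERIC = struct.Struct("!BBH")   # generic payload header: next payload, reserved, length


def parse_isakmp(data: bytes) -> dict:
    """Parse the fixed header and, unless the message is encrypted, walk the
    payload chain.  Returns a summary a detection rule could act on."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    _ispi, rspi, nxt, ver, xchg, flags, msgid, length = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} != datagram length {len(data)}")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, identities = [], []
    off = HEADER.size
    while nxt and not encrypted:          # chain ends when Next Payload is 0
        if off + GENERIC.size > len(data):
            raise ValueError("truncated payload header")
        nxt_next, _reserved, plen = GENERIC.unpack_from(data, off)
        if plen < GENERIC.size or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
        if nxt == ID:                     # ID payload: type, protocol, port, then identity data
            id_type = data[off + GENERIC.size]
            id_data = data[off + GENERIC.size + 4:off + plen]
            identities.append(id_data.decode("ascii", "replace") if id_type == ID_FQDN else id_data.hex())
        nxt, off = nxt_next, off + plen
    return {
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "phase": 1 if msgid == 0 else 2,     # Phase 1 always uses Message ID 0
        "first_message": rspi == bytes(8),   # responder SPI stays zero until the responder answers
        "encrypted": encrypted,
        "payloads": payloads,
        "identity_in_clear": identities,
    }


def build(xchg, payloads, flags=0, msgid=0, rspi=bytes(8)):
    """Assemble a datagram from (payload_type, body) tuples; helper for the samples."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC.pack(nxt, 0, GENERIC.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = HEADER.pack(b"\x11" * 8, rspi, first, 0x10, xchg, flags, msgid, HEADER.size + len(body))
    return hdr + body


# Constructed samples (placeholder bodies, not valid proposals)
SA_BODY = struct.pack("!II", 1, 1) + b"\x00" * 8                          # DOI=IPsec, SIT_IDENTITY_ONLY
ID_BODY = struct.pack("!BBH", ID_FQDN, 17, 500) + b"branch1.example.com"  # ID_FQDN, UDP/500
MAIN_MODE_MSG1 = build(2, [(SA, SA_BODY), (VID, b"\xaa" * 16)])
AGGRESSIVE_MSG1 = build(4, [(SA, SA_BODY), (KE, b"\x01" * 32), (NONCE, b"\x02" * 16), (ID, ID_BODY)])
QUICK_MODE_MSG1 = build(32, [(HASH, b"\x03" * 20)], flags=FLAG_ENCRYPTION, msgid=0x1234, rspi=b"\x22" * 8)

if __name__ == "__main__":
    for name, pkt in (("main", MAIN_MODE_MSG1), ("aggressive", AGGRESSIVE_MSG1), ("quick", QUICK_MODE_MSG1)):
        print(name, parse_isakmp(pkt))
```

Run stand-alone it prints one summary per message: the Main Mode first message carries only an SA (and vendor ID) payload and no identity; the Aggressive Mode first message already carries KE, NONCE and an ID payload that anyone on the path can read; the Quick Mode message has the Encryption flag set and a non-zero Message ID, so nothing after the header can be inspected without the IKE SA keys.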

Graphical Representation

[figure ws22.gif: diagram of the Main Mode, Aggressive Mode and Quick Mode exchanges described above; image not reproduced here]

Patrick0711 Fri, 11/27/2009 - 18:22

Please note that the use of PFS is suggested in the first quick mode message via the optional KE payload, not within IKE Phase 1.

Maykol Rojas Mon, 05/07/2012 - 23:11

You can create an ISAKMP profile and set the mode to aggressive. Then apply it to the crypto map.

Devang Badrakiya Mon, 07/28/2014 - 02:13

Please briefly explain why we have to make separate tunnels for the SA & IPSec for VPN connectivity?

Why do we build two tunnels (SA and IPSec) for VPN data transfer? Is it possible through only one tunnel?

PatryckDumit Thu, 06/25/2015 - 20:03

Devang,

First tunnel (ISAKMP - phase 1): both sides initiate and agree on the terms they'll use (as described in the figure). At this point, if any config that must be the same on both sides is different, then your VPN won't be established.

Second tunnel (IPSec - phase 2) is created for encryption. You can use it or not, but it's highly recommended to use it.

Transit data will flow through the 2nd tunnel, encrypted.

You can verify your SAs with these commands:

 show crypto isakmp sa

 show crypto ipsec sa peer «peer's IP»

 

HTH,

Patryck Dumit
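Putting the two replies above together, here is an added example (not from the original document and not Cisco's own text) of the IOS configuration Maykol describes: an ISAKMP profile that makes the router initiate Phase 1 in Aggressive Mode, applied to a crypto map, followed by the checks Patryck lists. The peer address, network ranges, object names and the key are placeholders, and the policy values shown (AES-256, SHA-256, DH group 14) are an assumption about what a current IOS image supports, not something the page states.

```cisco
! ---- Phase 1 (ISAKMP) policy: algorithms, authentication method, DH group, lifetime
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! ---- Pre-shared key for the peer (placeholder address and key)
crypto keyring BRANCH-KEYS
 pre-shared-key address 203.0.113.2 key <strong-random-psk>
!
! ---- ISAKMP profile: "initiate mode aggressive" makes this router start Phase 1
! ---- in Aggressive Mode when it is the initiator; leave the line out for Main Mode
crypto isakmp profile BRANCH
 keyring BRANCH-KEYS
 match identity address 203.0.113.2 255.255.255.255
 initiate mode aggressive
!
! ---- Phase 2 (IPsec): transform set and crypto map; PFS is a Quick Mode option
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CM-BRANCH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 set pfs group14
 set isakmp-profile BRANCH
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map CM-BRANCH
!
! ---- Verification (the commands from the reply above)
! show crypto isakmp sa                  -> state column: MM_* or AG_* while negotiating,
!                                           QM_IDLE once Phase 1 is up
! show crypto ipsec sa peer 203.0.113.2  -> #pkts encaps / #pkts decaps counters increase
!                                           as interesting traffic flows through the tunnel
```

The `initiate mode aggressive` line only governs the mode this router uses as initiator; a responder normally accepts whichever mode the initiator starts with, so if you want to refuse Aggressive Mode you have to enforce that on the responding side. Given the identity and PSK-hash exposure of Aggressive Mode described above, keep the default Main Mode unless the peer has a dynamic address and must identify itself by name with a pre-shared key, and in that case prefer certificate (rsa-sig) authentication.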

This Document

Posted November 27, 2009 at 7:13 AM
Updated November 27, 2009 at 7:23 AM