Community Member

Aggressive Mode and Encryption

Hi Everyone.

I read below

Aggressive mode does not give identity protection of the two IKE peers, unless digital certificates are used. This means VPN peers exchange their identities without encryption (clear text). It is not as secure as main mode.

Currently we have set up RA VPN without digital certs, so does it mean that the pre-shared keys which are exchanged between client and ASA are clear text without any encryption?

Regards

Mahesh

1 REPLY
Cisco Employee

Aggressive Mode and Encryption

Mahesh,

The RFC answers those questions

start with

http://tools.ietf.org/html/rfc2409

Just to make a simple quote (a bit out of context, but here goes)

   While the last roundtrip of Main Mode (and optionally the last
   message of Aggressive Mode) is encrypted it is not, strictly
   speaking, authenticated. 

To encrypt you need to agree on a key. Have a look at the aggressive mode exchange :-)

M.
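A runnable model of the aggressive-mode exchange the reply points at, added here as an example; it is not code from this thread, from Cisco or from the RFC. It follows the pre-shared-key variant in RFC 2409: SKEYID = prf(PSK, Ni | Nr), HASH_R carried in message 2, HASH_I in message 3, and SKEYID_d/SKEYID_a/SKEYID_e derived only after the Diffie-Hellman values have been exchanged. The Diffie-Hellman group, the XOR "cipher", the proposal string and the identities are constructed stand-ins for the negotiated ones. Running it shows what an observer on the path sees: the PSK itself is never transmitted, the two identities and HASH_R go across in clear text in messages 1 and 2, and only message 3 can be encrypted, which is the identity-protection gap the question quotes.

```python
"""IKEv1 aggressive mode with pre-shared-key authentication, modelled on
RFC 2409 sections 5 and 5.4. Added example; toy DH group and toy cipher."""
import hashlib
import hmac
import os

# Toy Diffie-Hellman group, constructed for this example (not an Oakley group).
P = 2**127 - 1
G = 2
NONCE_LEN = 16


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC over the negotiated hash; HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p as a 16-byte string."""
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return x, pow(G, x, P).to_bytes(16, "big")


def dh_shared(peer_public: bytes, x: int) -> bytes:
    """g^xy mod p, computed from the peer's public value and our exponent."""
    return pow(int.from_bytes(peer_public, "big"), x, P).to_bytes(16, "big")


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """SKEYID_d, SKEYID_a, SKEYID_e exactly as RFC 2409 section 5 defines them."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated cipher (e.g. 3DES-CBC): XOR with a SHA-256
    keystream. Symmetric, so the same call decrypts. Not for real use."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


def aggressive_mode(psk_initiator: bytes, psk_responder: bytes, id_i: bytes, id_r: bytes) -> dict:
    """Run the three-message exchange; each peer uses its own configured PSK.
    Returns the wire trace (direction, cleartext fields, encrypted payload) and
    whether each side's authentication hash verified. A real peer aborts on a
    failed hash; the model keeps going so both flags can be inspected."""
    wire = []
    sa = b"SA proposal: 3DES-SHA1-PSK"          # constructed proposal body (SAi_b)

    # Message 1  I -> R : HDR, SA, KE, Ni, IDii   (nothing can be encrypted yet)
    cky_i = os.urandom(8)
    x_i, ke_i = dh_keypair()
    n_i = os.urandom(NONCE_LEN)
    wire.append(("I->R", {"CKY-I": cky_i, "SA": sa, "KE": ke_i, "Ni": n_i, "IDii": id_i}, None))

    # Responder: SKEYID = prf(PSK, Ni_b | Nr_b)
    #            HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    cky_r = os.urandom(8)
    x_r, ke_r = dh_keypair()
    n_r = os.urandom(NONCE_LEN)
    skeyid_r = prf(psk_responder, n_i + n_r)
    hash_r = prf(skeyid_r, ke_r + ke_i + cky_r + cky_i + sa + id_r)
    # Message 2  R -> I : HDR, SA, KE, Nr, IDir, HASH_R   (still clear text)
    wire.append(("R->I", {"CKY-R": cky_r, "SA": sa, "KE": ke_r, "Nr": n_r,
                          "IDir": id_r, "HASH_R": hash_r}, None))

    # Initiator: verify HASH_R with its own PSK, derive SKEYID_e, encrypt message 3
    skeyid_i = prf(psk_initiator, n_i + n_r)
    responder_ok = hmac.compare_digest(
        hash_r, prf(skeyid_i, ke_r + ke_i + cky_r + cky_i + sa + id_r))
    _, _, skeyid_e_i = derive_keys(skeyid_i, dh_shared(ke_r, x_i), cky_i, cky_r)
    hash_i = prf(skeyid_i, ke_i + ke_r + cky_i + cky_r + sa + id_i)
    # Message 3  I -> R : HDR, HASH_I   (the RFC's "optionally encrypted" message)
    wire.append(("I->R", {"CKY-I": cky_i, "CKY-R": cky_r}, toy_encrypt(skeyid_e_i, hash_i)))

    # Responder: derive its own SKEYID_e, decrypt, verify HASH_I
    _, _, skeyid_e_r = derive_keys(skeyid_r, dh_shared(ke_i, x_r), cky_i, cky_r)
    received_hash_i = toy_encrypt(skeyid_e_r, wire[-1][2])
    initiator_ok = hmac.compare_digest(
        received_hash_i, prf(skeyid_r, ke_i + ke_r + cky_i + cky_r + sa + id_i))
    return {"wire": wire, "responder_authenticated": responder_ok,
            "initiator_authenticated": initiator_ok}


def cleartext_bytes(wire) -> bytes:
    """Everything an observer on the path sees without a key."""
    return b"".join(v for _, fields, _ in wire for v in fields.values())


if __name__ == "__main__":
    # Constructed identities and PSK; nothing here is a real deployment value.
    run = aggressive_mode(b"secret-psk", b"secret-psk", b"client@example.test", b"asa.example.test")
    seen = cleartext_bytes(run["wire"])
    for direction, fields, enc in run["wire"]:
        print(direction, "clear:", sorted(fields), "encrypted:", enc is not None)
    print("PSK on wire:", b"secret-psk" in seen)
    print("IDs on wire:", b"client@example.test" in seen and b"asa.example.test" in seen)
    print("both authenticated:", run["responder_authenticated"] and run["initiator_authenticated"])
```

The trace answers the question as posed: with matching PSKs both hashes verify, the PSK string never appears in the cleartext fields, and both identities do. With mismatched PSKs (the second run in the test below) neither hash verifies and message 3 decrypts to garbage. Main mode differs in that the identity payloads are sent only after SKEYID_e exists, so they travel encrypted.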
