cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10835
Views
3
Helpful
18
Replies
Highlighted
Beginner

Internet Key Exchange (IKE) Aggressive Mode

HI All,

Need the clarity on IKE version 1 with aggressive mode, I assume this is used for remote site VPN and not for site to site VPN.

Correct me I am wrong and also share the inputs on this.

Also required the inputs for disabling in Cisco 3800 series router.

Thanks in advance

Regards

Suresh

           

18 REPLIES 18
Highlighted
Engager

hi suresh,

Aggressive mode is faster than main mode because there are fewer exchanges. Aggressive mode compresses the IKE SA negotiation phases into 1 exchange with 3 packets. Main mode requires 3 exchanges with 6 packets.

Aggressive mode packets include:

    * First packet - The initiator packages everything needed fo the SA negotiation in the first message, including its DH public key

    * Second packet - The recipient responds with the acceptable parameters, authentication information and its DH public key

    * Third packet - The initiator then sends a confirmation that it received that information

Aggressive mode negotiation is quicker and the initiator and responder IDs pass in plaintext. After the IKE SA is established, Phase 2 negotiation begins.

The following are the IKE Phase 1 Aggressive Mode Exchange:

1. Send IKE policy set and R1's DH key

2. Confirm IKE policy set, calculate shared secret and send R2's DH key

3. Calculate shared secret, verify peer identity and confirm with peer

4. Authenticate peer and begin Phase 2

Highlighted

Hi johnlloyd,

Thanks for the response, Please clarifiy me on below points

1. Is this aggressive mode used only in site to site IPSEC VPN or in remote site VPN as well

2. Is this IKE version 1 secure with using pre shared key or not ?

3. If not secured, Then how do we disable V1 and move to V2 in cisco 3800 series router.

Regards

Suresh

Highlighted

hi suresh,

1. this is applicable for both S2S IPsec VPN and RA VPN (EZVPN).

for items 2 and 3, i haven't encountered IKE version 1 or any other version. could you clarify further or are you referring to IKE phase1 and IKE phase 2 (IPsec SA)?

Highlighted

Hi John,

I am reffering to IKE version 1 and 2 only not IKE phase 1 and 2.

And i need the inputs to disable the aggressive mode

Rgds

Suresh

Highlighted

hi,

to disable agressive mode, use the command:

Router(config)#crypto isakmp aggressive-mode disable

i've found some useful links for IKE v1 and v2:

https://tools.ietf.org/html/rfc4109 (IKE v1)

http://tools.ietf.org/html/rfc4306 (IKE v2)

with regards to your question whether IKE v1 is secure using pre-shared keys or not, it mainly depends on the IKE policy (or policies) configured on your VPN device. nowadays, AES-128, SHA-1 and DH group 14 are strongly encouraged.

Highlighted

hi

can i have the complete configuration for aggressive mode IPSEC tunnel...

Regads

Suresh

Highlighted

to use the ikev2, you just need to attach the ikev2 profile to the crypto map or IPsec profile applied to the interface, you don't need to disable ikev1 to use ikev2. ikev2 supports following:

encryption 

integrity

group

{3des} {aes-cbc-128} {aes-cbc-192} {aes-cbc-256}

{sha1} {sha256} {sha384} {sha512} {md5}

{1} {2} {5} {14} {15} {16} {19} {20} {24}

Highlighted

When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups, and PFS, can not be negotiated, resulting in a greater importance of having "compatible" configurations on both ends.

Main Mode

Main mode has three two-way exchanges between the initiator and the receiver.

  • First exchange: The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
  • Second exchange: Uses a Diffie-Hellman exchange to generate shared secret keying material used to generate shared secret keys and to pass nonces—random numbers sent to the other party and then signed and returned to prove their identity.
  • Third exchange: Verifies the other side's identity. The identity value is the IPSec peer's IP address in encrypted form. The main outcome of main mode is matching IKE SAs between peers to provide a protected pipe for subsequent protected ISAKMP exchanges between the IKE peers. The IKE SA specifies values for the IKE exchange: the authentication method used, the encryption and hash algorithms, the Diffie-Hellman group used, the lifetime of the IKE SA in seconds or kilobytes, and the shared secret key values for the encryption algorithms. The IKE SA in each peer is bi-directional.

Aggressive Mode

In aggressive mode, fewer exchanges are made, and with fewer packets. On the first exchange, almost everything is squeezed into the proposed IKE SA values: the Diffie-Hellman public key; a nonce that the other party signs; and an identity packet, which can be used to verify identity via a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using the aggressive mode is that both sides have exchanged information before there's a secure channel. Therefore, it's possible to "sniff" the wire and discover who formed the new SA. However, it is faster than main mode.

Highlighted

Hi All

How do I verify whether IKE v1 is enabled or not in Cisco routers.

Regards

Suresh

Highlighted

IKEv1 is enabled by default. IKEv1 does not have to be  enabled for individual interfaces, but it is enabled globally for all  interfaces at the router. If you want to disable it, you can use no crypto isakmp command on all IPSec peers.

For configuration using aggresive mode, you can see find it on link below:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/IKE_Initiate_Aggressive_Mode.html#GUID-055B9338-25D4-4DBF-8D9F-EE4B073E7B9F

Highlighted

HI Rudy,

How can  configure secure IKE v1 in routers. Please guide what all the posible ways are there.

Regards

Suresh

Highlighted

To configure the IKEv1, you will need to create the isakmp policy, in that policy you need to choose the best encryption, authentication, hashing algorithms and DH group to use. You said that you are using 3800 router, what software do you have on the router? The secureness of IKE is depends on the combination on the value of encryption, auth, hash, DH.

Below are the options:      

hash {sha | sha256 | sha384 | md5}

15.1(2)T

This command was modified. The sha256 and sha384 keywords were added.

encryption {des | 3des | aes | aes 192 | aes 256}

12.2(13)T

The following keywords were added: aes, aes 192, and aes 256.

authentication {rsa-sig | rsa-encr | pre-share | ecdsa-sig}

15.1(2)T

This command was modified. The ecdsa-sig keyword was added.

group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}

15.1(2)T

This command was modified. The 14, 15, 16, 19, and 20 keywords were added.

For guideline in choosing which one is the considered "strong", refer to following link:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

Highlighted

Hi rudy,

Version is c3845-advipservicesk9-mz.124-3d.bin.

Regards

Suresh

Highlighted

I just updated my comment above,