01-17-2013 10:40 PM - edited 03-04-2019 06:45 PM
Hi All,
Need the clarity on IKE version 1 with aggressive mode. I assume this is used for remote site VPN and not for site to site VPN.
Correct me if I am wrong and also share the inputs on this.
Also required are the inputs for disabling it in a Cisco 3800 series router.
Thanks in advance
Regards
Suresh
01-18-2013 12:00 AM
hi suresh,
Aggressive mode is faster than main mode because there are fewer exchanges. Aggressive mode compresses the IKE SA negotiation phases into 1 exchange with 3 packets. Main mode requires 3 exchanges with 6 packets.
Aggressive mode packets include:
* First packet - The initiator packages everything needed for the SA negotiation in the first message, including its DH public key
* Second packet - The recipient responds with the acceptable parameters, authentication information and its DH public key
* Third packet - The initiator then sends a confirmation that it received that information
Aggressive mode negotiation is quicker and the initiator and responder IDs pass in plaintext. After the IKE SA is established, Phase 2 negotiation begins.
The following are the IKE Phase 1 Aggressive Mode Exchange:
1. Send IKE policy set and R1's DH key
2. Confirm IKE policy set, calculate shared secret and send R2's DH key
3. Calculate shared secret, verify peer identity and confirm with peer
4. Authenticate peer and begin Phase 2
01-18-2013 12:56 AM
Hi johnlloyd,
Thanks for the response. Please clarify the points below for me:
1. Is this aggressive mode used only in site to site IPSEC VPN or in remote site VPN as well?
2. Is this IKE version 1 secure when using a pre-shared key or not?
3. If not secure, then how do we disable v1 and move to v2 in a Cisco 3800 series router?
Regards
Suresh
01-18-2013 01:36 AM
hi suresh,
1. this is applicable for both S2S IPsec VPN and RA VPN (EZVPN).
for items 2 and 3, i haven't encountered IKE version 1 or any other version. could you clarify further or are you referring to IKE phase1 and IKE phase 2 (IPsec SA)?
01-18-2013 01:44 AM
Hi John,
I am referring to IKE version 1 and 2 only, not IKE phase 1 and 2.
And I need the inputs to disable the aggressive mode.
Rgds
Suresh
01-18-2013 02:11 AM
hi,
to disable aggressive mode, use the command:
Router(config)#crypto isakmp aggressive-mode disable
i've found some useful links for IKE v1 and v2:
https://tools.ietf.org/html/rfc4109 (IKE v1)
http://tools.ietf.org/html/rfc4306 (IKE v2)
with regards to your question whether IKE v1 is secure using pre-shared keys or not, it mainly depends on the IKE policy (or policies) configured on your VPN device. nowadays, AES-128, SHA-1 and DH group 14 are strongly encouraged.
01-18-2013 08:59 AM
hi
can i have the complete configuration for aggressive mode IPSEC tunnel...
Regards
Suresh
01-18-2013 07:30 AM
to use the ikev2, you just need to attach the ikev2 profile to the crypto map or IPsec profile applied to the interface, you don't need to disable ikev1 to use ikev2. ikev2 supports the following:
encryption: {3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256}
integrity: {sha1 | sha256 | sha384 | sha512 | md5}
group: {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}
01-18-2013 08:03 AM
When using aggressive mode, some configuration parameters, such as Diffie-Hellman groups and PFS, cannot be negotiated, resulting in a greater importance of having "compatible" configurations on both ends.
Main mode has three two-way exchanges between the initiator and the receiver.
In aggressive mode, fewer exchanges are made, and with fewer packets. On the first exchange, almost everything is squeezed into the proposed IKE SA values: the Diffie-Hellman public key; a nonce that the other party signs; and an identity packet, which can be used to verify identity via a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. The weakness of using the aggressive mode is that both sides have exchanged information before there's a secure channel. Therefore, it's possible to "sniff" the wire and discover who formed the new SA. However, it is faster than main mode.
01-21-2013 03:08 AM
Hi All
How do I verify whether IKE v1 is enabled or not in Cisco routers.
Regards
Suresh
01-21-2013 03:33 AM
IKEv1 is enabled by default. IKEv1 does not have to be enabled for individual interfaces, but it is enabled globally for all interfaces at the router. If you want to disable it, you can use the no crypto isakmp command on all IPSec peers.
For configuration using aggressive mode, you can find it on the link below:
01-21-2013 04:27 AM
Hi Rudy,
How can I configure secure IKE v1 in routers? Please guide me on all the possible ways there are.
Regards
Suresh
01-21-2013 05:03 AM
To configure IKEv1, you will need to create the isakmp policy; in that policy you need to choose the best encryption, authentication, hashing algorithms and DH group to use. You said that you are using a 3800 router; what software do you have on the router? The security of IKE depends on the combination of the encryption, auth, hash and DH values.
Below are the options:
hash {sha | sha256 | sha384 | md5}
  15.1(2)T: This command was modified. The sha256 and sha384 keywords were added.
encryption {des | 3des | aes | aes 192 | aes 256}
  12.2(13)T: The following keywords were added: aes, aes 192, and aes 256.
authentication {rsa-sig | rsa-encr | pre-share | ecdsa-sig}
  15.1(2)T: This command was modified. The ecdsa-sig keyword was added.
group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}
  15.1(2)T: This command was modified. The 14, 15, 16, 19, and 20 keywords were added.
For guidelines in choosing which ones are considered "strong", refer to the following link:
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
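The two hardening points raised in this thread, disabling aggressive mode with `crypto isakmp aggressive-mode disable` and choosing a strong isakmp policy (AES, SHA-1 or better, DH group 14), can be checked mechanically against a router's running-config. The following Python audit script is an added example and is not from any poster or from Cisco; the config snippets inside it are constructed, and it assumes IOS `show run` formatting (a `crypto isakmp policy N` header followed by indented keywords, with `encr` as the abbreviation) and the IOS defaults that apply when a policy omits a keyword (des, sha, rsa-sig, group 1).

```python
"""Audit a Cisco IOS running-config for the IKEv1 points discussed in the thread.

Added example with constructed config snippets; not from a real device.
Assumptions: IOS 'show run' layout ('crypto isakmp policy N' then indented
keywords, 'encr' abbreviation) and IOS defaults for omitted policy keywords.
"""
import re

# Thresholds follow the guidance in the thread: AES, SHA-1 or better, DH group 14.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2", "5"}
DISABLE_CMD = "crypto isakmp aggressive-mode disable"

# Values IOS applies when a policy block omits a keyword (assumption: IOS defaults).
DEFAULT_POLICY = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Constructed sample: one strong policy, one legacy policy, aggressive mode still enabled.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key REPLACE_WITH_KEY address 203.0.113.10
"""

# Constructed hardened version: only the strong policy, aggressive mode disabled.
HARDENED_CONFIG = """\
crypto isakmp aggressive-mode disable
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_KEY address 203.0.113.10
"""

POLICY_HEADER = re.compile(r"^crypto isakmp policy (\d+)\s*$")


def parse_isakmp_policies(config_text):
    """Return {policy_number: {encryption, hash, authentication, group}}, defaults filled in."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        header = POLICY_HEADER.match(line)
        if header:
            current = dict(DEFAULT_POLICY)
            policies[int(header.group(1))] = current
            continue
        if current is not None and line.startswith(" "):
            tokens = line.split()
            if tokens[0] in ("encr", "encryption"):
                current["encryption"] = " ".join(tokens[1:])  # e.g. "aes 256"
            elif tokens[0] in ("hash", "authentication", "group") and len(tokens) > 1:
                current[tokens[0]] = tokens[1]
            continue
        current = None  # any non-indented line ends the policy block
    return policies


def audit_config(config_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if DISABLE_CMD not in config_text:
        findings.append(f"global: aggressive mode still enabled; add '{DISABLE_CMD}'")
    policies = parse_isakmp_policies(config_text)
    if not policies:
        findings.append("global: no ISAKMP policy configured; the IOS default "
                        "(des/sha/rsa-sig/group 1) would be offered")
    for number, policy in sorted(policies.items()):
        cipher = policy["encryption"].split()[0]
        if cipher in WEAK_ENCRYPTION:
            findings.append(f"policy {number}: encryption '{policy['encryption']}' is legacy; use aes")
        if policy["hash"] in WEAK_HASH:
            findings.append(f"policy {number}: hash '{policy['hash']}' is weak; use sha or sha256")
        if policy["group"] in WEAK_GROUPS:
            findings.append(f"policy {number}: DH group {policy['group']} is too small; use group 14 or higher")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Paste the output of `show running-config | section crypto isakmp` into `audit_config` to check a live box. Note that the thresholds assume a release where the newer keywords exist: per the table above, `sha256` and group 14 only arrived in 15.1(2)T, so on an older image such as the 12.4(3d) build mentioned later in the thread the strongest configurable policy is aes 256 / sha / group 5, and `WEAK_GROUPS` should be relaxed accordingly until the router is upgraded.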
01-21-2013 05:16 AM
Hi Rudy,
Version is c3845-advipservicesk9-mz.124-3d.bin.
Regards
Suresh
01-21-2013 05:18 AM
I just updated my comment above,