Main Mode Vs Aggressive Mode

Parth
Level 1

Why and in what scenario do we choose Aggressive mode? Anyway, it's less secure, and Main mode is also not that slow, so what is the use of Aggressive mode?

Accepted Solution

AM was the default mode for EasyVPN as it's faster to establish; it uses 3 messages instead of 6 to get the tunnel up. Now, when to use MM or AM is your design decision. The problem with MM messages isn't only speed but computation overhead as well, because you need to hash/encrypt more messages than in AM.

Because the initiator doesn't have Nr, KEr or CKY-R yet, no SKEYIDs have been generated to decrypt AM_2. If AM_2 were encrypted, the initiator wouldn't be able to read the payload and get these values. Once it receives these values in AM_2 as clear text, it can generate the SKEYIDs and verify the hash.

An attacker can generate fake AM_1 packets and get AM_2 packets with the hash value and Nr, KEr, CKY-R. This way the attacker will have N, KE and CKY for both sender and receiver, along with the hash, which allows him to derive the SKEYIDs and later the pre-shared key.


2 Replies

Thank you Mohammed ...