SRX Services Gateway
Showing results for 
Search instead for 
Do you mean 
Posts: 133
Registered: ‎03-11-2017
0 Kudos
Accepted Solution

IPSEC aggressive mode

why it said that aggressive mode doesn't support identity protection ??? 

However the ID is send encrypted is message 2 Untitled.png

Distinguished Expert
Posts: 1,109
Registered: ‎08-29-2013

Re: IPSEC aggressive mode

ID is there on 1st message itself as unencrypted - you may refer the capture on
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
Distinguished Expert
Posts: 1,937
Registered: ‎06-06-2011

Re: IPSEC aggressive mode


"Aggressive mode is used for VPN negotiation if there is no static ip address to send to your peer as your IKE identity. In aggressive mode, the IKE idently which is your local-id, is sent as clear text in message 1 of VPN phase 1 negotiation.<<<<=====


This is by design. This is still not a security issue as the preshare or cert information between the peers is encrypted/hashed and not sent as clear text. Even if someone spoofs the local-id, unless the preshare is known, it is not possible to break the VPN.

In Main mode, there are a total of 3 exchanges or 6 messages (for VPN Phase 1 negotiation) exchanged between the peers. IKE identities are encrypted and exchanged during messages 5 & 6, after encryption and auth alogrithms are proposed and accepted by the two peers in messages 1 & 2.

Whereas in Aggressive mode, there are a total of 3 messages between the peers,


and the IKE identity is exchanged in message 1 & 2 as clear text. <<<<<=====


Because the participants' identities are exchanged in the clear (in the first two messages), Aggressive mode does not provide identity protection. "

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]