07-13-2017 04:27 AM
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
07-15-2017 05:14 AM
"Aggressive mode is used for VPN negotiation if there is no static ip address to send to your peer as your IKE identity. In aggressive mode, the IKE idently which is your local-id, is sent as clear text in message 1 of VPN phase 1 negotiation.<<<<=====
This is by design. This is still not a security issue as the preshare or cert information between the peers is encrypted/hashed and not sent as clear text. Even if someone spoofs the local-id, unless the preshare is known, it is not possible to break the VPN.
In Main mode, there are a total of 3 exchanges or 6 messages (for VPN Phase 1 negotiation) exchanged between the peers. IKE identities are encrypted and exchanged during messages 5 & 6, after encryption and auth alogrithms are proposed and accepted by the two peers in messages 1 & 2.
Whereas in Aggressive mode, there are a total of 3 messages between the peers,
and the IKE identity is exchanged in message 1 & 2 as clear text. <<<<<=====
Because the participants' identities are exchanged in the clear (in the first two messages), Aggressive mode does not provide identity protection. "
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]