SRX Services Gateway

IPSEC aggressive mode

07-13-2017 04:19 AM

Why does it say that aggressive mode doesn't support identity protection?

However, the ID is sent encrypted in message 2.

Solution accepted by topic author AhmedMohamed, 07-16-2017 04:33 AM

Re: IPSEC aggressive mode

07-13-2017 04:27 AM
The ID is there in the 1st message itself, unencrypted; you may refer to the capture at https://www.cloudshark.org/captures/8f87daea9948
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: IPSEC aggressive mode

07-15-2017 05:14 AM

https://kb.juniper.net/InfoCenter/index?page=content&id=KB11885&actp=search&searchid=1235632452125&a...

"Aggressive mode is used for VPN negotiation if there is no static IP address to send to your peer as your IKE identity. In aggressive mode, the IKE identity, which is your local-id, is sent as clear text in message 1 of VPN phase 1 negotiation. <<<<=====

This is by design. This is still not a security issue as the preshare or cert information between the peers is encrypted/hashed and not sent as clear text. Even if someone spoofs the local-id, unless the preshare is known, it is not possible to break the VPN.

In Main mode, there are a total of 3 exchanges or 6 messages (for VPN Phase 1 negotiation) exchanged between the peers. IKE identities are encrypted and exchanged during messages 5 & 6, after encryption and auth algorithms are proposed and accepted by the two peers in messages 1 & 2.

Whereas in Aggressive mode, there are a total of 3 messages between the peers, and the IKE identity is exchanged in message 1 & 2 as clear text. <<<<<=====

Because the participants' identities are exchanged in the clear (in the first two messages), Aggressive mode does not provide identity protection."

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
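To make the KB's protocol point concrete, here is an added example (my own code, not from this thread or from Juniper) that reads the cleartext ISAKMP header and, only when the encryption bit is clear, walks the payload chain to see whether an ID payload is readable on the wire. The two messages are constructed samples with shortened fields, not the capture linked above.

```python
import struct

# ISAKMP constants from RFC 2408 / RFC 2409 (IKEv1)
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4   # exchange types: "Identity Protection" (Main) and Aggressive
FLAG_ENCRYPTION = 0x01              # E bit: every payload after the 28-byte header is encrypted
PAYLOAD_ID = 5
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}
HDR = "!8s8sBBBBII"                 # i-cookie, r-cookie, next payload, version, exchange, flags, msgid, length

def parse_header(pkt):
    # The header is never encrypted, so exchange type and E bit are always readable
    _, _, nxt, _, exch, flags, _, length = struct.unpack(HDR, pkt[:28])
    return {"next_payload": nxt, "exchange": exch, "flags": flags, "length": length}

def walk_payloads(pkt, first):
    # Follow the generic-payload chain; only meaningful when the E bit is clear
    off, ptype = 28, first
    while ptype != 0 and off + 4 <= len(pkt):
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("malformed payload length")
        yield ptype, pkt[off + 4:off + plen]
        off, ptype = off + plen, nxt

def cleartext_identity(pkt):
    # Returns (id_type_name, id_data) if an ID payload is readable on the wire, else None
    hdr = parse_header(pkt)
    if hdr["flags"] & FLAG_ENCRYPTION:
        return None                 # Main Mode msg 5/6: the ID is inside the encrypted chain
    for ptype, body in walk_payloads(pkt, hdr["next_payload"]):
        if ptype == PAYLOAD_ID:     # body = id type (1), protocol id (1), port (2), data
            return ID_TYPES.get(body[0], str(body[0])), body[4:]
    return None

def build(exchange, flags, payloads):
    # Assemble a message from [(payload_type, body), ...]; used only for the constructed samples
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, first, 0x10, exchange, flags, 0, 28 + len(chain)) + chain

# Constructed sample (not a real capture): Aggressive Mode message 1 = HDR, SA, KE, Ni, IDii
AGGRESSIVE_MSG1 = build(EXCH_AGGRESSIVE, 0, [
    (1, b"\x00\x00\x00\x01"), (4, b"\xaa" * 16), (10, b"\xbb" * 8),         # SA, KE, Nonce (shortened)
    (PAYLOAD_ID, b"\x02\x11\x00\x00" + b"branch.example.com"),               # ID: FQDN, proto 17 (UDP)
])
# Constructed sample: Main Mode message 5 = HDR*, {IDii, HASH_I}; E bit set, chain is ciphertext
MAIN_MSG5 = struct.pack(HDR, b"\x11" * 8, b"\x22" * 8, PAYLOAD_ID, 0x10, EXCH_MAIN, FLAG_ENCRYPTION, 0, 60) + bytes(range(32))
```

Running `cleartext_identity` over both samples returns the FQDN for the aggressive-mode message and `None` for the main-mode message, which is exactly the difference the KB text describes.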