Expand all | Collapse all

IPSEC aggressive mode

Jump to Best Answer
  • 1.  IPSEC aggressive mode

    Posted 07-13-2017 04:19

    why it said that aggressive mode doesn't support identity protection ??? 

    However the ID is send encrypted is message 2 Untitled.png

  • 2.  RE: IPSEC aggressive mode
    Best Answer

    Posted 07-13-2017 04:27
    ID is there on 1st message itself as unencrypted - you may refer the capture on

  • 3.  RE: IPSEC aggressive mode

    Posted 07-15-2017 05:14


    "Aggressive mode is used for VPN negotiation if there is no static ip address to send to your peer as your IKE identity. In aggressive mode, the IKE idently which is your local-id, is sent as clear text in message 1 of VPN phase 1 negotiation.<<<<=====


    This is by design. This is still not a security issue as the preshare or cert information between the peers is encrypted/hashed and not sent as clear text. Even if someone spoofs the local-id, unless the preshare is known, it is not possible to break the VPN.

    In Main mode, there are a total of 3 exchanges or 6 messages (for VPN Phase 1 negotiation) exchanged between the peers. IKE identities are encrypted and exchanged during messages 5 & 6, after encryption and auth alogrithms are proposed and accepted by the two peers in messages 1 & 2.

    Whereas in Aggressive mode, there are a total of 3 messages between the peers,


    and the IKE identity is exchanged in message 1 & 2 as clear text. <<<<<=====


    Because the participants' identities are exchanged in the clear (in the first two messages), Aggressive mode does not provide identity protection. "