IPsec VPN: Understanding IKE Phase 1 Aggressive mode


PREREQUISITE:

  1. IPsec VPN: Understanding the IKE Phase 1 Main Mode

  2. IPsec VPN: NAT Traversal (NAT-T)

Why even use aggressive mode?

Aggressive mode needs only 3 messages for the IKEv1 Phase 1 negotiation, so it completes faster than Main mode, which needs 6.

Mode            | No. of messages | Description
Main Mode       | 6               | Used when the peer IP is static; provides identity protection
Aggressive Mode | 3               | Used when the peer IP is dynamic; does not provide identity protection

How is Aggressive mode able to squeeze the Phase 1 negotiation into 3 messages?

Aggressive mode bundles the SA proposal, the DH key exchange and the identities into the first 2 messages (the responder already authenticates itself with its hash in message 2), and the initiator then proves its identity with its own hash in the third and last message:

[Figure: Aggressive mode packet flow]

Wireshark packet capture & analysis:

  • Aggressive mode message 1 == Main mode message 1 & 3:

    1. SA proposal

    2. Key Exchange payload + nonce

    3. Identification payload

    4. NAT-T negotiation

    5. Dead Peer Detection (DPD)

  • Aggressive mode message 2 == Main mode message 2 & 4:

    1. SA proposal

    2. Key Exchange payload + nonce

    3. Identification payload

    4. NAT-T negotiation + NAT-D payloads

    5. Dead Peer Detection (DPD)

    6. Hash of responder

  • Aggressive mode message 3 == hash for authentication (initiator proves its identity):

    1. The hash of the initiator, sent as an encrypted payload, to prove its identity

What are the limitations of the Aggressive mode?

  1. Doesn't provide identity protection: the Identification payloads travel unencrypted in messages 1 and 2.

  2. The initiator can offer only one DH group, because the Key Exchange payload (which depends on the chosen group) is already sent in the 1st message. If the initiator needs to send multiple proposals with different DH groups, use Main mode.
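
The following model of the 3-message exchange is an added example for this article, not code from the article's author. It walks the message breakdown above (SA, KE + nonce, ID in message 1; the same plus HASH_R in message 2; HASH_I in message 3) and makes both limitations concrete: the identities are readable from messages 1 and 2, and message 1 cannot offer more than one DH group. The HASH_I / HASH_R inputs and the pre-shared-key SKEYID follow RFC 2409; the DH group parameters (TOY_GROUPS), HMAC-SHA256 as the prf, the SA encoding and the message layouts are simplified stand-ins assumed for the model, and the identities and key in the usage are constructed values.

```python
"""Model of IKEv1 Phase 1 Aggressive mode with pre-shared-key authentication."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Toy DH groups: (prime, generator). NOT real IKE groups, only here so the model
# runs on plain integers; real IKEv1 uses the MODP groups of RFC 2409 / RFC 3526.
TOY_GROUPS = {2: (2**127 - 1, 3), 14: (2**521 - 1, 3)}


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf is an HMAC keyed with the negotiated hash; HMAC-SHA256 here (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


@dataclass
class Message1:           # initiator -> responder, nothing is encrypted
    cky_i: bytes          # initiator cookie
    sa: bytes             # SA proposal payload body (SAi_b in RFC 2409)
    dh_group: int
    ke: int               # g^xi: the DH public value, so exactly one group
    nonce_i: bytes
    id_i: bytes           # initiator identity, sent in the clear


@dataclass
class Message2:           # responder -> initiator, nothing is encrypted
    cky_r: bytes
    sa: bytes
    ke: int               # g^xr
    nonce_r: bytes
    id_r: bytes           # responder identity, also in the clear
    hash_r: bytes         # HASH_R: the responder authenticates itself here


@dataclass
class Message3:           # initiator -> responder, the only encrypted payload
    hash_i: bytes         # HASH_I: the initiator authenticates itself here


def encode_sa(dh_groups) -> bytes:
    """Stand-in for the SA payload body: one transform per offered DH group."""
    return b"".join(b"TRANSFORM:GROUP=%d;" % g for g in dh_groups)


class Peer:
    def __init__(self, psk: bytes, identity: bytes):
        self.psk, self.identity = psk, identity
        self.cookie, self.nonce, self.priv = os.urandom(8), os.urandom(16), None

    def dh_generate(self, group: int) -> int:
        p, g = TOY_GROUPS[group]
        self.priv = int.from_bytes(os.urandom(32), "big") % (p - 2) + 2
        return pow(g, self.priv, p)

    def dh_shared(self, group: int, peer_pub: int) -> bytes:
        return int_to_bytes(pow(peer_pub, self.priv, TOY_GROUPS[group][0]))


def skeyid_psk(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, nonce_i + nonce_r)


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, id_i) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, int_to_bytes(g_xi) + int_to_bytes(g_xr) + cky_i + cky_r + sai_b + id_i)


def hash_r(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, id_r) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, int_to_bytes(g_xr) + int_to_bytes(g_xi) + cky_r + cky_i + sai_b + id_r)


def build_message1(initiator: Peer, offered_groups: list) -> Message1:
    """Message 1 already carries the KE payload, so it can offer only ONE DH group."""
    if len(set(offered_groups)) != 1:
        raise ValueError("aggressive mode: KE is in message 1, all proposals must share one DH group")
    group = offered_groups[0]
    return Message1(initiator.cookie, encode_sa(offered_groups), group,
                    initiator.dh_generate(group), initiator.nonce, initiator.identity)


def aggressive_mode(initiator: Peer, responder: Peer, offered_groups: list):
    """Run the 3-message exchange; returns (m1, m2, m3, both_sides_authenticated)."""
    m1 = build_message1(initiator, offered_groups)
    # responder: derive SKEYID from the nonces, answer with its KE, ID and HASH_R
    g_xr = responder.dh_generate(m1.dh_group)
    skeyid_r = skeyid_psk(responder.psk, m1.nonce_i, responder.nonce)
    m2 = Message2(responder.cookie, m1.sa, g_xr, responder.nonce, responder.identity,
                  hash_r(skeyid_r, m1.ke, g_xr, m1.cky_i, responder.cookie, m1.sa, responder.identity))
    # initiator: verify HASH_R before sending anything else
    skeyid_i = skeyid_psk(initiator.psk, m1.nonce_i, m2.nonce_r)
    if not hmac.compare_digest(hash_r(skeyid_i, m1.ke, m2.ke, m1.cky_i, m2.cky_r, m1.sa, m2.id_r), m2.hash_r):
        return m1, m2, None, False
    m3 = Message3(hash_i(skeyid_i, m1.ke, m2.ke, m1.cky_i, m2.cky_r, m1.sa, m1.id_i))
    # responder: verify HASH_I; both sides must also agree on the DH secret g^xy
    initiator_ok = hmac.compare_digest(hash_i(skeyid_r, m1.ke, m2.ke, m1.cky_i, m2.cky_r, m1.sa, m1.id_i), m3.hash_i)
    same_secret = initiator.dh_shared(m1.dh_group, m2.ke) == responder.dh_shared(m1.dh_group, m1.ke)
    return m1, m2, m3, initiator_ok and same_secret


def exposed_identities(m1: Message1, m2: Message2) -> tuple:
    """What a packet capture on UDP/500 reveals: both IDs are in unencrypted messages."""
    return m1.id_i, m2.id_r


if __name__ == "__main__":
    # constructed values for the demo
    m1, m2, m3, ok = aggressive_mode(Peer(b"psk", b"branch@example.com"), Peer(b"psk", b"hq.example.com"), [2])
    print("authenticated:", ok, "identities visible on the wire:", exposed_identities(m1, m2))
```

In the model, `build_message1` rejects a proposal list that mixes DH groups, which is exactly why a mixed offer needs Main mode, and `exposed_identities` reads both IDs straight out of the first two messages, which is the missing identity protection from the table above.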
