Aggressive Mode

1) The first packet from the initiator carries enough information for the remote endpoint to compute its DH shared secret, so this one packet is equivalent to the first four packets of main mode. It contains:
+ Exchange type = Aggressive
+ phase 1 parameters
+ key exchange payload
+ nonce payload
If NAT-T is in use, two NAT-D payloads are added:
NAT-D payload ---> local identification (hash of the local original IP and port)
NAT-D payload ---> remote identification (hash of the remote IP and port)

2) The second packet, sent by the remote endpoint back to the initiator, contains the remote endpoint's own DH value (key exchange payload).
3) The third packet from the initiator carries the identity and hash payloads. When the remote endpoint receives it, it simply computes the hash itself and compares it with the hash payload; if they match, phase 1 is established.

#crypto map CMAP 1 set phase1-mode aggressive
#crypto isakmp am-disable     ---> disables Aggressive Mode
#no crypto isakmp am-disable  ---> allows Aggressive Mode

NOTE: if you disable Aggressive Mode, remote-access users (EZVPN / Cisco VPN client) have to authenticate with certificates instead of preshared keys.
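To check on the wire that the exchange type and payload layout described in the three packets above actually appear, and that Aggressive Mode really is gone once am-disable is applied, the following added Python example (not from the original post) parses the fixed 28-byte ISAKMP header and walks the payload chain. The packet bytes are a constructed sample with dummy payload bodies, not a real capture.

```python
import struct

# ISAKMP (RFC 2408) header: I-SPI(8) R-SPI(8) next-payload(1) version(1)
# exchange-type(1) flags(1) message-id(4) length(4) = 28 bytes
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAIN_MODE, AGGRESSIVE = 2, 4  # exchange types
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
                 13: "VID", 20: "NAT-D"}  # NAT-D = 20 per RFC 3947

def parse_isakmp(pkt):
    """Return (exchange_type, [payload names]) for one raw ISAKMP message."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    _ispi, _rspi, next_pl, _ver, xchg, _flags, _mid, length = \
        struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    if length != len(pkt):
        raise ValueError("length field %d != %d bytes read" % (length, len(pkt)))
    payloads, off = [], HEADER_LEN
    while next_pl != 0:  # generic payload header: next(1) reserved(1) length(2)
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length at offset %d" % off)
        payloads.append(PAYLOAD_NAMES.get(next_pl, "type-%d" % next_pl))
        next_pl, off = nxt, off + plen
    return xchg, payloads

def uses_aggressive_mode(pkt):
    """True when the phase 1 message was negotiated in Aggressive Mode."""
    xchg, _ = parse_isakmp(pkt)
    return xchg == AGGRESSIVE

def _payload(next_type, body):
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body

def build_sample_first_packet(xchg=AGGRESSIVE):
    """Constructed sample (not a capture): SA, KE, NONCE, two NAT-D payloads."""
    body = (_payload(4, b"\x00" * 8)        # SA (phase 1 parameters), next = KE
            + _payload(10, b"\x11" * 16)    # KE, next = NONCE
            + _payload(20, b"\x22" * 8)     # NONCE, next = NAT-D
            + _payload(20, b"\x33" * 20)    # NAT-D (local id hash), next = NAT-D
            + _payload(0, b"\x44" * 20))    # NAT-D (remote id hash), last
    hdr = struct.pack(HEADER_FMT, b"\x01" * 8, b"\x00" * 8, 1, 0x10, xchg, 0, 0,
                      HEADER_LEN + len(body))
    return hdr + body

if __name__ == "__main__":
    print(parse_isakmp(build_sample_first_packet()))
```

Feed it the UDP/500 payload of a captured first packet; an exchange type of 4 after am-disable means the negotiation is still being offered in Aggressive Mode.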
