Aggressive Mode
1)The first packet from the initiator carries everything the remote endpoint needs to compute the DH shared secret (its DH public value and a nonce), along with the Phase 1 proposal and the initiator's identity, all unencrypted.
2)The second packet from the remote endpoint sends back its own DH public value and nonce, the accepted proposal, its identity, and its hash payload (HASH_R), so the initiator can compute the same DH shared secret and verify the responder.
3)The third packet from the initiator carries its hash payload (HASH_I), which authenticates the identity it already sent in the first packet. When the remote endpoint receives it, it calculates the expected hash and compares; if it matches, Phase 1 is established.
So the first aggressive-mode packet alone carries what main mode spreads over its first four packets (proposal, key exchange and nonce), plus the identity that main mode only sends encrypted in packets five and six.
+Exchange type=Aggressive
+phase1 parameters (the SA proposal)
+key exchange payload (DH public value)
+nonce payload
+identification payload (the identity is sent in the clear)
IF NAT-T is supported by both peers (signalled by vendor ID payloads in the first two packets), NAT-D payloads are added to the second and third packets:
NAT-D payload--->local identification (hash of the ISAKMP cookies plus the local original IP and port)
NAT-D payload--->remote identification (hash of the ISAKMP cookies plus the remote IP and port)
#crypto map CMAP 1 set phase1-mode aggressive---->initiate Phase 1 in aggressive mode for this crypto map entry (ASA)
#crypto isakmp am-disable---->to disable Aggressive mode (the ASA will no longer accept aggressive-mode exchanges)
#no crypto isakmp am-disable--> to allow aggressive mode again (the default)
NOTE:-if you disable Aggressive Mode, you have to use certificates instead of preshared keys for remote-access users (EZVPN / Cisco VPN client), because the gateway looks up the group preshared key from the identity carried in the first aggressive-mode packet; main mode does not expose that identity until the preshared key is already needed, and these clients usually have no fixed IP address to key on instead.
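The three-packet exchange above and the reason behind the NOTE, modelled in Python. This is an added example, not code from the original page or from Cisco: it implements the RFC 2409 pre-shared-key formulas (SKEYID = prf(PSK, Ni | Nr), HASH_I and HASH_R) with HMAC-SHA1, and goes beyond the page by showing why preshared keys plus aggressive mode are a problem: every input to HASH_R except the PSK travels in the clear in packets 1 and 2, so a captured exchange can be checked offline against guesses. The Diffie-Hellman group, the payload bytes and the PSK candidates are constructed for the walkthrough and are assumptions, not real IKE values.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the walkthrough: an assumption for brevity,
# NOT one of the IKE MODP groups (IKE group 2 is a 1024-bit prime).
P = 2**127 - 1
G = 5


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC with the negotiated hash (HMAC-SHA1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def int_to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key authentication: SKEYID = prf(PSK, Ni_b | Nr_b).
    The DH shared secret is not an input here, only the two nonces."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)"""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def aggressive_mode(psk_initiator: bytes, psk_responder: bytes):
    """Run the three-packet exchange. Returns (phase1_established, wire),
    where wire holds every field a passive observer sees on the network."""
    # Constructed payload bytes (assumptions); real payloads are TLV-encoded.
    sai_b = b"\x00\x00\x00\x01SA-proposal"        # initiator's Phase 1 proposal
    idii_b = b"\x0b\x00\x00\x00vpngroup"           # ID_KEY_ID style group name
    idir_b = b"\x01\x00\x00\x00\xc0\xa8\x01\x01"   # ID_IPV4_ADDR 192.168.1.1

    # Packet 1, I -> R: HDR(CKY-I), SA, KE(g^xi), Ni, IDii   (all in the clear)
    cky_i = secrets.token_bytes(8)
    xi = secrets.randbelow(P - 2) + 2
    gxi = int_to_bytes(pow(G, xi, P))
    ni = secrets.token_bytes(16)

    # Packet 2, R -> I: HDR(CKY-I, CKY-R), SA, KE(g^xr), Nr, IDir, HASH_R   (still in the clear)
    cky_r = secrets.token_bytes(8)
    xr = secrets.randbelow(P - 2) + 2
    gxr = int_to_bytes(pow(G, xr, P))
    nr = secrets.token_bytes(16)
    skeyid_r = skeyid_psk(psk_responder, ni, nr)
    h_r = hash_r(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    wire = dict(cky_i=cky_i, cky_r=cky_r, gxi=gxi, gxr=gxr, ni=ni, nr=nr,
                sai_b=sai_b, idii_b=idii_b, idir_b=idir_b, hash_r=h_r)

    # Both sides can now compute the DH shared secret (used for SKEYID_d/a/e, not for the hashes).
    shared_i = pow(int.from_bytes(gxr, "big"), xi, P)
    shared_r = pow(int.from_bytes(gxi, "big"), xr, P)
    if shared_i != shared_r:
        return False, wire

    # Initiator derives SKEYID from its own PSK and verifies HASH_R before sending anything else.
    skeyid_i = skeyid_psk(psk_initiator, ni, nr)
    if not hmac.compare_digest(h_r, hash_r(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b)):
        return False, wire

    # Packet 3, I -> R: HDR*, HASH_I   (may already be encrypted with keys derived from SKEYID)
    h_i = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    expected = hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    return hmac.compare_digest(h_i, expected), wire


def recover_psk(wire: dict, candidates):
    """Every input to HASH_R except the PSK is visible in packets 1 and 2, so a
    captured aggressive-mode exchange can be tested offline against a wordlist.
    Returns the matching candidate, or None."""
    for guess in candidates:
        sk = skeyid_psk(guess, wire["ni"], wire["nr"])
        h = hash_r(sk, wire["gxi"], wire["gxr"], wire["cky_i"], wire["cky_r"],
                   wire["sai_b"], wire["idir_b"])
        if hmac.compare_digest(h, wire["hash_r"]):
            return guess
    return None


if __name__ == "__main__":
    ok, captured = aggressive_mode(b"cisco123", b"cisco123")
    print("phase 1 established:", ok)
    # Constructed wordlist; the capture alone is enough to confirm the guess.
    print("PSK recovered from the capture:", recover_psk(captured, [b"password", b"cisco123"]))
```

In main mode the same HASH_R is sent only in packet 6, already encrypted under keys derived from SKEYID, so an observer has nothing to test guesses against; that is the property am-disable preserves, at the cost of needing certificates for remote-access clients that cannot be keyed by address.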