dirkdigs
New Member
September 22, 2014
Question

aggressive mode vs main mode

  • September 22, 2014
  • 9 replies
  • 23569 views
How secure is aggressive mode? I know it's faster than main mode with fewer exchanges, but what does it send in clear text? Is this a security issue?

    9 replies

    emnoc
    New Member
    September 22, 2014
    It's not as secure for IKEv1. Authentication parameters are leaked unencrypted, and with 3 exchanges vs 6 for main mode. BTW, you should be using it (aggressive) for dialup or dyn VPNs. FWIW, IKEv2 doesn't have these issues.
    dirkdigs (Author)
    New Member
    September 22, 2014
    So the key exchanges are not encrypted. What about user login/password? Is this still encrypted with aggressive mode? How do I secure my dialup VPN?
    Istvan_Takacs_FTNT
    Staff
    September 22, 2014
    C'mon man, if you really are FCNSP certified then you should know the answer to this basic question without asking it on a public forum. Seems it was really time to reform the certification path, as it appears it starts to get diluted, and it could end up like the MCSE one that could be bought at the local fishmonger for $5 in its final days. BTW, the answer to your question can also be found after a quick look at the product documentation: Choosing main mode or aggressive mode http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/phase1.111.04.html
    dirkdigs (Author)
    New Member
    September 22, 2014
    Found the answer: http://blog.spiderlabs.com/2013/03/cracking-ike-aggressive-mode-hashes-part-1.html @Istvan thanks for your dumb comment
    emnoc
    New Member
    September 23, 2014
    Istvan, that was harsh, and probably most security engineers, regardless of FCNSP status, would not know the difference between the two or even what quick mode is. Dirkdigs, I have never seen aggressive used outside of dialup VPNs, where you can't readily define the peer address since it's dynamic or an "any" (0.0.0.0/0). IKEv2 is a better choice all around but might be limited by VPN client support.
    ede_pfau
    SuperUser
    September 23, 2014
    I agree that we all are not around these forums here to get bashed for asking. Let's just keep to the polite and informative style that this place is special for. Besides, I don't even have an FCNSP certification and still just don't know so many things, though I've got 10 years of experience with Fortinet now. I'm glad I have a place where I can ask fellow colleagues for advice. @dirkdigs I _did_ know that the IDs were exchanged in clear text when using AgMode, but the blog you referred to was interesting and showed me something new. Namely, that one can brute-force an IPsec VPN, more easily with AgMode, and how. So, having the log flooded with unsuccessful attempts to establish a tunnel should ring the alarm bells. The new improved IPS rate filters of FOS 5.2 come to my mind.
    Christopher_McMullan
    Staff
    September 23, 2014
    Good article. I love networking: you're always learning something new! A good way to prevent unauthorized attempts, if you are deploying a site-to-site VPN, is to create a local-in policy denying any UDP port 500 traffic into your local external interface (the one terminating the VPN) unless it comes from the known public IP of the VPN peer.

        config firewall local-in-policy
            edit 0
                set ...
                ...
        end
    dirkdigs (Author)
    New Member
    September 23, 2014
    So is it possible to even get a response back from the FortiGate using the ike-scan utility? The article talks about Cisco ASA; however, I have not been successful trying this on the FortiGate.
    netmin
    New Member
    September 23, 2014
    Yes, it is. Try using locally "diag debug application ike -1" to see what the FGT sees (but might not respond to). For example, a command like "ike-scan -A -g 5 <IP>" returns some information when DH group 5 is used and aggressive mode.
    ede_pfau
    SuperUser
    September 24, 2014
    Well, I think that if you start an IKE negotiation against a FGT and you would NOT see any response, then the FGT would be bricked. 'ike-scan' just does what any IPsec client would do. And I bet you could do some fingerprinting from the kind of response to various connection attempts. Hopefully, Fortinet R&D has probed this before it gets drawn into public here.
    netmin
    New Member
    September 24, 2014
    @ede: well, not necessarily bricked. The tool appears to use DH 2 by default, and the FGT indeed sees this request but doesn't respond with any single packet when using different DH groups. Certainly the tool might provide addl. options, but not by default (or without reading the documents).
    fcb
    Visitor III
    March 10, 2021

    I get that this is an old post (a Google search landed me here, where I found my answer, I might add), but considering that most of the people that posted to this thread are still active on the forums, a sort of follow-up question if I may. You guys mention that Aggressive mode is to be used mostly for dynamic and dial-up connections. This is the default still to this day in the FortiGate wizard, but in an environment with oversight we were forced to move ALL VPNs to Main Mode, ALL VPNs. Did we hurt ourselves in doing so? I get the extra time during negotiation, but in what other way would it be negative? If memory serves, Main Mode makes you move the gate into more of an interface-based VPN, but I don't recall the specifics behind that. I know when using this type of VPN the client is assigned an IP in the defined range and then the client's gateway is always one number higher than the IP that they were assigned, i.e.:

    Ethernet adapter Ethernet 2:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30)
       Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.100.31.153(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Lease Obtained. . . . . . . . . . : Wednesday, April 20, 1999 4:20:00 PM
       Lease Expires . . . . . . . . . . : Saturday, December 31, 1999 23:59:59 PM
       Default Gateway . . . . . . . . . : 10.100.31.154
       DHCP Server . . . . . . . . . . . : 14.20.24.7
       DNS Servers . . . . . . . . . . . : 14.20.3.65
                                           14.20.7.24
       NetBIOS over Tcpip. . . . . . . . : Enabled

    for some reason. Thanks - mainly just curious, so thank you if anyone still has ears on.

    AndreaSoliva
    New Member
    September 24, 2014
    Hi, one more hint from my side: If you use several FortiClient connections on, for example, the WAN interface, YOU HAVE TO USE Aggressive Mode with PSK. The reason is that if user A for Client2Site A is requesting IKE on WAN, the IKE daemon cannot identify the connection as being related to Client2Site A. This means actually that the PSK will be checked on both Client2Site configurations, meaning A and B. The request for B will of course fail. To prevent this, if you are using more than one Client2Site IPsec configuration, use "local-id" in phase1. In this way User A will deliver the local-id for Client2Site A, and in this way the IKE daemon can fully identify the connection. The disadvantage of such a configuration is that the local-id will be delivered in clear text to the IKE daemon listening on WAN. If you want to prevent this, you have to configure main mode and use RSA authentication with certificates. If so, the IKE daemon can verify the connection over the certificate list. From my point of view, if you are using Site2Site, always use Main Mode except if the other site is an interoperability device which requires Aggressive Mode. Hope this helps, have fun. Andrea
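    How the hint above looks in FortiOS CLI, as an added example and not the poster's own configuration: the gateway matches the ID each FortiClient sends as its Local ID against the phase1 peerid, so two dial-up tunnels on one WAN interface each check only their own PSK. Tunnel names, peer IDs, the interface wan1 and the proposals are assumptions; the PSK values are placeholders.

```fortios
# Two dial-up phase1 definitions on the same interface, told apart by the ID
# the client presents (FortiClient "Local ID" == peerid here). Names, IDs and
# crypto settings are assumed; replace the PSK placeholders with real secrets.
config vpn ipsec phase1-interface
    edit "Client2Site-A"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "site-a-users"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-A-placeholder>
    next
    edit "Client2Site-B"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "site-b-users"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-B-placeholder>
    next
end
```

    As the reply notes, the peer ID still travels in clear text in aggressive mode; only main mode with certificate authentication keeps the identity hidden from anyone watching UDP 500 on the WAN side.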