Description
This article describes the difference between Aggressive and Main mode in IPSec VPN configurations.
Scope
FortiGate.
Solution
Before going into specific IPsec VPN configurations, it is important to understand the differences between Main mode and Aggressive mode. The following breakdown of each exchange shows how the two modes differ and which one is appropriate for a given environment.
Main Mode:
- Phase 1 negotiation consists of 6 messages in total:
- The 1st packet is sent by the Initiator tunnel endpoint to the Responder tunnel endpoint. It contains the Security Association proposal (encryption, hashing, authentication method, DH group, and lifetime) together with the Initiator cookie. This message is unencrypted.
- The 2nd packet is sent by the Responder to the Initiator in response to the 1st message. It contains the encryption, hashing, authentication method, DH group, and lifetime proposed by the Responder, together with both the Initiator cookie and the Responder cookie. This message is unencrypted.
- Only if the algorithms in the 2nd message match the Initiator's proposal does the Initiator proceed with the 3rd packet, which carries the Initiator's Diffie-Hellman public key and nonce. This message is unencrypted.
- The Responder replies with its own Diffie-Hellman public key and nonce. This message is unencrypted.
- The Initiator sends a hash (ICV/digest) derived from its pre-shared key for authentication. This message is encrypted, using the keys derived from the Diffie-Hellman exchange.
- The Responder sends a hash (ICV/digest) derived from its pre-shared key for authentication. This message is also encrypted.
Aggressive Mode:
- Phase 1 negotiation consists of 3 messages in total.
- All the data required to establish the SA (Security Association) is sent by the Initiator.
- The Responder replies with the selected ISAKMP policy and an authentication request.
- The Initiator responds to the request and the SA is established.
When to use aggressive mode:
Aggressive mode is useful when multiple dialup tunnels terminate on the same FortiGate IP address and the remote peer is authenticated using a peer ID because of its dynamic IP address. In aggressive mode, the peer ID is sent in the first packet, allowing FortiGate to match the remote peer with the appropriate dialup tunnel. This is not possible in main mode, where the peer ID is sent in the final packets, after the tunnel has already been identified. The trade-off is that the peer ID, and the authentication hash that follows it, travel unencrypted in aggressive mode, whereas main mode exchanges identities and hashes only in messages 5 and 6, once the Diffie-Hellman keys protect them.
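As an added example (not part of the original article), the following Python script parses the ISAKMP header and payload chain of constructed IKEv1 datagrams to make the difference visible on the wire: the exchange-type byte distinguishes the two modes, an all-zero Responder cookie marks the opening packet, and the aggressive-mode first message already carries the ID payload while the main-mode first message carries only the SA proposal. Field layouts and type codes follow RFC 2408; the packet contents are constructed placeholders, not real transforms or keys.

```python
"""Classify an IKEv1/ISAKMP datagram (UDP 500 payload) as Main or Aggressive
Mode from its header and list the payloads of an unencrypted message."""
import struct

EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode"}          # RFC 2408 exchange types
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}
FLAG_ENCRYPTION = 0x01                                           # E bit in the header flags
ZERO_COOKIE = b"\x00" * 8

def parse_isakmp(data):
    """Return mode, whether this is the opening packet (no Responder cookie yet),
    whether the body is encrypted, and the payload chain of a cleartext body."""
    if len(data) < 28:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    # I-cookie(8) R-cookie(8) next-payload(1) version(1) exchange(1) flags(1) msg-id(4) length(4)
    _icookie, rcookie, nxt, _ver, exch, flags, _msgid, _length = struct.unpack("!8s8sBBBBII", data[:28])
    info = {"mode": EXCHANGE_TYPES.get(exch, "other (%d)" % exch),
            "first_message": rcookie == ZERO_COOKIE,
            "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": []}
    if info["encrypted"]:
        return info                  # payload chain is ciphertext; nothing to walk
    offset = 28
    while nxt != 0 and offset + 4 <= len(data):
        info["payloads"].append(PAYLOAD_TYPES.get(nxt, "type %d" % nxt))
        nxt, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])   # generic payload header
        if plen < 4 or offset + plen > len(data):
            raise ValueError("malformed payload length")
        offset += plen
    return info

def build_message(exch, payloads, rcookie=ZERO_COOKIE, flags=0):
    """Constructed test datagram: chain the given (type, content) payloads after a header."""
    body = b""
    for i, (ptype, content) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(content)) + content
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, rcookie, payloads[0][0], 0x10, exch, flags, 0, 28 + len(body))
    return hdr + body

# Constructed samples (dummy payload contents, not real IKE transforms or keys).
MAIN_MSG1 = build_message(2, [(1, b"\x00" * 8)])                       # main mode message 1: SA proposal only
AGGR_MSG1 = build_message(4, [(1, b"\x00" * 8), (4, b"\x22" * 32), (10, b"\x33" * 16), (5, b"\x01\x00\x00\x00peer-id")])
MAIN_MSG5 = build_message(2, [(5, b"\x01\x00\x00\x00peer-id"), (8, b"\x44" * 16)], rcookie=b"\x22" * 8, flags=FLAG_ENCRYPTION)  # E bit set; body would be ciphertext on the wire

if __name__ == "__main__":
    for name, pkt in (("main msg1", MAIN_MSG1), ("aggressive msg1", AGGR_MSG1), ("main msg5", MAIN_MSG5)):
        print(name, parse_isakmp(pkt))
```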
Related articles:
- Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
- Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)
- Troubleshooting Tip: IPsec VPNs tunnels
- Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
- Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels
- Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
- Technical Tip: How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
- Technical Tip: IPSec dial-up full tunnel with FortiClient
- Technical Note: Dynamic routing (BGP) over IPsec tunnel
- Technical Tip: OSPF with IPSec VPN for network redundancy
- Technical Tip: Dynamic dial-up VPN with OSPF
- Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
- Technical Tip: 'set net-device' new route-based IPsec logic
- Technical Tip: Simple OCVPN deployment
- Technical Tip: SD-WAN integration with OCVPN
- Technical Tip: Configure IPsec VPN with SD-WAN
- Technical Tip: SD-WAN with DDNS type IPsec
- Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
- Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
- Technical Note: Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPsec phase1 on a...
- Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
- Technical Tip: Hard timeout for Dialup IPsec VPN Tunnel