Description
This article describes the difference between Aggressive and Main mode in IPSec VPN configurations.
Scope
FortiGate.
Solution
Before going deeper into IPsec VPN configuration, it is necessary to understand the differences between Main mode and Aggressive mode in IKEv1 Phase 1. The summaries below show how the two modes differ and which one is appropriate for a given environment.
Main Mode:
- PHASE1 negotiation is made in 6 messages in total:
- The 1st packet is sent by the initiator tunnel endpoint to the responder tunnel endpoint. It contains the Security Association proposal (Encryption, Hashing, Authentication, DH group, and Lifetime) and the Initiator cookie. This message is unencrypted.
- The 2nd packet is sent by the responder tunnel endpoint to the initiator in response to the 1st message. It contains the Encryption, Hashing, Authentication, DH group, and Lifetime selected by the responder, together with the Initiator cookie and the Responder cookie. This message is unencrypted.
- Only if the algorithms returned in message 2 match its own proposal does the initiator proceed with the 3rd packet. In the 3rd packet, the initiator sends its Diffie-Hellman public key along with its nonce. This message is unencrypted.
- In the 4th packet, the responder replies with its Diffie-Hellman public key and its nonce. This message is unencrypted.
- In the 5th packet, the initiator sends an ICV/digest/hash value derived from its preshared key for authentication. This message is encrypted.
- In the 6th packet, the responder sends an ICV/digest/hash value derived from its preshared key for authentication. This message is encrypted.
Aggressive Mode:
- PHASE1 negotiation is made in 3 messages in total.
- All the data required to establish the SA (Security Association) is sent by the initiator in the first message.
- The responder replies with the selected ISAKMP policy and an authentication request.
- The initiator responds to the request and the SA is established.
When to use aggressive mode:
Aggressive mode is useful when multiple dialup tunnels terminate on the same FortiGate IP address, and the remote peer is authenticated using a peer ID due to its dynamic IP address. In aggressive mode, the peer ID is sent in the first packet, allowing FortiGate to correctly match the remote peer with the appropriate dialup tunnel. This is not possible in main mode, as the peer ID is sent in the final packet, after the tunnel has already been identified.
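The following FortiOS CLI configuration is an added example, not part of the original article, showing the scenario just described: two dialup Phase 1 definitions terminating on the same FortiGate interface, distinguished only by peer ID, with the matching remote-peer configuration for one branch. The interface name "wan1", the tunnel names, the peer IDs "branch-A" and "branch-B", the hub address 203.0.113.10, and the PSK placeholders are all assumed values for illustration; the proposal and DH group are choices, not requirements from the article.

```text
# Hub FortiGate: two dialup tunnels on the same public IP (assumed interface wan1).
# Aggressive mode is required here because the peer ID arrives in message 1,
# so the FortiGate can select the correct phase1 before authentication.
config vpn ipsec phase1-interface
    edit "dialup-branch-A"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "branch-A"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-FOR-BRANCH-A-PLACEHOLDER>
    next
    edit "dialup-branch-B"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "branch-B"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-FOR-BRANCH-B-PLACEHOLDER>
    next
end

# Branch A FortiGate (dynamic IP): sends localid "branch-A" so the hub
# can match it to "dialup-branch-A". Hub address 203.0.113.10 is assumed.
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw 203.0.113.10
        set localid "branch-A"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-FOR-BRANCH-A-PLACEHOLDER>
    next
end
```

With a single dialup tunnel on the interface there is nothing to disambiguate, so `set mode main` works and avoids sending the peer ID in the clear; the per-tunnel peer ID (and therefore aggressive mode) is only needed once a second dialup Phase 1 shares the same local IP address.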