Configuring Site-to-Site IPSec VPN with Aggressive Mode on Cisco Routers (Old vs New IOS)
Table of Contents
- Introduction
- What is Aggressive Mode?
- Crypto Math Explained
- Old IOS Configuration
- New IOS Configuration
- Verification & CLI Output
- Troubleshooting
- Related Articles
Introduction
IPSec VPNs are used to securely connect two networks over an untrusted network like the internet.
Aggressive Mode is a type of IKE Phase 1 negotiation that completes faster than Main Mode but exposes identity early.
What is Aggressive Mode?
Aggressive Mode reduces the number of message exchanges from 6 (Main Mode) to 3.
Deep Explanation
It sends identity information in clear text early in the exchange, making it faster but less secure.
Crypto Math (Simple Explanation)
IPSec uses encryption and hashing.
Encryption (Confidentiality)
Ciphertext = Encrypt(Plaintext, Key)
๐ Converts readable data into unreadable form.
Hashing (Integrity)
Hash = H(Data)
๐ Ensures data is not modified.
Key Exchange (Diffie-Hellman Simplified)
Shared Key = (Public Key ^ Private Key) mod p
๐ Both sides generate the same key without sending it directly.
Old IOS Configuration
Router 1 Config
crypto isakmp policy 10
encr aes
hash sha
authentication pre-share
group 2
crypto isakmp key cisco123 address 2.2.2.2
crypto isakmp profile AGGR
match identity address 2.2.2.2
keyring default
self-identity address
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS
match address 100
interface Gig0/0
crypto map VPN
New IOS Configuration (Post 15.9)
Modern Configuration
crypto ikev1 policy 10
encryption aes
hash sha
authentication pre-share
group 2
crypto ikev1 enable Gig0/0
crypto ikev1 profile AGGR
match identity remote address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local KR
crypto ipsec profile IPSEC-PROFILE
set transform-set TS
interface Tunnel0
tunnel protection ipsec profile IPSEC-PROFILE
Verification & CLI Output
Commands
show crypto isakmp sa
show crypto ipsec sa
Sample Output
Router# show crypto isakmp sa
dst src state conn-id
2.2.2.2 1.1.1.1 QM_IDLE 1001
IKE Phase 1 Aggressive Mode Packet Flow (Step-by-Step)
Aggressive Mode completes Phase 1 in just 3 messages, unlike Main Mode which uses 6.
Message Flow Breakdown
Message 1 (Initiator → Responder)
- Encryption algorithms
- Hash algorithm
- DH group
- Identity (EXPOSED)
- Public key (DH)
Message 2 (Responder → Initiator)
- Selected proposal
- Responder identity
- Public key
- Hash
Message 3 (Initiator → Responder)
- Authentication (hash)
- Confirms shared key
Why Aggressive Mode is Less Secure
- Identity sent in plaintext
- Susceptible to dictionary attacks
- No identity protection
Aggressive Mode vs Main Mode
| Feature | Aggressive Mode | Main Mode |
|---|---|---|
| Messages | 3 | 6 |
| Speed | Fast | Slower |
| Security | Lower | Higher |
| Identity Protection | No | Yes |
| Use Case | Dynamic IP | Static IP |
Deep Crypto Math (CCNP Simplified)
Diffie-Hellman Key Exchange
Shared Secret = (g^a mod p)^b mod p
๐ Both peers generate the same key without sending it over the network.
Simple Analogy
Think of mixing colors:
- Public color = shared
- Private color = secret
- Final mix = shared secret
Hash Authentication
HASH = H(Shared Key + Data)
๐ Ensures both sides have the same key and data is not altered.
Real Debug Output Analysis
Command
debug crypto isakmp
Sample Output
ISAKMP:(0):Aggressive mode peer = 2.2.2.2
ISAKMP:(0): processing SA payload
ISAKMP:(0): processing KE payload
ISAKMP:(0): processing ID payload
ISAKMP:(0): SA established
Explanation (Line-by-Line)
- processing SA payload → Negotiating encryption settings
- processing KE payload → Diffie-Hellman exchange
- processing ID payload → Identity exchange (visible!)
- SA established → Tunnel is ready
Wireshark-Level Understanding (Without Tool)
If you captured packets, you would see:
- UDP 500 traffic
- IKE messages in 3 steps
- Identity visible in packet 1
Interview Questions (Very Important)
Click to Expand
Q1: Why is Aggressive Mode insecure?
Because identity is sent in plaintext and fewer exchanges reduce protection.
Q2: When should you use Aggressive Mode?
When one side has a dynamic IP.
Q3: Difference between Phase 1 and Phase 2?
Phase 1 establishes secure channel, Phase 2 protects data traffic.
Q4: What is QM_IDLE?
Indicates Phase 2 is complete and tunnel is active.
Q5: Common failure reason?
Pre-shared key mismatch or ACL mismatch.
Advanced Troubleshooting Tips
- Check NAT-T (UDP 4500)
- Verify ISAKMP policies match
- Check transform-set mismatch
- Ensure interesting traffic ACL is correct
show crypto session
show crypto ikev1 sa
Troubleshooting
- Check pre-shared key mismatch
- Verify ACLs
- Check NAT issues
- Use debug commands
debug crypto isakmp
debug crypto ipsec
Related Articles
Conclusion
Aggressive Mode is useful in dynamic IP scenarios but should be used carefully due to security trade-offs.
No comments:
Post a Comment