Need for visibility on the IPsec protocol: aggressive Mode

Hello

I have a few doubts about VPN. I already went through a large number of documents. Everybody says something I don't agree with. So please don't view this kind of material in your answer.

Aggressive mode: as far as I know, there are 3 exchanges in aggressive mode. The initiator in the first message sends the SA parameters, DH, its ID (IP address, fully qualified domain name). Then the responder (2nd message) replies with the SA settings, DH, ID, HASH_R, then the initiator (3rd message) responds with HASH_I and Phase 1 is established here.

As the initiator and responder IDs are sent in clear text, we say that aggressive mode is not secure.

DH is used to exchange keys between peers. DH negotiates and then generates a SECRET_KEY which in turn is used to encrypt the symmetric key. We have SA parameters for encryption, hash, authentication.

Here are my questions:

(a) All the SA parameters, IDs and DH are exchanged in the first and second messages. The third message from the initiator is only to send HASH_I. Now, I don't see any use of DH at all in this mode, and no encryption (the ISAKMP payload is not encrypted). Phase 1 alone aims to build a secure management layer so that the Phase 2 connection (data connection) may be established under a secure layer (Phase 1). Now, I see that in aggressive mode we are not able to achieve this secure layer. So, what's the point of having encryption algorithms and DH in Phase 1 if they are never used? Instead we could skip Phase 1 and have PFS in Phase 2 serve as the DH, and we have hashing algorithms and encryption there too.

(b) Is the PRE-SHARED KEY actually shared over the connection using DH? Or is just a HASH of the PRE-SHARED KEY generated and sent over the connection for authentication?

(c) Why can aggressive mode be used for dynamic addressing and not main mode?

Please answer these queries and correct me if I am wrong somewhere.

Thank you

Rakesh Kumar

(a) Theoretically, skipping Phase 1 and doing everything in Phase 2 (for aggressive mode only) would probably be a good idea to make it safer.  However, this would require a complete redesign of the IKE protocol.  As you probably already know, aggressive mode is used by default only for remote-access VPN, and I've never seen it used site-to-site at any of the customers I have come in contact with.  In my opinion, aggressive mode would be used only in situations where a large number of VPN tunnels are built and torn down all the time (as with RA VPN) to save on hardware resources.  But... it is what it is, not a very safe method to use.

(b) The pre-shared key is used to create a hash and this hash is sent to the remote peer.  If the remote peer can create the same hash using its own pre-shared key, then the peers know they share the same secret.  The problem with aggressive mode is that the hash is sent in plain text, so if an attacker is able to capture this data they could perform an offline brute-force attack.

(c) I think this has to do with the fact that aggressive mode sends its identity in clear text and therefore does not need to be pre-configured as a peer on the responder, as it does with tunnels that have static addresses at both ends.

--

Please do not forget to select a correct answer and rate useful posts
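The answer's point (b) can be made concrete by writing out the RFC 2409 pre-shared-key hashes that the peers actually exchange. The following is an added example, not code from the thread or from any vendor: it models the three aggressive-mode messages with constructed field values (cookies, nonces, a stand-in SA payload body, ID payload bodies) and a toy Diffie-Hellman group that stands in for a real MODP group. HMAC-SHA1 is assumed as the prf. Two things become visible by inspection: SKEYID depends only on the PSK and the two nonces, and every other input to HASH_R is carried in clear in messages 1 and 2, so `authenticate_responder` needs no private DH exponent, which is exactly what makes the hash checkable offline by anyone holding the capture. The DH secret g^xy is not wasted, though: it feeds SKEYID_d, SKEYID_a and SKEYID_e, the keys that protect the Phase 2 (quick mode) exchange that follows.

```python
"""IKEv1 aggressive mode with pre-shared-key authentication (RFC 2409 s5.4).
Added example with constructed values; HMAC-SHA1 prf and a toy DH group are
assumptions, not what a real negotiation would pick."""
import hashlib
import hmac
import secrets

# Toy DH parameters: a 127-bit Mersenne prime stands in for a negotiated MODP group.
TOY_P = (1 << 127) - 1
TOY_G = 3
DH_LEN = 16  # bytes needed to encode a value below TOY_P


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (SHA-1 assumed)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(PSK, Ni_b | Nr_b). Both nonces travel in clear."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, g_xi + g_xr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


def derive_phase1_keys(skeyid, g_xy, cky_i, cky_r):
    """SKEYID_d/_a/_e: the only place the DH secret g^xy enters. SKEYID_e encrypts
    later IKE traffic (quick mode), SKEYID_a authenticates it, SKEYID_d seeds
    the IPsec SA keying material."""
    skeyid_d = prf(skeyid, g_xy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02")
    return {"skeyid_d": skeyid_d, "skeyid_a": skeyid_a, "skeyid_e": skeyid_e}


def dh_public(x: int) -> bytes:
    return pow(TOY_G, x, TOY_P).to_bytes(DH_LEN, "big")


def dh_shared(peer_public: bytes, x: int) -> bytes:
    return pow(int.from_bytes(peer_public, "big"), x, TOY_P).to_bytes(DH_LEN, "big")


def run_aggressive_mode(psk: bytes, x_i: int, x_r: int, rng=secrets.token_bytes):
    """Simulate the three messages. Returns (wire, secret): what an observer on the
    path sees, and what each peer keeps to itself."""
    cky_i, cky_r = rng(8), rng(8)   # ISAKMP header cookies
    ni_b, nr_b = rng(16), rng(16)   # nonce payload bodies
    sai_b = b"constructed stand-in for the initiator's SA payload body"
    idii_b = b"\x03\x11\x01\xf4" + b"initiator@example.com"  # ID_USER_FQDN, UDP/500
    idir_b = b"\x01\x11\x01\xf4" + bytes([192, 0, 2, 1])      # ID_IPV4_ADDR, UDP/500

    # Message 1 (initiator -> responder): HDR, SA, KE, Ni, IDii, all in clear.
    g_xi = dh_public(x_i)
    msg1 = {"cky_i": cky_i, "sai_b": sai_b, "g_xi": g_xi, "ni_b": ni_b, "idii_b": idii_b}

    # Message 2 (responder -> initiator): HDR, SA, KE, Nr, IDir, HASH_R, all in clear.
    g_xr = dh_public(x_r)
    skeyid_r = skeyid_psk(psk, ni_b, nr_b)
    g_xy_r = dh_shared(g_xi, x_r)
    msg2 = {"cky_r": cky_r, "g_xr": g_xr, "nr_b": nr_b, "idir_b": idir_b,
            "hash_r": hash_r(skeyid_r, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b)}

    # Message 3 (initiator -> responder): HDR, HASH_I, still in clear in this mode.
    skeyid_i = skeyid_psk(psk, ni_b, nr_b)
    g_xy_i = dh_shared(g_xr, x_i)
    msg3 = {"hash_i": hash_i(skeyid_i, g_xi, g_xr, cky_i, cky_r, sai_b, idii_b)}

    wire = {"msg1": msg1, "msg2": msg2, "msg3": msg3}
    secret = {
        "initiator": {"g_xy": g_xy_i, "skeyid": skeyid_i,
                      **derive_phase1_keys(skeyid_i, g_xy_i, cky_i, cky_r)},
        "responder": {"g_xy": g_xy_r, "skeyid": skeyid_r,
                      **derive_phase1_keys(skeyid_r, g_xy_r, cky_i, cky_r)},
    }
    return wire, secret


def authenticate_responder(psk: bytes, wire: dict) -> bool:
    """The initiator's check on message 2: recompute HASH_R from the PSK and the
    cleartext fields only. No private exponent and no g^xy is needed."""
    m1, m2 = wire["msg1"], wire["msg2"]
    skeyid = skeyid_psk(psk, m1["ni_b"], m2["nr_b"])
    expected = hash_r(skeyid, m2["g_xr"], m1["g_xi"], m2["cky_r"], m1["cky_i"],
                      m1["sai_b"], m2["idir_b"])
    return hmac.compare_digest(expected, m2["hash_r"])


def authenticate_initiator(psk: bytes, wire: dict) -> bool:
    """The responder's check on message 3, symmetric to the one above."""
    m1, m2, m3 = wire["msg1"], wire["msg2"], wire["msg3"]
    skeyid = skeyid_psk(psk, m1["ni_b"], m2["nr_b"])
    expected = hash_i(skeyid, m1["g_xi"], m2["g_xr"], m1["cky_i"], m2["cky_r"],
                      m1["sai_b"], m1["idii_b"])
    return hmac.compare_digest(expected, m3["hash_i"])


if __name__ == "__main__":
    wire, secret = run_aggressive_mode(b"example-psk", 123456789, 987654321)
    print("responder authenticated:", authenticate_responder(b"example-psk", wire))
    print("both sides agree on SKEYID_e:",
          secret["initiator"]["skeyid_e"] == secret["responder"]["skeyid_e"])
```

Main mode computes the same HASH_I and HASH_R, but only in its fifth and sixth messages, after the peers have already run DH and switched on encryption under SKEYID_e, so neither the identities nor the PSK-derived hashes are exposed to a passive observer. That difference, together with the strength of the PSK itself, is what separates the two modes for a defender: with aggressive mode and a guessable group key, the check in `authenticate_responder` is the whole of what an attacker has to reproduce.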

Tags: Cisco Security
