Thursday, March 29, 2012

Cisco ASA: Aggressive Mode and Main Mode

I was looking at some phase 1 VPN connections, and I was wondering to myself what "MM_ACTIVE" and "AM_ACTIVE" meant.  Now, I should have known with all the study I have done in the past, but I simply just forgot.  They stand for Main Mode for "MM_ACTIVE" and Aggressive Mode for "AM_ACTIVE".  Below is a sample of what I saw.
ASA# sh cryp isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer:
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE  <---------- Main Mode
2   IKE Peer:
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE  <--------- Aggressive Mode
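If you have more than a couple of peers, reading the State column by eye gets old. The script below is an added example (not from the post and not a Cisco tool): it parses the text of "show crypto isakmp sa" and reports which IKE peers negotiated phase 1 in Aggressive Mode, so you know what will break before you run the am-disable command. The peer addresses in the sample are constructed (RFC 5737 documentation ranges); the post blanked them out.

```python
import re

# Constructed sample, modelled on the "show crypto isakmp sa" output in the post.
# The peer addresses are documentation-range placeholders, not real peers.
SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# "1   IKE Peer: 203.0.113.10" starts a new peer record; the address may be blank.
PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S*)\s*$")
# "Type    : L2L             Role    : initiator" carries two key/value pairs per line.
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per IKE peer with the lower-cased columns (type, role, rekey, state)."""
    peers = []
    current = None
    for line in text.splitlines():
        match = PEER_RE.match(line)
        if match:
            current = {"index": int(match.group(1)), "peer": match.group(2)}
            peers.append(current)
            continue
        # Summary lines before the first peer ("Active SA: 2") are skipped because
        # no record is open yet; everything after a peer line is attached to it.
        if current is not None and ":" in line:
            for key, value in FIELD_RE.findall(line):
                current[key.lower()] = value
    return peers


def ike_mode(state):
    """Map the State column prefix to the phase 1 mode it encodes (MM_* or AM_*)."""
    if state.startswith("MM_"):
        return "main"
    if state.startswith("AM_"):
        return "aggressive"
    return "unknown"


def aggressive_mode_peers(text):
    """Peers whose phase 1 SA was built in Aggressive Mode: these stop working after am-disable."""
    return [p for p in parse_isakmp_sa(text) if ike_mode(p.get("state", "")) == "aggressive"]


if __name__ == "__main__":
    for peer in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(f"{peer['index']:>2} {peer['peer']:<16} {peer.get('type', '?'):<5} "
              f"{peer.get('role', '?'):<10} {peer.get('state', '?'):<12} "
              f"mode={ike_mode(peer.get('state', ''))}")
    affected = aggressive_mode_peers(SAMPLE_OUTPUT)
    print(f"{len(affected)} peer(s) would be affected by 'crypto ikev1 am-disable'")
```

Pipe the real output into the script (or read it from a file) and run it before changing the configuration; any peer it lists of type "user" is a remote-access client that is relying on Aggressive Mode, exactly the case the next paragraph warns about.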

There is one thing in particular you need to know.  If you ever disable Aggressive Mode, then you will no longer be able to use pre-shared keys with remote-access users, because the only way to match the identity of a remote-access user with a pre-shared key is through Aggressive Mode.  Keep in mind that if you disable Aggressive Mode, you have to use certificates instead of pre-shared keys for remote-access users.  So, how do you disable Aggressive Mode?  "crypto ikev1 am-disable"

So, why would you even want to disable Aggressive Mode?  Well, it's less secure.  It exchanges the endpoint IDs in clear text instead of establishing the encrypted channel BEFORE exchanging identities (like Main Mode does).  So, if your endpoint ID is your IP address, in Aggressive Mode it would be in clear text instead of encrypted.  If you are in Main Mode, your endpoint ID (your hostname or IP address) would be encrypted.  DH is still used to establish the secure channel in Aggressive Mode, but the identities are sent in the same messages as the DH values, before that channel exists.  Interesting.  Aggressive Mode requires two exchanges totaling three messages, whereas Main Mode requires three exchanges totaling six messages.  Aggressive Mode is faster than Main Mode, but again less secure because it doesn't protect the identity of the two VPN parties involved.  But, they do offer the same services, so if you are a user, you wouldn't know the difference.
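To see why the identity ends up in the clear, it helps to lay the two exchanges side by side at the payload level. The model below is an added example, not part of the post and not an IKE implementation: it lists the payloads of each IKEv1 phase 1 message as given in RFC 2409 (pre-shared key authentication), marks which messages are sent under the keys derived from the Diffie-Hellman exchange, and then works out when DH completes and which ID payloads crossed the wire before that. The "HDR*" messages of Main Mode are the encrypted ones; the third Aggressive Mode message is modelled as clear text, as the RFC shows it.

```python
import math

# Each message is (sender, payloads, protected_by_dh_keys).
# "I" is the initiator, "R" the responder; payload names follow RFC 2409.
MAIN_MODE = [
    ("I", ["SA"], False),               # proposals
    ("R", ["SA"], False),               # accepted proposal
    ("I", ["KE", "Ni"], False),         # DH public value + nonce
    ("R", ["KE", "Nr"], False),         # DH public value + nonce -> both sides can derive keys
    ("I", ["IDii", "HASH_I"], True),    # HDR*: identity sent only under the new keys
    ("R", ["IDir", "HASH_R"], True),    # HDR*: identity sent only under the new keys
]

AGGRESSIVE_MODE = [
    ("I", ["SA", "KE", "Ni", "IDii"], False),           # identity rides with the DH value
    ("R", ["SA", "KE", "Nr", "IDir", "HASH_R"], False), # identity rides with the DH value
    ("I", ["HASH_I"], False),                           # clear text per RFC 2409
]


def cleartext_identities(msgs):
    """ID payloads that cross the wire in messages not protected by the DH-derived keys."""
    return [p for _, payloads, protected in msgs
            for p in payloads if p.startswith("ID") and not protected]


def dh_complete_after(msgs):
    """1-based number of the message after which both sides hold the other's KE payload."""
    ke_seen = set()
    for n, (sender, payloads, _) in enumerate(msgs, 1):
        if "KE" in payloads:
            ke_seen.add(sender)
        if ke_seen == {"I", "R"}:
            return n
    return None


def summarize(name, msgs):
    """Message/exchange counts plus the identity-protection facts for one phase 1 mode."""
    return {
        "mode": name,
        "messages": len(msgs),
        "exchanges": math.ceil(len(msgs) / 2),   # one exchange = a request/response pair
        "dh_complete_after_msg": dh_complete_after(msgs),
        "ids_in_clear": cleartext_identities(msgs),
    }


if __name__ == "__main__":
    for name, msgs in (("main", MAIN_MODE), ("aggressive", AGGRESSIVE_MODE)):
        print(summarize(name, msgs))
```

The summary for Main Mode shows DH finishing after message 4 and no ID payload in the clear, because the identities only appear in messages 5 and 6. For Aggressive Mode, DH also finishes (after message 2), but both IDii and IDir were already sent in messages 1 and 2, in the clear, alongside the KE payloads; that is the trade the three-message exchange makes.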