Correct response to Aggressive Node if not supported

Posted by Paul D.Smith on September 17, 2007, 5:51 am
Can someone tell me what the correct ISAKMP response to an Aggressive Mode
offer is if the receiving VPN server does not support Aggressive Mode?

The background to this is a Cisco VPN client offering Aggressive Mode to a
Netgear router that only supports Main Mode.

Thanks,
Paul DS.



Posted by Stephen J. Bevan on September 18, 2007, 9:56 am
> Can someone tell me what the correct ISAKMP response to an Aggressive Mode
> offer is if the receiving VPN server does not support Aggressive Mode?

I'm not sure what you mean by "the correct ISAKMP response is" since
the RFC (2408) allows the receiver to do one or more of the following :-

1 silently ignore the aggressive-mode request.

2 log an INVALID PROPOSAL in whatever passes for a log system on the
receiver.

3 send the initiator a NO-PROPOSAL-CHOSEN informational message.

If 3 occurs then the initiator should not take any notice of it because
(unless this is a rekey) the response will not be
encrypted and authenticated and thus could be spoofed. Even if 3 occurs
in order to help a human diagnose the problem when they only have
access to the initiator, there is no guarantee of delivery since there
is no retransmission timer for it, and the receiver may rate limit its
responses to further requests.

> The background to this is a Cisco VPN client offering Aggressive Mode to a
> Netgear router that only supports Main Mode.

If the Cisco VPN client is offering both aggressive and main then the
Netgear is wrong not to accept the aggressive-mode. If the Cisco only
sends aggressive then the Netgear is correct to reject it.

Posted by Paul D.Smith on September 18, 2007, 11:30 am
...snip...

> If the Cisco VPN client is offering both aggressive and main then the
> Netgear is wrong not to accept the aggressive-mode. If the Cisco only
> sends aggressive then the Netgear is correct to reject it.

Stephen,

Thanks for your answer. Does this mean that there is no fall back from
Aggressive to Main mode possible? I hadn't appreciated that the initial
offer could contain both.

Paul DS.



Posted by Stephen J. Bevan on September 18, 2007, 9:12 pm
> Thanks for your answer. Does this mean that there is no fall back from
> Aggressive to Main mode possible?

There is no concept of a fall back from Aggressive to Main in
IKE/ISAKMP. The closest you can get to that is having the responder
configured to accept both modes. How that is configured is
implementation dependent.


> I hadn't appreciated that the initial offer could contain both.

Sorry, I got them the wrong way around (that's what I get for posting
early in the morning): as noted above it is the responder that can be
configured with both aggressive and main mode. The initiator can only
offer one, at least within a single negotiation. In theory the
initiator can offer both in the sense that it can try one (say
aggressive) and if it doesn't negotiate within some configurable limit
try the other. However, I'm not aware of such a client.
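The two replies above describe a small state machine: a responder that only accepts Main Mode (ISAKMP exchange type 2, "Identity Protection") receives an Aggressive Mode offer (exchange type 4) and may ignore it, log it, or answer with an Informational exchange carrying NO-PROPOSAL-CHOSEN; the initiator, seeing an unencrypted and therefore unauthenticated notify, has no reason to trust it and keeps retransmitting; and the only "fallback" is a responder configured to accept both exchange types. The following is an added example, not code from the thread or from any Cisco or Netgear product. The header and Notify payload layouts and the constant values (exchange types 2/4/5, payload type 11, notify type 14, DOI 1) follow RFC 2408; the packet bytes, the cookie values, the `policy` knob and the function names are constructed for illustration, and the offer's SA payload is a stub with no proposal list.

```python
"""
Toy ISAKMP (RFC 2408) decision logic for an Aggressive Mode offer hitting a
responder that only accepts Main Mode.  Added example; all packets are
constructed here, not captured from real devices.
"""
import struct

# Exchange types (RFC 2408 section 3.1)
EXCH_IDENTITY_PROTECTION = 2   # IKE "Main Mode"
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5

# Payload types
PAYLOAD_NONE = 0
PAYLOAD_SA = 1
PAYLOAD_NOTIFY = 11

FLAG_ENCRYPTION = 0x01         # E bit: payloads after the header are encrypted
NO_PROPOSAL_CHOSEN = 14        # Notify message type (RFC 2408 section 3.14.1)
IPSEC_DOI = 1
SIT_IDENTITY_ONLY = 1
PROTO_ISAKMP = 1

HDR = struct.Struct("!8s8sBBBBII")        # 28-byte ISAKMP header
NOTIFY_FIXED = struct.Struct("!BBHIBBH")  # Notify payload, SPI size 0, no data


def build_header(icookie, rcookie, next_payload, exchange, flags, msg_id, body_len):
    # Version byte 0x10 = major 1, minor 0; Length covers header plus payloads.
    return HDR.pack(icookie, rcookie, next_payload, 0x10, exchange, flags,
                    msg_id, HDR.size + body_len)


def parse_header(data):
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, npl, ver, exch, flags, msg_id, length = HDR.unpack_from(data)
    return dict(icookie=icookie, rcookie=rcookie, next_payload=npl,
                version=ver, exchange=exch, flags=flags, msg_id=msg_id,
                length=length)


def aggressive_offer(icookie=b"\x11" * 8):
    """Constructed first Aggressive Mode message.  Only the exchange type in
    the header matters here, so the SA payload is a stub (DOI + situation,
    no proposals) instead of a real SA/KE/Nonce/ID set."""
    sa_stub = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12, IPSEC_DOI,
                          SIT_IDENTITY_ONLY)
    hdr = build_header(icookie, b"\x00" * 8, PAYLOAD_SA, EXCH_AGGRESSIVE,
                       0, 0, len(sa_stub))
    return hdr + sa_stub


def build_no_proposal_chosen(request):
    """Option 3 from the thread: an Informational exchange carrying a
    NO-PROPOSAL-CHOSEN notify.  No ISAKMP SA exists yet, so the E bit is
    clear: nothing in this message is encrypted or authenticated."""
    req = parse_header(request)
    notify = NOTIFY_FIXED.pack(PAYLOAD_NONE, 0, NOTIFY_FIXED.size,
                               IPSEC_DOI, PROTO_ISAKMP, 0, NO_PROPOSAL_CHOSEN)
    # Responder cookie left zero: the responder never created state (assumption).
    hdr = build_header(req["icookie"], b"\x00" * 8, PAYLOAD_NOTIFY,
                       EXCH_INFORMATIONAL, 0, 0, len(notify))
    return hdr + notify


def responder_decision(request, accepted_exchanges, policy="notify"):
    """What the responder does with an offer.  `accepted_exchanges` is the
    set of exchange types it is configured for; a set containing both 2 and
    4 is the closest thing to a "fallback" the thread describes.
    Returns (action, payload)."""
    hdr = parse_header(request)
    if hdr["exchange"] in accepted_exchanges:
        return ("proceed", None)
    if policy == "ignore":                      # option 1: drop silently
        return ("ignore", None)
    if policy == "log":                         # option 2: local log only
        return ("log", "INVALID PROPOSAL exchange=%d" % hdr["exchange"])
    return ("notify", build_no_proposal_chosen(request))   # option 3


def initiator_accepts_notify(message, expected_icookie):
    """The initiator's only check: the notify must match its own cookie and
    be encrypted (E bit set).  An unencrypted informational could have been
    spoofed by anyone who saw the first packet, so the initiator must not
    abandon the negotiation because of it; it keeps retransmitting.  A real
    implementation would additionally decrypt and verify the HASH payload
    when the E bit is set, which this toy does not attempt."""
    hdr = parse_header(message)
    if hdr["icookie"] != expected_icookie:
        return False
    return bool(hdr["flags"] & FLAG_ENCRYPTION)


if __name__ == "__main__":
    offer = aggressive_offer()
    for policy in ("ignore", "log", "notify"):
        action, payload = responder_decision(offer, {EXCH_IDENTITY_PROTECTION}, policy)
        print(policy, "->", action, payload if action != "notify" else payload.hex())
    _, notify = responder_decision(offer, {EXCH_IDENTITY_PROTECTION})
    print("initiator trusts notify:", initiator_accepts_notify(notify, b"\x11" * 8))
    print("both modes accepted ->",
          responder_decision(offer, {EXCH_IDENTITY_PROTECTION, EXCH_AGGRESSIVE})[0])
```

Run as a script it walks the offer through all three responder policies and then shows the initiator rejecting the NO-PROPOSAL-CHOSEN notify because its E bit is clear, which is exactly the behaviour the thread's Cisco client exhibits when it "drops" the Netgear's reply and retries the Aggressive offer.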

Posted by Paul D.Smith on September 19, 2007, 3:34 am
...snip...
>> I hadn't appreciated that the initial offer could contain both.
>
> Sorry, I got them the wrong way around (that's what I get for posting
> early in the morning): as noted above it is the responder that can be
> configured with both aggressive and main mode. The initiator can only
> offer one, at least within a single negotiation. In theory the
> initiator can offer both in the sense that it can try one (say
> aggressive) and if it doesn't negotiate within some configurable limit
> try the other. However, I'm not aware of such a client.

Stephen, thanks for clarifying. The background to this is that the Cisco
VPN Client with shared key tries Aggressive Mode but my Netgear DG834G only
supports Main Mode. Unfortunately the Netgear doesn't like the Cisco offer
and the Cisco doesn't like the Netgear response (to the extent that it drops
it, according to the logs) and keeps retrying the Aggressive offer.

My "cunning plan" is to investigate whether there is a suitable response to
the Aggressive Mode offer that will make the Cisco client then try Main
Mode. This is a vanity project and as much for my education as anything
else.

Thanks again, your answer should be very useful.
Paul DS.
