Correct response to Aggressive Mode if not supported

Can someone tell me what the correct ISAKMP response to an Aggressive Mode offer is if the receiving VPN server does not support Aggressive Mode?

The background to this is a Cisco VPN client offering Aggressive Mode to a Netgear router that only supports Main Mode.

Thanks, Paul DS.

Paul D.Smith

I'm not sure what you mean by "the correct ISAKMP response is" since the RFC (2408) allows the receiver to do one or more of the following :-

1. silently ignore the aggressive-mode request.
2. log an INVALID PROPOSAL in whatever passes for a log system on the receiver.
3. send the initiator a NO-PROPOSAL-CHOSEN informational message.

If 3 occurs then the initiator should not take any notice of it because (unless this is a rekey) the response will not be encrypted & authenticated and thus could be spoofed. Even if 3 occurs in order to help a human diagnose the problem when they only have access to the initiator, there is no guarantee of delivery since there is no retransmission timer for it, and the receiver may rate limit its responses to further requests.

If the Cisco VPN client is offering both aggressive and main then the Netgear is wrong not to accept the aggressive-mode. If the Cisco only sends aggressive then the Netgear is correct to reject it.

Stephen J. Bevan
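The three responder options listed above, and the point that the initiator cannot trust the unprotected notification, as an added Python example that is not from this thread or from any vendor's code. The numeric constants are RFC 2408's own assignments; the sample messages are constructed, and the policy flags passed to `respond` are an assumption.

```python
import struct
import logging

# Constants from RFC 2408 (ISAKMP); values are the RFC's own assignments.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length
EXCH_MAIN_MODE = 2        # "Identity Protection" exchange, i.e. Main Mode
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5
PAYLOAD_SA, PAYLOAD_NOTIFY = 1, 11
NOTIFY_NO_PROPOSAL_CHOSEN = 14
FLAG_ENCRYPTED = 0x01     # the E bit: set only once the ISAKMP SA protects the message
IPSEC_DOI, PROTO_ISAKMP = 1, 1

log = logging.getLogger("ike-responder")

def parse_header(msg: bytes) -> dict:
    """Split the fixed 28-byte ISAKMP header off an incoming UDP/500 datagram."""
    icky, rcky, nxt, ver, exch, flags, mid, length = ISAKMP_HDR.unpack_from(msg)
    return {"icookie": icky, "rcookie": rcky, "next_payload": nxt, "version": ver,
            "exchange": exch, "flags": flags, "msg_id": mid, "length": length}

def build_no_proposal_chosen(hdr: dict) -> bytes:
    """Informational reply carrying a NO-PROPOSAL-CHOSEN notification (unauthenticated, as the thread notes)."""
    # Notification payload: next, reserved, length, DOI, protocol id, SPI size (0), notify type.
    body = struct.pack("!BBHIBBH", 0, 0, 12, IPSEC_DOI, PROTO_ISAKMP, 0, NOTIFY_NO_PROPOSAL_CHOSEN)
    head = ISAKMP_HDR.pack(hdr["icookie"], b"\0" * 8, PAYLOAD_NOTIFY, hdr["version"],
                           EXCH_INFORMATIONAL, 0, 0, ISAKMP_HDR.size + len(body))
    return head + body

def respond(msg: bytes, accept_aggressive: bool, reply_with_notify: bool):
    """Responder policy for a phase-1 first message; returns (action, reply bytes or None)."""
    hdr = parse_header(msg)
    if hdr["exchange"] == EXCH_MAIN_MODE or (hdr["exchange"] == EXCH_AGGRESSIVE and accept_aggressive):
        return "accept", None
    # Option 2: always log; option 3 (notify) or option 1 (silent drop) is a configuration choice.
    log.warning("INVALID PROPOSAL: exchange type %d not enabled for initiator cookie %s",
                hdr["exchange"], hdr["icookie"].hex())
    if reply_with_notify:
        return "notify", build_no_proposal_chosen(hdr)
    return "ignore", None

def initiator_may_trust(reply: bytes) -> bool:
    """An initiator should only act on notifications protected by the ISAKMP SA (E bit set)."""
    return bool(parse_header(reply)["flags"] & FLAG_ENCRYPTED)

def notify_type(reply: bytes) -> int:
    """Read the notify message type from the first payload of an informational reply."""
    return struct.unpack_from("!H", reply, ISAKMP_HDR.size + 10)[0]

# Constructed samples: first message of an Aggressive Mode and of a Main Mode exchange (header only).
SAMPLE_AGGRESSIVE = ISAKMP_HDR.pack(b"\x11" * 8, b"\0" * 8, PAYLOAD_SA, 0x10, EXCH_AGGRESSIVE, 0, 0, ISAKMP_HDR.size)
SAMPLE_MAIN = ISAKMP_HDR.pack(b"\x22" * 8, b"\0" * 8, PAYLOAD_SA, 0x10, EXCH_MAIN_MODE, 0, 0, ISAKMP_HDR.size)
```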

...snip...

Stephen,

Thanks for your answer. Does this mean that there is no fall back from Aggressive to Main mode possible? I hadn't appreciated that the initial offer could contain both.

Paul DS.

Paul D.Smith

There is no concept of a fall back from Aggressive to Main in IKE/ISAKMP. The closest you can get to that is having the responder configured to accept both modes. How that is configured is implementation dependent.

Sorry, I got them the wrong way around (that's what I get for posting early in the morning): as noted above it is the responder that can be configured with both aggressive and main mode. The initiator can only offer one, at least within a single negotiation. In theory the initiator can offer both in the sense that it can try one (say aggressive) and if it doesn't negotiate within some configurable limit try the other. However, I'm not aware of such a client.

Stephen J. Bevan

...snip...

Stephen, thanks for clarifying. The background to this is that the Cisco VPN Client with shared key tries Aggressive Mode but my Netgear DG834G only supports Main Mode. Unfortunately the Netgear doesn't like the Cisco offer and the Cisco doesn't like the Netgear response (to the extent that it drops it, according to the logs) and keeps retrying the Aggressive Offer.

My "cunning plan" is to investigate whether there is a suitable response to the Aggressive Mode offer that will make the Cisco client then try Main Mode. This is a vanity project and as much for my education as anything else.

Thanks again, your answer should be very useful. Paul DS.

Paul D.Smith
