Re: Aggressive mode fallback to main mode

["Valery Smyslov" <svan@trustworks.com>]

----- Original Message ----- 
From: Saint-Hilaire, Ylian <ylian.saint-hilaire@intel.com>
To: <ipsec@lists.tislabs.com>
Sent: Friday, July 23, 1999 10:51 PM
Subject: Aggressive mode fallback to main mode


> 
> Questions to the group:
> 
> - Is it normal IKE behavior by vendors that don't support aggressive mode to
> process the first message as a main mode message? or MUST you respond to a
> aggressive mode with a "INVALID-EXCHANCE-TYPE". Can an implementation
> initiate in aggressive mode and see if the response is main or aggressive
> and process the rest of the exchange in that mode? (Of course, this limits
> all transforms to having the same DH group, your aggressive mode must be
> correct)

No, IKE doesn't allow you to switch exchange type in the middle of exchange.
If you start with aggressive mode you must continue with it, or abort negotiation
and restart with main mode. 

> - If I initiate in aggressive mode and time out, can I assume that the other
> machine does not support IKE?

Or that the other machine doesn't support error notifications (or for whatever
reason, i.e. shortage of resources, doesn't want to send them). 

> Thanks, Ylian Saint-Hilaire
> Intel (CAL) Communication Architecture Labs

Regards,
Valery.

---

References:

• Aggressive mode fallback to main mode
• From: "Saint-Hilaire, Ylian" <ylian.saint-hilaire@intel.com>

---

• Prev by Date: RE: Secret public keys
• Next by Date: Re: XAUTH is broken
• Prev by thread: Aggressive mode fallback to main mode
• Next by thread: Processing multiple phase 2 SA payloads
• Index(es):
  • Main
  • Thread