
Re: Aggressive/Main mode proposal
At 15:41 31.10.2003 -0500, Casey Carr wrote:
>Can anyone clear up an IKE proposal issue for me? If two secure gateways 
>are configured with the same IKE proposal parameters with the exception 
>that one is configured for main mode and the other is configured for 
>aggressive mode, can a valid IKE proposal be negotiated? I'm assuming that 
>regardless of which SG initiates, the result would be a main mode Phase 1. 
>Correct? Thanks, Casey

Not at all, I'm afraid. The result is implementation-dependent.
Several things could happen:
(1)
The responder only accepts its configured mode. With this implementation,
the negotiation will fail, regardless of which SG initiates.
(2)
The responder doesn't care about the mode; it accepts both. Both
directions would work.
(3)
The responder accepts both directions, but with limitations regarding the
initiator's ID. Our own software (VPN+) will always accept aggressive mode,
but for main mode the responder will do a policy lookup with just the IP
address.
Thus, if the policy only says "let C=DE, CN=Joern in with RSA, AES, and
group 14", main mode will not work, because the responder would have to
choose the group before it receives the ID.
(4)
The implementation might regard one of the modes to be "more secure"
and the responder might allow a config mismatch for that reason. Only
one direction would work.
(5)
Some implementations support only one of the two modes.

Jörn
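The responder-side policy lookup in case (3) above, as an added illustration that is not part of the original post and not VPN+ code: a policy table keyed on IP and/or ID, and a responder that in main mode can only use the IP address when it has to commit to a DH group, while in aggressive mode the ID is already in hand. The policy records, the IP addresses and the `lookup`/`responder_choose_group` functions are constructed for this example.

```python
"""Simulation of the main-mode vs. aggressive-mode policy lookup from case (3).

Constructed example, not code from the original post or from VPN+.
In main mode the responder must pick the proposal (and thus the DH group)
before the initiator's ID arrives, so a policy keyed only on an ID cannot
match. In aggressive mode the ID is in the first message, so it can.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    # Hypothetical policy record: an IP selector, an ID selector, or both
    peer_ip: Optional[str]
    peer_id: Optional[str]
    group: int
    auth: str = "rsa"
    cipher: str = "aes"


# Constructed policy table; the first entry is the ID-only policy from the post
POLICIES: List[Policy] = [
    Policy(peer_ip=None, peer_id="C=DE, CN=Joern", group=14),
    Policy(peer_ip="192.0.2.10", peer_id=None, group=2),
]


def lookup(policies: List[Policy], *, peer_ip: str,
           peer_id: Optional[str] = None) -> Optional[Policy]:
    """Return the first policy matching the information known so far."""
    for p in policies:
        if p.peer_ip is not None and p.peer_ip != peer_ip:
            continue
        # An ID selector can only match once an ID has actually been received
        if p.peer_id is not None and p.peer_id != peer_id:
            continue
        return p
    return None


def responder_choose_group(policies: List[Policy], mode: str,
                           peer_ip: str, peer_id: Optional[str]) -> Optional[int]:
    """DH group the responder can commit to in its first reply, or None when
    nothing matches what it knows at that point (negotiation fails)."""
    if mode == "main":
        p = lookup(policies, peer_ip=peer_ip)            # ID not yet received
    elif mode == "aggressive":
        p = lookup(policies, peer_ip=peer_ip, peer_id=peer_id)  # ID available
    else:
        raise ValueError(f"unknown mode: {mode}")
    return None if p is None else p.group
```

With the ID-only policy, an initiator from an unlisted address is refused in main mode but matched in aggressive mode; only an IP-keyed policy lets main mode succeed.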