Correct response to Aggressive Mode if not supported
Paul D.Smith 2007-09-17, 7:14 am
Can someone tell me what the correct ISAKMP response to an Aggressive Mode
offer is if the receiving VPN server does not support Aggressive Mode?
The background to this is a cisco VPN client offering Aggressive Mode to a
Netgear router that only supports Main Mode.
Thanks,
Paul DS.
Stephen J. Bevan 2007-09-18, 1:12 pm
"Paul D.Smith" <paul_d_smith@x-hotmail.com> writes:
> Can someone tell me what the correct ISAKMP response to an Aggressive Mode
> offer is if the receiving VPN server does not support Aggressive Mode?
I'm not sure what you mean by "the correct ISAKMP response is" since
the RFC (2408) allows the receiver to do one or more of the following :-
1 silently ignore the aggressive-mode request.
2 log an INVALID PROPOSAL in whatever passes for a log system on the
receiver.
3 send the initiator a NO-PROPOSAL-CHOSEN informational message.
If 3 occurs then the initiator should not take any notice of it because
(unless this is a rekey) the response will not be
encrypted & authenticated and thus could be spoofed. Even if 3 occurs
in order to help a human diagnose the problem when they only have
access to the initiator, there is no guarantee of delivery since there
is no retransmission timer for it, and the receiver may rate limit its
responses to further requests.
> The background to this is a cisco VPN client offering Aggressive Mode to a
> Netgear router that only supports Main Mode.
If the cisco VPN client is offering both aggressive and main then the
Netgear is wrong not to accept the aggressive-mode. If the cisco only
sends aggressive then the Netgear is correct to reject it.
Paul D.Smith 2007-09-18, 1:12 pm
....snip...
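The responder options and the initiator-side caveat from Stephen's reply, as an added illustration (not code from the thread): a minimal parser for the RFC 2408 fixed header, a responder policy that returns the permitted actions for an unsupported mode, and the initiator check that ignores an unprotected NO-PROPOSAL-CHOSEN. Exchange-type, flag and notify numbers are from RFC 2408; the sample packet is constructed.

```python
import struct
from dataclasses import dataclass

# ISAKMP fixed header (RFC 2408 section 3.1), network byte order: initiator
# cookie, responder cookie, next payload, version, exchange type, flags,
# message ID, total length.  28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
EXCH_MAIN = 2            # Identity Protection exchange, i.e. IKEv1 Main Mode
EXCH_AGGRESSIVE = 4
EXCH_INFORMATIONAL = 5
FLAG_ENCRYPTED = 0x01    # E bit: payloads after the header are encrypted
NO_PROPOSAL_CHOSEN = 14  # notify message type, RFC 2408 section 3.14.1

@dataclass
class IsakmpHeader:
    icookie: bytes
    rcookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int

def parse_header(packet: bytes) -> IsakmpHeader:
    """Decode the fixed header; reject truncated or inconsistent input."""
    if len(packet) < HDR.size:
        raise ValueError("short ISAKMP packet")
    hdr = IsakmpHeader(*HDR.unpack_from(packet))
    if hdr.length != len(packet):
        raise ValueError("header length does not match packet size")
    return hdr

def responder_actions(hdr: IsakmpHeader, accept_main: bool, accept_aggressive: bool,
                      log: bool = True, notify: bool = False) -> list:
    """Responder policy for the first phase 1 message: accept a configured mode,
    otherwise any combination of the three options the RFC permits."""
    if (hdr.exchange_type == EXCH_MAIN and accept_main) or \
       (hdr.exchange_type == EXCH_AGGRESSIVE and accept_aggressive):
        return ["accept"]
    actions = (["log INVALID-PROPOSAL"] if log else []) + \
              (["send NO-PROPOSAL-CHOSEN"] if notify else [])
    return actions or ["ignore"]

def initiator_should_abort(hdr: IsakmpHeader, notify_type: int) -> bool:
    """Initiator side: act on NO-PROPOSAL-CHOSEN only when it arrives encrypted
    under an existing SA (a rekey); an unprotected notify during the initial
    exchange could have been spoofed by anyone on the path, so it is ignored."""
    if hdr.exchange_type != EXCH_INFORMATIONAL or notify_type != NO_PROPOSAL_CHOSEN:
        return False
    return bool(hdr.flags & FLAG_ENCRYPTED)

# Constructed sample: first message of an Aggressive Mode exchange, no payloads,
# responder cookie still zero, version 1.0 (0x10).
SAMPLE_AGGRESSIVE = HDR.pack(b"\x01" * 8, b"\x00" * 8, 1, 0x10, EXCH_AGGRESSIVE, 0, 0, HDR.size)
```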
> If the cisco VPN client is offering both aggressive and main then the
> Netgear is wrong not to accept the aggressive-mode. If the cisco only
> sends aggressive then the Netgear is correct to reject it.
Stephen,
Thanks for your answer. Does this mean that there is no fall back from
Aggressive to Main mode possible? I hadn't appreciated that the initial
offer could contain both.
Paul DS.
Stephen J. Bevan 2007-09-19, 1:14 am
"Paul D.Smith" <paul_d_smith@x-hotmail.com> writes:
> Thanks for your answer. Does this mean that there is no fall back from
> Aggressive to Main mode possible?
There is no concept of a fall back from Aggressive to Main in
IKE/ISAKMP. The closest you can get to that is having the responder
configured to accept both modes. How that is configured is
implementation dependent.
> I hadn't appreciated that the initial offer could contain both.
Sorry, I got them the wrong way around (that's what I get for posting
early in the morning): as noted above it is the responder that can be
configured with both aggressive and main mode. The initiator can only
offer one, at least within a single negotiation. In theory the
initiator can offer both in the sense that it can try one (say
aggressive) and if it doesn't negotiate within some configurable limit
try the other. However, I'm not aware of such a client.
Paul D.Smith 2007-09-19, 7:14 am
....snip...
>
> Sorry, I got them the wrong way around (that's what I get for posting
> early in the morning): as noted above it is the responder that can be
> configured with both aggressive and main mode. The initiator can only
> offer one, at least within a single negotiation. In theory the
> initiator can offer both in the sense that it can try one (say
> aggressive) and if it doesn't negotiate within some configurable limit
> try the other. However, I'm not aware of such a client.
Stephen, thanks for clarifying. The background to this is that the Cisco
VPN Client with shared key tries Aggressive Mode but my Netgear DG834G only
supports Main Mode. Unfortunately the Netgear doesn't like the cisco offer
and the cisco doesn't like the Netgear response (to the extent that it drops
it, according to the logs) and keeps retrying the Aggressive Offer.
My "cunning plan" is to investigate whether there is a suitable response to
the Aggressive Mode offer that will make the cisco client then try Main
Mode. This is a vanity project and as much for my education as anything
else.
Thanks again, your answer should be very useful.
Paul DS.