Main Mode And Aggressive Mode; Aggressive Mode Negotiations - Juniper JUNOSE 11.0.X IP SERVICES Configuration Manual

For E Series Broadband Services Routers - IP Services Configuration

IKE is layered on UDP and uses UDP port 500 to exchange IKE information between
the security gateways. Therefore, UDP port 500 packets must be permitted on any
IP interface involved in connecting a security gateway peer.
The following sections expand on the IKE functionality available for the router.

Main Mode and Aggressive Mode

IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE
phase 2 negotiations. IKE uses one of two modes for phase 1 negotiations: main
mode or aggressive mode. The choice of main or aggressive mode is a matter of
tradeoffs. Some of the characteristics of the two modes are:

Main mode
- Protects the identities of the peers during negotiations and is therefore more
  secure.
- Enables greater proposal flexibility than aggressive mode.
- Is more time consuming than aggressive mode because more messages are
  exchanged between peers. (Six messages are exchanged in main mode.)

Aggressive mode
- Exposes identities of the peers to eavesdropping, making it less secure than
  main mode.
- Is faster than main mode because fewer messages are exchanged between
  peers. (Three messages are exchanged in aggressive mode.)
- Enables support for fully qualified domain names (FQDNs) when the router
  uses preshared keys.

The next section describes aggressive mode in more detail.

Aggressive Mode Negotiations

During aggressive mode phase 1 negotiations, the E Series router behaves as follows:
- When the router is the initiator, the router searches all policy rules to find those
  that allow aggressive mode. The router then selects the rule with the highest
  priority and uses the rule to initiate phase 1 negotiations. If there are no policy
  rules with aggressive mode allowed, the router selects the highest-priority rule
  that allows main mode.
- When the router is the responder, the negotiation depends on what the initiator
  proposes, as well as what is configured in the policy rules.

Table 13 on page 142 outlines the possible combinations of initiator proposals and
policy rules. As indicated, allowing aggressive mode in a policy rule allows negotiation
to take place no matter what the initiator requests.
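The exchange-type field of the ISAKMP header is what distinguishes the two phase 1 modes on the wire, so an operator auditing UDP port 500 traffic can use it to find peers that still negotiate in aggressive mode and therefore send their identities before encryption is enabled. The Python below is an added example, not code from the Juniper manual: the sample packets and addresses are constructed, the header layout and exchange-type values are those of RFC 2408/2409, and the per-mode message counts are the ones stated on this page.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# UDP port named on the page for IKE.
ISAKMP_PORT = 500

# ISAKMP exchange types (RFC 2408 section 3.1, RFC 2409 for main/aggressive).
EXCHANGE_TYPES: Dict[int, str] = {
    1: "base",
    2: "identity-protection (main mode)",
    3: "authentication-only",
    4: "aggressive",
    5: "informational",
    32: "quick mode (phase 2)",
}

# Phase 1 message counts as stated in the manual: six for main, three for aggressive.
PHASE1_MESSAGE_COUNT: Dict[int, int] = {2: 6, 4: 3}

FLAG_ENCRYPTED = 0x01  # ISAKMP header flags: bit 0 is the encryption bit


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major_version: int
    minor_version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the fixed 28-byte ISAKMP header that starts every IKE message."""
    if len(data) < 28:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28]
    )
    if length < 28:
        raise ValueError("ISAKMP length field smaller than header")
    return IsakmpHeader(ispi, rspi, next_payload, version >> 4, version & 0x0F,
                        exch, flags, msg_id, length)


def classify_phase1(hdr: IsakmpHeader) -> str:
    """Map an IKEv1 header to the phase 1 mode named on the page, or 'other'."""
    if hdr.major_version != 1:
        return "not-ikev1"
    if hdr.exchange_type == 2:
        return "main"
    if hdr.exchange_type == 4:
        return "aggressive"
    return "other"


def build_isakmp_header(exchange_type: int, initiator_spi: bytes,
                        responder_spi: bytes = bytes(8), flags: int = 0,
                        payload_len: int = 0) -> bytes:
    """Construct a header for the sample traffic below (version 1.0, next payload SA)."""
    return struct.pack("!8s8sBBBBII", initiator_spi, responder_spi, 1, 0x10,
                       exchange_type, flags, 0, 28 + payload_len)


# Constructed sample traffic: (source address, UDP payload). Not from a real capture.
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("192.0.2.10", build_isakmp_header(2, b"\x11" * 8)),                      # main mode, message 1
    ("192.0.2.20", build_isakmp_header(4, b"\x22" * 8)),                      # aggressive, message 1
    ("192.0.2.20", build_isakmp_header(4, b"\x22" * 8, b"\x33" * 8)),         # aggressive, later message
    ("192.0.2.30", build_isakmp_header(5, b"\x44" * 8, b"\x55" * 8, flags=FLAG_ENCRYPTED)),  # informational
]


def audit_ike_packets(packets: List[Tuple[str, bytes]]) -> List[dict]:
    """Summarise each IKE message: mode, position in the exchange, and identity exposure."""
    findings = []
    for src, data in packets:
        hdr = parse_isakmp_header(data)
        mode = classify_phase1(hdr)
        findings.append({
            "src": src,
            "mode": mode,
            "exchange": EXCHANGE_TYPES.get(hdr.exchange_type, "unknown"),
            # A zero responder SPI means the initiator's first message.
            "first_message": hdr.responder_spi == bytes(8),
            "expected_messages": PHASE1_MESSAGE_COUNT.get(hdr.exchange_type),
            # Aggressive mode carries the ID payloads in its unencrypted messages,
            # which is the identity exposure the manual warns about.
            "identity_in_clear": mode == "aggressive" and not hdr.flags & FLAG_ENCRYPTED,
        })
    return findings


def aggressive_peers(packets: List[Tuple[str, bytes]]) -> Set[str]:
    """Addresses that negotiated phase 1 in aggressive mode."""
    return {f["src"] for f in audit_ike_packets(packets) if f["mode"] == "aggressive"}


if __name__ == "__main__":
    for finding in audit_ike_packets(SAMPLE_PACKETS):
        print(finding)
    print("aggressive-mode peers:", sorted(aggressive_peers(SAMPLE_PACKETS)))
```

Run against a real capture, the same classification would be applied to the UDP payload of each port 500 datagram; the header parser deliberately stops at the fixed header, so it does not depend on any payload being intact.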
Chapter 5: Configuring IPSec
141
IKE Overview
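The initiator and responder behaviour described above, together with the one rule from Table 13 this page states, can be modelled to show a consequence worth checking in a policy review: because the initiator first searches for any rule allowing aggressive mode, a single low-priority rule with aggressive mode allowed makes the router initiate in aggressive mode even when higher-priority rules permit only main mode. The Python below is an added example, not code or configuration from the JUNOSe manual; the rule names and the numeric priority (larger value wins) are modelling assumptions, and the responder's rejection of an aggressive proposal under a main-mode-only rule is inferred from the text, since Table 13 itself is not on this page.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    name: str
    priority: int            # modelling assumption: a larger value means higher priority
    allow_main: bool
    allow_aggressive: bool


# Constructed rule set for the example; not taken from any JUNOSe configuration.
SAMPLE_RULES: List[PolicyRule] = [
    PolicyRule("corp-hq", priority=100, allow_main=True, allow_aggressive=False),
    PolicyRule("partner-a", priority=50, allow_main=True, allow_aggressive=False),
    PolicyRule("legacy-remote", priority=10, allow_main=True, allow_aggressive=True),
]


def select_initiator_rule(rules: List[PolicyRule]) -> Tuple[Optional[PolicyRule], Optional[str]]:
    """Initiator behaviour from the page: prefer the highest-priority rule that
    allows aggressive mode; only if none exists fall back to the highest-priority
    rule that allows main mode."""
    aggressive = [r for r in rules if r.allow_aggressive]
    if aggressive:
        return max(aggressive, key=lambda r: r.priority), "aggressive"
    main = [r for r in rules if r.allow_main]
    if main:
        return max(main, key=lambda r: r.priority), "main"
    return None, None


def responder_accepts(rule: PolicyRule, proposed_mode: str) -> bool:
    """Responder behaviour. The page states that a rule allowing aggressive mode
    lets negotiation proceed whatever the initiator proposes. The converse, that a
    main-mode-only rule accepts only a main mode proposal, is an inference here."""
    if rule.allow_aggressive:
        return True
    return proposed_mode == "main" and rule.allow_main


def rules_enabling_aggressive(rules: List[PolicyRule]) -> List[str]:
    """Review helper: every rule that would pull the initiator into aggressive mode."""
    return [r.name for r in rules if r.allow_aggressive]


def disable_aggressive(rules: List[PolicyRule]) -> List[PolicyRule]:
    """Hardened variant of a rule set with aggressive mode removed everywhere."""
    return [replace(r, allow_aggressive=False) for r in rules]


if __name__ == "__main__":
    rule, mode = select_initiator_rule(SAMPLE_RULES)
    print(f"as initiator: rule={rule.name} mode={mode}")
    print("rules enabling aggressive mode:", rules_enabling_aggressive(SAMPLE_RULES))
    rule, mode = select_initiator_rule(disable_aggressive(SAMPLE_RULES))
    print(f"after hardening: rule={rule.name} mode={mode}")
```

The model makes the review question concrete: `rules_enabling_aggressive` lists every rule that changes the initiator's behaviour, and the hardened set shows the router falling back to the highest-priority main mode rule once no rule allows aggressive mode.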
