May 23, 2012

IKEv1 Aggressive Mode vs. IKEv1 Main Mode

The question often comes up regarding the differences between IKE aggressive mode and IKE main mode. The answer is pretty simple. In this post we break down IKEv1 aggressive mode and main mode differences and provide a recommendation based on using the more scalable and more secure solution.

The Breakdown

Aggressive mode requires two exchanges totaling three messages, whereas Main mode requires three exchanges totaling six messages. If you're wondering what the difference is, or why you would even care, it all boils down to the level of security you desire. While the two offer the same services, it's Main mode that protects the identity of the communicating parties. Aggressive mode does not protect the identities of the communicating parties: the peers have to exchange their identity information before a secure SA exists, so it travels in the clear.
In the end, Main mode is slower because of the lengthier exchange. But alas, it is more secure.
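To make the identity-protection difference concrete, here is an added Python example (not part of the original post) that parses the ISAKMP header and walks the payload chain that is readable on the wire, so a defender reviewing UDP/500 traffic can tell a Main mode negotiation from an Aggressive mode one. The exchange and payload type numbers are the RFC 2408 values; the three sample messages are constructed for the example and are not captures.

```python
import struct

# Constants from RFC 2408: ISAKMP exchange types and payload types.
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTION = 0x01          # header flag bit: everything after the header is encrypted
HEADER_FMT = "!8s8sBBBBII"      # I-SPI, R-SPI, next payload, version, exchange, flags, msg ID, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_isakmp(packet):
    """Parse the ISAKMP header and list the payload types that are readable on the wire."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    i_spi, _r_spi, next_payload, _ver, exch_type, flags, _msg_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if length != len(packet):
        raise ValueError("ISAKMP length field does not match packet size")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads, offset = [], HEADER_LEN
    while not encrypted and next_payload != 0:
        # Generic payload header: next payload (1), reserved (1), payload length (2).
        if offset + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _res, plen = struct.unpack("!BBH", packet[offset:offset + 4])
        if plen < 4 or offset + plen > len(packet):
            raise ValueError("malformed payload length")
        payloads.append(PAYLOAD_TYPES.get(next_payload, "type%d" % next_payload))
        offset, next_payload = offset + plen, nxt
    return {"initiator_spi": i_spi.hex(), "exchange_type": exch_type,
            "exchange": EXCHANGE_TYPES.get(exch_type, "type%d" % exch_type),
            "encrypted": encrypted, "cleartext_payloads": payloads,
            "identity_in_clear": "ID" in payloads}


def build_isakmp(exch_type, payloads, flags=0):
    """Assemble a constructed ISAKMP message (sample data only, not a real negotiation)."""
    body = b""
    for idx, (_ptype, data) in enumerate(payloads):
        nxt = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack(HEADER_FMT, b"\xa1" * 8, b"\x00" * 8, first, 0x10, exch_type, flags, 0,
                         HEADER_LEN + len(body))
    return header + body


# Constructed first messages of each phase-1 mode, in the RFC 2409 payload order.
MAIN_MODE_MSG1 = build_isakmp(2, [(1, b"\x00" * 12)])                     # HDR, SA
AGGRESSIVE_MSG1 = build_isakmp(4, [(1, b"\x00" * 12), (4, b"\x00" * 32),   # HDR, SA, KE,
                                    (10, b"\x00" * 16), (5, b"\x01\x11\x00\x00" + b"10.0.0.1")])  # Ni, IDii
MAIN_MODE_MSG5 = build_isakmp(2, [(5, b"\x00" * 8), (8, b"\x00" * 16)],    # HDR*, {IDii, HASH_I};
                              flags=FLAG_ENCRYPTION)                       # zero bytes stand in for ciphertext
```

Running `parse_isakmp` over the three samples shows the ID payload readable only in the Aggressive mode message; in Main mode the identities appear in message 5, after the encryption flag is set.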

What Should I Do?

You may wish to disable IKEv1 aggressive mode. If you do, there is something else to consider: if you are using the Cisco IPsec VPN Client, you will no longer be able to authenticate using pre-shared keys. So, if you don't mind using digital certificates, then go for it.

To disable IKEv1 aggressive mode, enter the following:

crypto ikev1 am-disable

New Video: Comparing Crypto Maps and VTI’s Part 2

In this video I show the configuration of a site-to-site IPsec VPN using static VTI interfaces. I really like using this method because it's very straightforward in my eyes. You don't have to use ACLs to define what gets encrypted, but you can use them to filter what goes across the tunnel. Find more information on VTI interfaces at Cisco.com in the 12.4T documentation.


New Video: Comparing Crypto Maps and VTI’s Part 1

I'm trying something new here. I seem to do that a lot! Let me explain why. Basically, it takes too long to type up a full post and worry about all the screenshots and command line snippets to be able to get you good content quickly. And since the members area of Global Config is video focused, I have gotten quite a bit faster at creating videos and editing them. So, here is the first of what I hope will become a number of video tutorials.

This one covers Crypto Map configurations for a site-to-site VPN between two routers.  In the second video I’ll cover the VTI configuration for comparison.



Useful Links:
How to Configure IPSec VPN’s (Cisco.com)