Main Mode and Aggressive Mode

IKE phase 1 negotiations are used to establish IKE SAs. These SAs protect the IKE phase 2 negotiations. IKE uses one of two modes for phase 1 negotiations: main mode or aggressive mode. The choice of main or aggressive mode is a matter of tradeoffs. Some of the characteristics of the two modes are:

• Main mode
  • Protects the identities of the peers during negotiations and is therefore more secure.
  • Enables greater proposal flexibility than aggressive mode.
  • Is more time consuming than aggressive mode because more messages are exchanged between peers. (Six messages are exchanged in main mode.)
• Aggressive mode
  • Exposes identities of the peers to eavesdropping, making it less secure than main mode.
  • Is faster than main mode because fewer messages are exchanged between peers. (Three messages are exchanged in aggressive mode.)
  • Enables support for fully qualified domain names (FQDNs) when the router uses preshared keys.

The next section describes aggressive mode in more detail.

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.