Aggressive mode

An Aggressive mode exchange consists of three messages, as shown in Figure 1.
Figure 1. Aggressive mode exchange
In Aggressive mode, the initiator (server A) exchanges three messages with the responder (server B). A sends one message to B that contains an ISAKMP SA, key generation information, and identity information. A then receives one message from B that contains an ISAKMP SA, key generation information, identity information, and authentication information. Finally, A sends the third message, containing identity and authentication information, to B.
Aggressive mode exchanges the same information as Main mode, with the following exceptions:
  • In Aggressive mode, the initiator can send only one proposal. In Main mode, the initiator can send a list of proposals.
  • In Aggressive mode, only three messages are exchanged instead of six messages as in Main mode.
    • Message 1 of Aggressive mode contains all the information that was contained in messages 1 and 3 of Main mode, plus the identity information sent in message 5 of Main mode.
    • Message 2 of Aggressive mode contains all the information sent in messages 2, 4, and 6 of Main mode.
    • Message 3 of Aggressive mode contains the authentication information that was contained in message 5 of Main mode.
  • In Aggressive mode, no messages are required to be encrypted. Message 3 can be sent encrypted, but doing so provides little additional protection. In Main mode, messages 5 and 6 are required to be encrypted. The ISAKMP servers send their identity in messages 5 or 6 of Main mode. The result is that Main mode protects the identity of the ISAKMP servers while Aggressive mode does not.

Aggressive mode provides a mechanism to exchange certificates when signature-based authentication is used. This mechanism is not shown in Figure 1 but works in the following way. In message 2, the responding ISAKMP server can include the certificate it used to create its signature. In message 3, the initiating ISAKMP server can include the certificate it used to create its signature. Inclusion of the certificates is optional unless the peer of the ISAKMP server explicitly requests that the certificate be sent.
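The practical consequence of the difference described above is visible on the wire: in Aggressive mode the identity payload travels in message 1 and message 2 with the encryption flag clear, whereas in Main mode it only appears inside the encrypted messages 5 and 6. The following added example (not part of this documentation or of any product's code) parses the ISAKMP header and payload chain as defined in RFC 2408, classifies the exchange type, and reports whether an identity payload is observable in cleartext. The message contents it builds (cookies, SA, KE, nonce and ID bodies) are constructed sample values, and the encrypted Main mode message is modelled simply by setting the encryption flag; a real message 5 would carry ciphertext after the header.

```python
import struct

# ISAKMP header exchange types (RFC 2408, section 3.1)
EXCHANGE_TYPES = {2: "Identity Protection (Main mode)", 4: "Aggressive"}

# ISAKMP payload types (RFC 2408, section 3.1); 0 terminates the chain
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 13: "VID"}

FLAG_ENCRYPTION = 0x01      # header flags bit 0: payloads after the header are encrypted
HEADER_LEN = 28             # 8+8 cookies, next payload, version, exchange type, flags, msg ID, length
PAYLOAD_HDR_LEN = 4         # generic payload header: next payload, reserved, length


def build_message(exchange_type, payloads, flags=0):
    """Assemble an ISAKMP message from a list of (payload_type, body) pairs."""
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        next_ptype = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_ptype, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII",
                         b"\x11" * 8,          # initiator cookie (constructed value)
                         b"\x00" * 8,          # responder cookie, zero until B answers
                         first, 0x10,          # next payload, version 1.0
                         exchange_type, flags,
                         0,                    # message ID is 0 for phase 1
                         HEADER_LEN + len(body))
    return header + body


def parse_message(data):
    """Parse the header and, when not encrypted, walk the payload chain."""
    if len(data) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    (_icookie, _rcookie, next_p, _version, xtype, flags,
     _msg_id, length) = struct.unpack("!8s8sBBBBII", data[:HEADER_LEN])
    if length != len(data):
        raise ValueError("header length does not match message size")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads = []
    offset = HEADER_LEN
    if not encrypted:
        while next_p != 0:
            if offset + PAYLOAD_HDR_LEN > len(data):
                raise ValueError("truncated payload header")
            np_, _res, plen = struct.unpack("!BBH", data[offset:offset + PAYLOAD_HDR_LEN])
            if plen < PAYLOAD_HDR_LEN or offset + plen > len(data):
                raise ValueError("bad payload length")
            payloads.append((PAYLOAD_TYPES.get(next_p, f"type {next_p}"),
                             data[offset + PAYLOAD_HDR_LEN:offset + plen]))
            offset += plen
            next_p = np_
    return {"exchange": EXCHANGE_TYPES.get(xtype, f"type {xtype}"),
            "encrypted": encrypted, "payloads": payloads}


def assess(data):
    """Add a verdict on whether the peer identity is exposed in cleartext."""
    info = parse_message(data)
    names = [name for name, _ in info["payloads"]]
    info["identity_in_clear"] = ("ID" in names) and not info["encrypted"]
    return info


# Constructed sample messages (bodies are placeholders, not real IKE encodings)
SA_BODY = b"\x00\x00\x00\x01" + b"\x00" * 8
KE_BODY = b"\xaa" * 16
NONCE_BODY = b"\xbb" * 8
ID_BODY = struct.pack("!BBH", 2, 0, 0) + b"vpn-gw.example.net"   # ID type 2 = FQDN


def sample_aggressive_message1():
    return build_message(4, [(1, SA_BODY), (4, KE_BODY), (10, NONCE_BODY), (5, ID_BODY)])


def sample_main_message1():
    return build_message(2, [(1, SA_BODY)])


def sample_main_message5():
    # Identity payload present, but the encryption flag marks it as protected
    return build_message(2, [(5, ID_BODY), (8, b"\xcc" * 16)], flags=FLAG_ENCRYPTION)


if __name__ == "__main__":
    for label, msg in (("Aggressive msg 1", sample_aggressive_message1()),
                       ("Main msg 1", sample_main_message1()),
                       ("Main msg 5", sample_main_message5())):
        verdict = assess(msg)
        print(f"{label}: {verdict['exchange']}, payloads={[n for n, _ in verdict['payloads']]}, "
              f"identity_in_clear={verdict['identity_in_clear']}")
```

Run over captured UDP/500 payloads, the `identity_in_clear` field gives a monitoring rule a direct signal that an Aggressive mode negotiation has exposed a peer identity, which is exactly the property Main mode's encrypted messages 5 and 6 preserve.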