In the Chinese commercial cryptography standard GM/T 0022-2014, IPSec VPN Technical Specification, the exchange type field of the IKE process is defined with the value 2 for main mode and the value 32 for quick mode. The standard allocates no exchange type with the value 4. In practice, however, the exchange type seen in the first phase of IKE is often 4, which is the so-called aggressive mode. (These numbers are the ISAKMP exchange type values of RFC 2408, where 2 is Identity Protection, i.e. main mode, and 4 is Aggressive; 32 is the IPsec DOI value for Quick Mode from RFC 2409.)
The difference between main mode and aggressive mode in the first phase of IKE is that aggressive mode needs only 3 message exchanges, compared with 6 for main mode; the Chinese term for it literally means "barbaric mode" for that reason. Main mode has been analyzed in detail before; here we take a closer look at aggressive mode.
| Mode | Message | Payloads |
|---|---|---|
| Main mode (6 messages) | (1) | HDR, SA |
| | (2) | HDR, SA, Cert_sig_r, Cert_enc_r |
| | (3) | HDR, XCHi, SIGi |
| | (4) | HDR, XCHr, SIGr |
| | (5) | HDR*, HASHi |
| | (6) | HDR*, HASHr |
| Aggressive mode (3 messages) | (1) | HDR, SA, KEi, Ni, IDi |
| | (2) | HDR, SA, KEr, Nr, IDr, Cert_r, SIGr |
| | (3) | HDR*, HASH |

(HDR* denotes a message whose payloads are encrypted, i.e. the encryption flag in the ISAKMP header is set.)
Because aggressive mode passes so few messages, each one must carry more content. Message 1 is sent by the initiator and contains, besides the HDR header and the SA, the Key Exchange (KEi), Nonce (Ni) and Identification (IDi) payloads. The security-relevant consequence is that the initiator's identity is sent in the clear in the very first message, before any key material has been agreed; in main mode the first message carries only the SA.
Message 2 is sent by the responder: HDR and SA first, then KEr, Nr, IDr, the responder's certificate(s) (Cert_r, i.e. Cert_sig_r / Cert_enc_r) and the signature SIGr. Once messages 1 and 2 have completed identity authentication and parameter exchange, the working keys are derived, and encryption begins with message 3.
Message 3 is the first encrypted message (HDR*); it carries a HASH so that both sides can confirm that they have derived consistent keys. One caveat for anyone comparing captures against RFC 2409: there, the third aggressive-mode message is HDR, [CERT,] SIG_I sent in the clear when signatures are used for authentication, and HDR*, HASH_I only in the public-key-encryption variants. The HDR*, HASH form shown here therefore means the encryption flag is already set in the header of message 3, and only the header remains readable on the wire.
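The following is an added example (not code from the page or from the GM/T 0022-2014 standard) that shows the two points above in working code: how the exchange type and the payload chain of an IKEv1/ISAKMP message are read from the wire, how a message with exchange type 4 is flagged as outside what GM/T 0022-2014 allocates, and why aggressive-mode message 1 leaks the initiator's identity while the HDR* message 3 exposes only its header. It uses the fixed ISAKMP header and generic payload header layout of RFC 2408; the sample messages, cookies and payload bodies are constructed stand-ins (no real SM2/SM4 material), and `build_message`, `parse_message`, `allowed_by_gmt0022` and `cleartext_identity` are names chosen for this example.

```python
import struct

# ISAKMP exchange types (RFC 2408, section 3.1). GM/T 0022-2014 allocates
# only 2 (main mode) and 32 (quick mode); value 4 (aggressive mode) is not
# in that standard, yet it is what phase 1 often shows in practice.
EXCHANGE_TYPES = {2: "main mode", 4: "aggressive mode", 32: "quick mode"}
GMT0022_EXCHANGE_TYPES = {2, 32}

# ISAKMP payload type numbers (RFC 2408, section 3.1); only those used here.
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 6: "CERT",
                 8: "HASH", 9: "SIG", 10: "NONCE", 13: "VID"}
FLAG_ENCRYPTION = 0x01  # set in the header flags => the "HDR*" form

# Header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (RFC 2408, section 3.1).
HDR_FMT = "!8s8sBBBBII"
HDR_LEN = struct.calcsize(HDR_FMT)  # 28 bytes
ZERO_COOKIE = b"\x00" * 8


def build_message(exchange_type, payloads, flags=0, rcookie=ZERO_COOKIE, msgid=0):
    """Serialise one ISAKMP message; payloads is a list of (type_number, body)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        # Generic payload header: next payload, reserved, length incl. header.
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    icookie = b"\x11" * 8  # constructed value; real cookies are random
    hdr = struct.pack(HDR_FMT, icookie, rcookie, first, 0x10,  # version 1.0
                      exchange_type, flags, msgid, HDR_LEN + len(body))
    return hdr + body


def parse_message(data):
    """Decode the header and, when the message is not HDR*, walk the payload chain."""
    if len(data) < HDR_LEN:
        raise ValueError("short ISAKMP header")
    _, _, nxt, _, xchg, flags, _, length = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if length != len(data):
        raise ValueError("header length does not match message size")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    first_payload = PAYLOAD_TYPES.get(nxt, "type%d" % nxt)
    payloads = []  # (type_name, body) in chain order
    off = HDR_LEN
    # The header is never encrypted, so the first payload type is always
    # visible; the chain itself can only be walked when the flag is clear.
    while nxt != 0 and not encrypted:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        pnext, _, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append((PAYLOAD_TYPES.get(nxt, "type%d" % nxt), data[off + 4:off + plen]))
        nxt, off = pnext, off + plen
    return {"exchange_type": xchg,
            "exchange": EXCHANGE_TYPES.get(xchg, "unknown(%d)" % xchg),
            "encrypted": encrypted, "first_payload": first_payload,
            "payloads": payloads}


def allowed_by_gmt0022(msg):
    """True only for the exchange types GM/T 0022-2014 actually allocates."""
    return msg["exchange_type"] in GMT0022_EXCHANGE_TYPES


def cleartext_identity(msg):
    """Return (id_type, id_data) if an ID payload travels unencrypted, else None."""
    if msg["encrypted"]:
        return None
    for name, body in msg["payloads"]:
        if name == "ID" and len(body) >= 4:
            # RFC 2407 section 4.6.2: ID type, protocol ID, port, then data.
            return body[0], body[4:]
    return None


# Constructed sample payload bodies (dummy contents, not real key material).
_SA = b"\x00\x00\x00\x01" + b"\x00" * 8                     # DOI, situation, stub proposal
_KE = b"\x04" * 64                                          # stand-in public value
_NONCE = b"\x07" * 16
_ID_IPV4 = b"\x01\x00\x00\x00" + bytes([192, 168, 1, 1])   # ID_IPV4_ADDR 192.168.1.1


def aggressive_message_1():
    """HDR, SA, KEi, Ni, IDi (exchange type 4): identity in the clear."""
    return build_message(4, [(1, _SA), (4, _KE), (10, _NONCE), (5, _ID_IPV4)])


def aggressive_message_3():
    """HDR*, HASH (exchange type 4): body stands in for ciphertext."""
    return build_message(4, [(8, b"\x09" * 32)], flags=FLAG_ENCRYPTION,
                         rcookie=b"\x22" * 8)


def main_mode_message_1():
    """HDR, SA (exchange type 2): nothing but the proposal is exposed."""
    return build_message(2, [(1, _SA)])


if __name__ == "__main__":
    for label, raw in (("aggressive msg1", aggressive_message_1()),
                       ("aggressive msg3", aggressive_message_3()),
                       ("main mode msg1", main_mode_message_1())):
        m = parse_message(raw)
        print(label, m["exchange"], [p for p, _ in m["payloads"]],
              "GM/T 0022 allowed:", allowed_by_gmt0022(m),
              "cleartext ID:", cleartext_identity(m))
```

Running the script prints that aggressive-mode message 1 is not an exchange type GM/T 0022-2014 allocates and yields the initiator's IPv4 identity straight from the wire, while message 3 reveals only that its first payload is a HASH. The same header decode, applied to captured UDP/500 traffic, is the practical check for detecting aggressive-mode negotiations on a network that is supposed to run only the standard's main mode and quick mode.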