User guide

122 Chapter 4. Configuring Special Features
Main Mode and Aggressive Mode
The router supports two Phase 1 IKE modes: main mode and aggressive mode. These modes apply only to the
Phase 1 negotiations, not to the ensuing data transmission.
Main mode is used when both source and destination IP addresses are known. In main mode, only two options
require definition initially: the remote peer IP address and the shared secret.
Aggressive mode is used when either the source or destination IP address could change, as with a remote modem
or DSL connection. In aggressive mode, additional information must be specified at the beginning of a session.
This additional information includes the remote gateway's IP address, the local and remote peer IDs, and an ID
type. This information is checked against the router's Security Association (SA) database. If a match is found, a
tunnel session can be established.
Additional IKE Settings
In addition to the peer identification and shared secret described earlier, IKE requires that the router be configured
with the following information:
• Session authentication
• Phase 1 IKE message authentication
• Phase 1 IKE message encryption
• One of the following for each IKE proposal:
  - IPSec AH packet authentication
  - IPSec ESP data authentication
  - IPSec ESP data encryption
  - IPSec ESP data authentication and data encryption
• Diffie-Hellman key generation group
• IPSec policy (filter) setup
• Policy and peer associations
• Policy and proposal associations
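The two Phase 1 modes and the settings in the list above map onto a small number of configuration items on any IKEv1 gateway. The following is an added example written for strongSwan's ipsec.conf and ipsec.secrets syntax; it is not the router's own configuration format, and all addresses, subnets, IDs and secrets are constructed values. The first connection is main mode between two fixed-address gateways; the second is aggressive mode for a peer on a dynamic (modem or DSL) address, which is therefore selected by its ID and ID type rather than by its IP address.

```ini
# /etc/ipsec.conf (strongSwan, IKEv1). Added example, not the router's own syntax.
config setup

# Main mode: both gateways have fixed public addresses, so the peer is
# identified by IP address and only the address and shared secret are needed.
conn site-to-site-main
    keyexchange=ikev1
    aggressive=no                 # main mode (the default)
    authby=secret                 # session authentication: pre-shared key
    left=198.51.100.10            # this gateway, fixed address (constructed)
    leftsubnet=10.1.0.0/24        # local IPSec policy (filter) network
    right=203.0.113.20            # remote peer, fixed address (constructed)
    rightsubnet=10.2.0.0/24       # remote IPSec policy (filter) network
    ike=aes256-sha256-modp2048!   # Phase 1: encryption, message authentication, DH group 14
    esp=aes256-sha256!            # IKE proposal: ESP data encryption and data authentication
    auto=start

# Aggressive mode: the remote peer's address can change, so the SA lookup is
# done on the peer IDs (here an FQDN and an e-mail address) instead of the IP.
conn branch-aggressive
    keyexchange=ikev1
    aggressive=yes
    authby=secret
    left=198.51.100.10
    leftid=@gw.example.com        # local peer ID, ID type: domain name (FQDN)
    leftsubnet=10.1.0.0/24
    right=%any                    # remote address not known in advance
    rightid=branch@example.com    # remote peer ID, ID type: e-mail address
    rightsubnet=10.3.0.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    auto=add                      # wait for the dynamic-address peer to initiate

# /etc/ipsec.secrets (constructed secrets). Main mode keys the PSK on the peer
# addresses; aggressive mode keys it on the peer IDs exchanged in Phase 1.
# 198.51.100.10 203.0.113.20 : PSK "constructed-main-mode-secret"
# @gw.example.com branch@example.com : PSK "constructed-aggressive-mode-secret"
```

The `ike=` line carries the three Phase 1 items from the list (encryption, message authentication, Diffie-Hellman group) and `esp=` carries the Phase 2 proposal; `leftsubnet`/`rightsubnet` are the policy filters, and the `conn` block itself is the policy-to-peer and policy-to-proposal association. Aggressive mode with a pre-shared key sends the peer identities in the clear and lets an observer attempt offline guessing of the PSK, so use it only where the address really is dynamic and pair it with a long, random secret.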
Phase 1 IKE, Main Mode (figure): Router (fixed IP address) to Router (fixed IP address), sharing a shared secret.
Phase 1 IKE, Aggressive Mode (figure): Router (fixed IP address) to Router, sharing a shared secret and a known ID (e-mail address or domain name).