Page 51 of VPN-1.pdf, under the Docs catalogue of the CD, has the following article:
Phase I modes
VPN-1 supplies two modes for IKE phase I between Gateways:
• Main Mode
• Aggressive Mode
If aggressive mode is not selected, VPN-1 defaults to main mode, performing the IKE negotiation using six packets; aggressive mode performs the IKE negotiation with three packets.
Main mode is preferred because:
• Main mode is partially encrypted, from the point at which the shared DH key is known to both peers.
• Main mode is less susceptible to Denial of Service (DoS) attacks. In main mode, the DH computation is performed after authentication. In aggressive mode, the DH computation is performed parallel to authentication. A peer that is not yet authenticated can force processor intensive Diffie-Hellman computations on the other peer. (For more information on IKE DoS attacks, see: "IKE DOS Protection")
Note - Aggressive mode is provided for backwards compatibility with pre-NG remote access clients. Also use aggressive mode when a VPN-1 Gateway needs to negotiate with third party VPN solutions that do not support main mode.
According to the suggestion on page 56 of VPN-1.pdf (as follows), I configured IKE phase I in aggressive mode, but the log records in SmartView Tracker show Main mode authentication. Why is this??? How should IKE phase I be configured so that it works in aggressive mode? I urgently need the configuration method.
Configuring Advanced IKE Properties
IKE is configured in two places:
• On the VPN community network object (for IKE properties).
• On the Gateway network object (for subnet key exchange).
On the VPN Community Network Object
1 On the VPN Properties page, select:
• Encryption methods for IKE phase I and II
• Integrity methods for IKE phase I and II
2 On the Advanced Properties page, select:
• Which Diffie-Hellman group to use.
• When to renegotiate the IKE Security Associations.
• Whether to use aggressive mode (Main mode is the default).
• Whether to use Perfect Forward Secrecy, and with which Diffie-Hellman group.
• When to renegotiate the IPSec security associations.
Both sides must support aggressive mode or it will not work.
Nobody that I know of uses "aggressive mode" anymore. It is a security risk that you must avoid. Cisco IOS and PIX firewalls also support main mode. In fact, you should use "main mode" when setting up a site-to-site VPN when talking to a non-Checkpoint firewall.
What you posted looks correct. If you want to use aggressive mode, just check the box. I tested it with a site-to-site VPN between Checkpoint firewalls with aggressive mode enabled and it works.
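The thread turns on which phase I mode the peers actually negotiated, which the ISAKMP header on UDP/500 records directly: exchange type 2 is Identity Protection (main mode, six messages, encrypted from message 5 once the DH key is shared) and exchange type 4 is Aggressive (three messages). The following added example (not from the VPN-1 documentation or any poster; it assumes a capture of one phase I exchange and builds constructed sample headers rather than reading a real pcap) parses those headers so a packet trace can be checked against what SmartView Tracker reports.

```python
import struct

# ISAKMP exchange types (RFC 2408, section 3.1); IKEv1 phase I uses 2 or 4.
EXCHANGE_TYPES = {0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
HEADER_LEN = 28        # fixed ISAKMP header size in bytes
FLAG_ENCRYPTION = 0x01  # E bit: payloads after the header are encrypted

def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header (UDP/500; strip the 4-byte
    non-ESP marker first if the packet arrived on UDP/4500)."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _nxt, ver, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN])
    return {"initiator_spi": icookie.hex(), "responder_spi": rcookie.hex(),
            "version": (ver >> 4, ver & 0x0F), "exchange_code": exch,
            "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
            "encrypted": bool(flags & FLAG_ENCRYPTION),
            "message_id": msg_id, "length": length}

def summarize_phase1(packets: list[bytes]) -> dict:
    """Classify one captured phase I exchange (message ID 0): which mode the
    peers used, how many messages it took, and where the E bit first appears."""
    hdrs = [h for h in map(parse_isakmp_header, packets) if h["message_id"] == 0]
    codes = {h["exchange_code"] for h in hdrs}
    if len(codes) != 1:
        raise ValueError(f"mixed exchange types in one phase I: {codes}")
    code = codes.pop()
    first_enc = next((i + 1 for i, h in enumerate(hdrs) if h["encrypted"]), None)
    return {"mode": EXCHANGE_TYPES.get(code, f"unknown({code})"),
            "messages": len(hdrs), "first_encrypted_message": first_enc}

def _hdr(exch: int, flags: int = 0) -> bytes:
    """Constructed sample header: fixed cookies, next payload SA, IKEv1, no body."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                       1, 0x10, exch, flags, 0, HEADER_LEN)

# Constructed captures: six-message main mode (messages 5 and 6 encrypted)
# and three-message aggressive mode, as the quoted VPN-1 text describes.
MAIN_MODE_CAPTURE = [_hdr(2)] * 4 + [_hdr(2, FLAG_ENCRYPTION)] * 2
AGGRESSIVE_CAPTURE = [_hdr(4)] * 3

if __name__ == "__main__":
    for name, cap in (("main", MAIN_MODE_CAPTURE), ("aggressive", AGGRESSIVE_CAPTURE)):
        print(name, summarize_phase1(cap))
```

To use it on a real trace, feed the UDP payloads of the phase I packets (same cookie pair) to summarize_phase1; a result of "Identity Protection (Main Mode)" with six messages confirms the peers fell back to main mode regardless of the checkbox.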