If the Use Aggressive Mode check box in the IKE Properties dialogue box is enabled:
A. The standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange.
B. The standard three-packet IKE Phase 2 exchange is replaced by a six-packet exchange.
C. The standard three-packet IKE Phase 1 exchange is replaced by a six-packet exchange.
D. The standard six-packet IKE Phase 2 exchange is replaced by a three-packet exchange.
E. The standard three-packet IKE Phase 3 exchange is replaced by a six-packet exchange.
Explanation:
ISAKMP Phase 1: SA Negotiation
In Phase 1 of the SA negotiation, the firewalls involved in the VPN negotiate an SA that is used to encrypt and authenticate Phase 2 exchanges. Phase 1 is a CPU-intensive process, and by default VPN-1 performs it only once every 1,440 minutes (24 hours). VPN-1 supports two modes for Phase 1: aggressive mode, which exchanges three packets, and main mode (the default mode in NG), in which six packets are exchanged. The three-packet difference is due to a cookie exchange that precedes the actual SA negotiation. The cookie exchange identifies the parties involved in the VPN, thus preventing man-in-the-middle attacks (to which the Diffie-Hellman key exchange is vulnerable). The SA that is negotiated includes the keys, authentication, and encryption methods. Phase 1 negotiates the following:
- The encryption algorithm (the choices are DES, 3DES, AES, and CAST)
- The hash algorithm (the choices are MD5 or SHA1)
- The Diffie-Hellman group (the choices are Group 1, 2, or 5). The addition of DH group choices in NG increases the likelihood that a VPN tunnel can be established with non-Check Point firewalls.
Diffie-Hellman groups are used to determine the length of the base prime numbers used during the key exchange. The strength of any key derived depends in part on the strength of the Diffie-Hellman group on which the prime numbers are based. The larger the group, the stronger the key, but, conversely, the more CPU-intensive the computation.

The second step in Phase 1 is the exchange of public keys and the use of the Diffie-Hellman key calculation to generate the shared secret key. The shared secret key is used to authenticate each firewall's identity. This is accomplished by hashing and encrypting the firewall's identity with the shared secret key. If the identity of each firewall is authenticated, then we move on to Phase 2.
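The second Phase 1 step described above (public-value exchange, Diffie-Hellman shared-secret derivation, then a keyed hash of each firewall's identity), as an added example that is not from the page or from VPN-1 itself. It assumes the RFC 2409 group 2 prime (the 1024-bit MODP group) and uses HMAC-SHA1 as the stand-in for "hashing the identity with the shared secret"; the gateway identities and the Miller-Rabin self-check of the group prime are this example's own additions.

```python
import hashlib
import hmac
import secrets

# RFC 2409 IKE Diffie-Hellman group 2: 1024-bit MODP prime, generator 2. Groups 1 and 5
# are built the same way with 768-bit and 1536-bit primes, hence the CPU cost difference.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test (n odd, n > 3): validate the group prime before trusting it."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

class Peer:
    """One VPN gateway in the Phase 1 exchange; the identity is a constructed label."""
    def __init__(self, identity, p=GROUP2_P, g=GROUP2_G):
        self.identity, self.p = identity, p
        self._priv = secrets.randbelow(p - 2) + 1   # private exponent, never leaves the peer
        self.pub = pow(g, self._priv, p)            # public value sent in the key exchange

    def shared_secret(self, peer_pub):
        if not 1 < peer_pub < self.p - 1:           # reject degenerate public values
            raise ValueError("invalid peer public value")
        return pow(peer_pub, self._priv, self.p).to_bytes((self.p.bit_length() + 7) // 8, "big")

def identity_proof(secret, identity):
    """The page's authentication step: hash the identity keyed with the shared secret."""
    return hmac.new(secret, identity, hashlib.sha1).digest()

def verify_peer(verifier, peer_pub, peer_identity, proof):
    """Recompute the proof from the verifier's own copy of the secret; constant-time compare."""
    expected = identity_proof(verifier.shared_secret(peer_pub), peer_identity)
    return hmac.compare_digest(expected, proof)
```

A proof only verifies when the claimed identity and the public value it was bound to both match, so a peer presenting another gateway's name, or a different key pair under the same name, is rejected.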