How to avoid aggressive mode being detected in penetration testing

Aruba Employee


A Master-Local or Master-Standby setup builds an IPsec tunnel for communication between the controllers. By default it uses IKEv1 with aggressive mode as the first exchange. A penetration test that detects aggressive mode reports it as a security flaw. To avoid this, delete the statement below from the controller configuration.




If an IKE default shared key is defined, the pen test detects aggressive mode (Advanced Services >> VPN Services >> IPSEC >> IKE Shared Secret).

Running a pen test with ike-scan, a tool freely available on the web, gives the following results.

With key:
[root@localhost ike-scan-1.9]# ike-scan -A
Starting ike-scan 1.9 with 1 hosts (    Aggressive Mode Handshake returned HDR=(CKY-R=b2864bc1d8e9742d) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value= Hash(20 bytes)
Ending ike-scan 1.9: 1 hosts scanned in 0.196 seconds (5.11 hosts/sec).  1 returned handshake; 0 returned notify
Without key:
[root@localhost ike-scan-1.9]# ike-scan -A
Starting ike-scan 1.9 with 1 hosts (
Ending ike-scan 1.9: 1 hosts scanned in 2.439 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
[root@localhost ike-scan-1.9]#
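As an added verification aid (not part of the original article), the Python below parses ike-scan -A output of the kind shown above and reports whether the controller still answered an aggressive-mode proposal with pre-shared-key authentication. Run it after removing the IKE shared secret to confirm the finding is gone. The two sample transcripts are reconstructed from the article's output (the host address was elided there as well); the function and class names are this example's own.

```python
"""Classify ike-scan -A output: did the host answer an IKEv1 aggressive-mode
proposal, and with which SA parameters?  Added example; the sample strings
below are constructed from the article's transcript, not captured live."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the "with key" run from the article.  The "\\n" inside
# the second VID is the literal backslash-n that ike-scan prints for that VID.
WITH_KEY = """\
Starting ike-scan 1.9 with 1 hosts (    Aggressive Mode Handshake returned HDR=(CKY-R=b2864bc1d8e9742d) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\\n) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value= Hash(20 bytes)
Ending ike-scan 1.9: 1 hosts scanned in 0.196 seconds (5.11 hosts/sec).  1 returned handshake; 0 returned notify
"""

# Constructed sample: the "without key" run from the article.
WITHOUT_KEY = """\
Starting ike-scan 1.9 with 1 hosts (
Ending ike-scan 1.9: 1 hosts scanned in 2.439 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
"""

SUMMARY_RE = re.compile(r"(\d+) returned handshake; (\d+) returned notify")
VID_RE = re.compile(r"VID=([0-9a-fA-F]+) \(([^)]*)\)")


@dataclass
class IkeScanResult:
    handshakes: int = 0
    notifies: int = 0
    aggressive_mode: bool = False
    sa: dict = field(default_factory=dict)          # Enc, Hash, Auth, Group, ...
    vendor_ids: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def finding(self) -> Optional[str]:
        """Finding text a report would carry, or None when the host stayed quiet."""
        if not self.aggressive_mode:
            return None
        if self.sa.get("Auth") == "PSK":
            return "IKEv1 aggressive mode with pre-shared key answered"
        return "IKEv1 aggressive mode answered (Auth=%s)" % self.sa.get("Auth", "?")


def _balanced(text: str, marker: str) -> Optional[str]:
    """Return the text inside the parentheses that `marker` opens, honouring
    nested parentheses such as LifeDuration(4)=... inside SA=(...)."""
    start = text.find(marker)
    if start < 0:
        return None
    open_idx = start + len(marker) - 1      # marker ends with "("
    depth = 0
    for j in range(open_idx, len(text)):
        if text[j] == "(":
            depth += 1
        elif text[j] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:j]
    return None


def parse_ike_scan(output: str) -> IkeScanResult:
    """Parse one ike-scan -A run (single host) into an IkeScanResult."""
    result = IkeScanResult()
    m = SUMMARY_RE.search(output)
    if m:
        result.handshakes, result.notifies = int(m.group(1)), int(m.group(2))
    result.aggressive_mode = "Aggressive Mode Handshake returned" in output
    sa_body = _balanced(output, "SA=(")
    if sa_body:
        for token in sa_body.split():           # e.g. "Auth=PSK"
            key, _, value = token.partition("=")
            result.sa[key] = value
    result.vendor_ids = VID_RE.findall(output)
    return result


if __name__ == "__main__":
    for label, sample in (("with key", WITH_KEY), ("without key", WITHOUT_KEY)):
        r = parse_ike_scan(sample)
        print(label, "->", r.finding or "no aggressive-mode response")
```

The parser keys off the "Aggressive Mode Handshake returned" marker and the Auth value in the SA payload rather than only the "returned handshake" count, so a host that answers in main mode is not misreported as the finding this article is about.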

Version history: revision 1 of 1, last update 07-03-2014 01:59 PM.

Is there any chance that VIA uses this shared secret? I've removed this line, passed our security team scan, and now I'm struggling with my Mac VIA client immediately disconnecting.
