Wired Intelligent Edge (Campus Switching and Routing)

Aruba Employee

Switch from ipsec aggressive-mode to main-mode, rap3.



IKEv1 aggressive mode is flagging on our pen-testing for our RAP3's. We'd like to switch to IKEv2 or otherwise disable aggressive mode. 


Anyone have any experience with this? Is it as simple as disableing it in CLI, and the built in certificates will take over? 


The primary and secondary controller public IP's are static, the remote endpoints are residential DHCP, if that helps. 

MVP Guru

Re: Switch from ipsec aggressive-mode to main-mode, rap3.

What is the actual problem? As far as I know, having IKEv1 Aggressive mode is not a problem by itself, only if you use PSK authentication with weak PSK.


Automated scanning tools, that many auditors use, are known to provide false positives. They detect an enabled feature or use version information to make assumptions that are not true in all circumstances. So first step is to find out if it is a real security vulnerability in this situation. If you use the certificate-based authentication with the TPM certificate, there is no way to brute-force the PSK in IKEv1 as there is no PSK in that case. As far as I see, even if you use a long-random PSK, the risk is limited.


Please first work with the auditor, and then with Aruba TAC to get a solution.


If you, or your auditors, think to have found a vulnerability, please contact the Aruba Security Incident Response team to report.

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Aruba Employee

Re: Switch from ipsec aggressive-mode to main-mode, rap3.

Trying to disable IKEv1 aggressive mode due to inherrent vulnerability in 'aggressive' handshake. Looked over documentation and AP status and saw that everything is using IKEV2, so I went ahead and disabled aggressive mode via CLI. Should be resolved. 

Search Airheads
Showing results for 
Search instead for 
Did you mean: