
exchange-mode

Function

The exchange-mode command configures the IKEv1 phase 1 negotiation mode.

The undo exchange-mode command restores the default IKEv1 phase 1 negotiation mode.

By default, the main mode is used.

Format

exchange-mode { aggressive | main | auto }

undo exchange-mode

Parameters

| Parameter | Description | Value |
|---|---|---|
| aggressive | Configures the aggressive mode. | - |
| main | Configures the main mode. | - |
| auto | Configures the auto-sensing mode. The main mode is used if the device serves as the initiator. If the device serves as the responder, both the main mode and aggressive mode can be used. | - |

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Two key exchange and negotiation modes are defined in IKEv1 phase 1:

  • In main mode, key exchange information is separated from identity and authentication information to protect identity information.
  • In aggressive mode, only three messages are exchanged. Therefore, IKE SAs can be set up more quickly in aggressive mode. However, the first two messages exchanged in aggressive mode are not encrypted, and identity authentication information is transmitted in plain text. This poses security risks.
  • In auto-sensing mode, a device can accept either the main or aggressive mode to improve the success rate of IKE negotiation.

When selecting a negotiation mode, choose between the main and aggressive modes based on network requirements:
  • In the scenario where multiple pre-shared keys are configured in the IKE user table, if the IP address of the negotiation initiator is unknown or unstable and the two ends expect to set up SAs using the pre-shared key, only the aggressive mode can be used.
  • If the initiator knows the policy of the responder, IKE SAs can be set up more quickly in aggressive mode.
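
Added example (not Huawei's code and not part of the original page): a small audit that reads a saved configuration and reports every IKE peer that can negotiate aggressive mode, treating a peer with no exchange-mode line as the default main mode. The saved-configuration layout (indented settings under "ike peer <name>", blocks separated by "#"), the sample text and the function names are assumptions.

```python
# Added example: audit a saved configuration for IKE peers that permit
# aggressive mode. Assumption: each peer is an "ike peer <name>" block whose
# settings are indented and which ends at a "#" line or any unindented line.

SAMPLE_CONFIG = """\
#
ike peer peer1
 exchange-mode aggressive
#
ike peer peer2
#
ike peer peer3
 exchange-mode auto
#
"""  # constructed sample, not taken from a real device

DEFAULT_MODE = "main"  # the page states that main mode is the default
VALID_MODES = {"aggressive", "main", "auto"}


def peer_modes(config_text):
    """Return {peer_name: effective exchange mode} for every IKE peer block."""
    modes, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not raw[:1].isspace():  # unindented line: a block starts or ends
            current = None
            if words[:2] == ["ike", "peer"] and len(words) >= 3:
                current = words[2]
                modes.setdefault(current, DEFAULT_MODE)
        elif current and len(words) == 2 and words[0] == "exchange-mode":
            if words[1] in VALID_MODES:
                modes[current] = words[1]
    return modes


def findings(config_text):
    """List (peer, mode, reason) for peers that can negotiate aggressive mode."""
    reasons = {
        "aggressive": "identity information is exchanged in plain text",
        "auto": "as responder the device also accepts aggressive mode",
    }
    found = sorted(peer_modes(config_text).items())
    return [(peer, mode, reasons[mode]) for peer, mode in found if mode in reasons]


if __name__ == "__main__":
    for peer, mode, reason in findings(SAMPLE_CONFIG):
        print(f"{peer}: exchange-mode {mode} ({reason})")
```

Peers reported with auto deserve the same review as those set to aggressive, because the device accepts aggressive mode whenever it acts as the responder.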

Example

# Configure the aggressive IKE negotiation mode for the IKE peer peer1.

<sysname> system-view
[sysname] ike peer peer1
[sysname-ike-peer-peer1] exchange-mode aggressive
Copyright © Huawei Technologies Co., Ltd.