
Forums before death by AOL, social media and spammers... "We can't have nice things"

   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 2,180 of 2,348   
   Stephen J. Bevan to Paul D.Smith   
   Re: Correct response to Aggressive Node    
   18 Sep 07 13:56:11   
   
   From: stephen@dino.dnsalias.com   
      
   "Paul D.Smith"  writes:   
   > Can someone tell me what the correct ISAKMP response to an Aggressive Mode   
   > offer is if the receiving VPN server does not support Aggressive Mode?   
      
   I'm not sure what you mean by "the correct ISAKMP response is" since   
   the RFC (2408) allows the receiver to do one or more of the following :-   
      
     1 silently ignore the aggressive-mode request.   
      
     2 log an INVALID PROPOSAL in whatever passes for a log system on the   
       receiver.   
      
     3 send the initiator a NO-PROPOSAL-CHOSEN informational message.   
      
   If 3 occurs then the initiator should not take any notice of it because
   (unless this is a rekey) the response will not be
   encrypted & authenticated and thus could be spoofed.  Even if 3 occurs
   in order to help a human diagnose the problem when they only have   
   access to the initiator, there is no guarantee of delivery since there   
   is no retransmission timer for it, and the receiver may rate limit its   
   responses to further requests.   
      
   > The background to this is a Cisco VPN client offering Aggressive Mode to a   
   > Netgear router that only supports Main Mode.   
      
   If the Cisco VPN client is offering both aggressive and main then the   
   Netgear is wrong not to accept the aggressive-mode.  If the Cisco only   
   sends aggressive then the Netgear is correct to reject it.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
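
Added example (not part of the original post, and not code from any vendor's client): a Python sketch of the initiator-side triage the reply describes, where a cleartext NO-PROPOSAL-CHOSEN notify is recorded as a diagnostic hint but never changes negotiation state. The header and notify layouts follow RFC 2408; the function names, return strings and sample datagrams are constructed for illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 sec. 3.1: 28-byte header
NOTIFY_FIXED = struct.Struct("!BBHIBBH")   # RFC 2408 sec. 3.14: fixed notify part
EXCH_INFORMATIONAL = 5
PAYLOAD_NOTIFY = 11
FLAG_ENCRYPTED = 0x01
NO_PROPOSAL_CHOSEN = 14

def classify_informational(datagram: bytes) -> str:
    """Say how an initiator should treat one received ISAKMP datagram."""
    if len(datagram) < ISAKMP_HDR.size:
        return "drop: truncated header"
    (_icookie, _rcookie, next_payload, _version,
     exchange, flags, _msg_id, length) = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        return "drop: length mismatch"
    if exchange != EXCH_INFORMATIONAL:
        return "other: not an informational exchange"
    if flags & FLAG_ENCRYPTED:
        # The flag itself is unauthenticated: trust comes only from decrypting
        # and verifying the body under an established ISAKMP SA.
        return "protected: decrypt and verify under the ISAKMP SA"
    if next_payload != PAYLOAD_NOTIFY:
        return "drop: no notify payload"
    if length < ISAKMP_HDR.size + NOTIFY_FIXED.size:
        return "drop: truncated notify"
    (_np, _reserved, payload_len, _doi, _proto,
     spi_size, notify_type) = NOTIFY_FIXED.unpack_from(datagram, ISAKMP_HDR.size)
    if (payload_len < NOTIFY_FIXED.size + spi_size
            or ISAKMP_HDR.size + payload_len > length):
        return "drop: bad notify length"
    # Cleartext notify: anyone on the path could have sent it, so it is a hint
    # for the operator and must not abort or alter the negotiation.
    if notify_type == NO_PROPOSAL_CHOSEN:
        return "log-only: unauthenticated NO-PROPOSAL-CHOSEN"
    return f"log-only: unauthenticated notify type {notify_type}"

def build_sample(notify_type: int, encrypted: bool = False) -> bytes:
    """Constructed test datagram (cookies and message ID are made up)."""
    notify = NOTIFY_FIXED.pack(0, 0, NOTIFY_FIXED.size, 1, 1, 0, notify_type)
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, PAYLOAD_NOTIFY, 0x10,
                             EXCH_INFORMATIONAL, flags, 0x01020304,
                             ISAKMP_HDR.size + len(notify))
    return header + notify
```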



(c) 1994,  bbs@darkrealms.ca