A couple of years ago, a team of security experts released a paper describing an attack that can break an IKEv1 Aggressive Mode Pre-Shared Key connection using an attack that would not equally have been possible with an IKEv1 Main Mode Pre-Shared Key connection, leading to the incorrect assumption that Aggressive Mode is inherently insecure. This claim, however, is not backed up by objective facts. What most people don't know, part of that attack was the ability to guess the Pre-Shared Key (PSK) using a brute force attack and such a brute force attack can only be successful if the PSK is weak. A PSK is also just a password and as with every password, choosing a weak password always leads to poor security. As long as your PSK is at least 14 characters long (the longer the better), consists out of lower case letters, upper case letters and digits, and was randomly generated, so it's impossible to somehow guess it, and as long as your Phase 1 hash algorithm is at least SHA1 (or better, we recommend SHA-256 if possible), there's absolutely no reason to consider IKEv1 Aggressive Mode with Pre-Shared Key as less secure than IKEv1 Main Mode with Pre-Shared Key. If you want to be even more secure, switch to certificate based authentication instead of PSK if possible as then the attack is not possible at all.
Technical background:
The Pre-Shared Key (PSK) is not a password used for encryption of any data, it's used for authentication, just when you log in to a website using a username and a password. During Phase 1, both sides must prove to each other to know the PSK. This cannot be done by just sending it to the other side, as if the other side didn't know it before, it will know it after receiving it. Instead both sides calculate a number (a hash digest) out of data they exchanged so far (data that will be different every time you start a new connection, which ensures the calculated value will be as well) and the PSK. Only this digest is send to other side. The other side can now verify that digest by performing the same calculations and comparing the result with the digest received. If both are equal, the sender must have used the same PSK in the calculation, which proves knowledge of the PSK. Then the receiver also calculates such a digest, using a slightly different formula as before, leading to an entirely different result, and sends it back in reply to also prove its knowledge.
The differences between Main Mode and Aggressive Mode is simply that in Main Mode the digest is exchanged encrypted because the session key exchange already negotiated a session encryption key when the digest is exchanged, whereas in Aggressive Mode it is exchanged unencrypted as part of the key exchange that will lead to a session key. By snooping the connection establishment of an Aggressive Mode connection, the attackers were able to get the digest as well as all values required to calculate that digest, except for the PSK itself. Please note that this alone doesn't mean the connection is broken already, it only means that the attackers now have enough data to start guessing the PSK using a brute force or dictionary attack. Only if the PSK is too weak to withstand those attacks and the attackers are able to correctly guess it, the connection will be broken. That's why a good, secure PSK is essential.
The same attack is in fact also possible with a Main Mode PSK connection, it just requires some extra work. For a Main Mode connection it's not enough to just snoop the traffic, the attackers would need to perform a so called Man-in-the-Middle (MitM) attack, allowing them to capture and manipulate all traffic exchanged. By performing a MitM attack, attackers can break the key exchange and thus will be able to decrypt all the exchanged packets. Doing so will not make it possible to break into your VPN, they still need to know the PSK for that, otherwise they cannot successfully authenticate to the other side and then Phase 1 will never complete, but that way they can get all the information required to start guessing on the PSK, just as in case of a an Aggressive Mode connection. And if an attacker is already able to snoop on your VPN traffic (which is required to attack Aggressive Mode), it's very likely that attacker is equally possible to perform a MitM attack and in that case using Main Mode will not offer you any additional protection.
A PSK out of 11 random alphanumeric characters offers an entropy of approx. 64 bits, that's 2^64 possible values. Modern high end graphics adapter (as of 2015) can calculate in the order of 1 billion SHA-256 hashes a second. On average one has to try 50% of all possible values to find a match, wich would be about 292 years. Yet if the attackers have an array of 100 such graphics adapters, it would "only" be around 3 years. If the PSK is 14 characters, the entropy is about 80 bits and you are already at 19,154,798 years. Now even having 10,000 graphics adapters would help a lot. Also one must consider the costs of such an attack, which is not so much the cost of buying all these graphics adapters, rather their power consumption when all these graphics adapters run at maximum current 24 hours a day and that for years, decades, or even centuries. The power costs will be billions of dollar and all that to just break one single PSK connection in the entire world. And whenever you change the PSK, an attacker must start all over, so if you change the PSK regularly, let's say once a year, an attacker has at most one year to find it; that's very ambitious, even for a weak PSK.
