cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
19237
Views
0
Helpful
18
Replies

IKE Aggressive mode what is this?

whiteford
Level 1
Level 1

Hi, I have just scanned one of our routers public address, this is a Cisco 877 ADSL router in VPN mode to a Cisco Concentrator and get this vulnerability, what does it mean?

Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

THREAT:

IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.

IMPACT:

Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.

SOLUTION:

IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.

1 Accepted Solution

Accepted Solutions

Andy

Thanks for the additional output. The presence of statements like this referencing Main Mode

Nov 5 19:12:42.702: ISAKMP:(0:21:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

and the lack of any messages referencing aggressive mode are proof that this connection does not use aggressive mode and thus the vulnerability is minimized.

HTH

Rick

HTH

Rick

View solution in original post

18 Replies 18

paolo bevilacqua
Hall of Fame
Hall of Fame

Hi, they are just saying if your shared key is easy to guess, your are at risk. Not really any news so far. So they say:

Otherwise a strong pre-shared key should be chosen.

Hope this helps, please rate post it it does!

Thanks, thing is it's 11 letters long. It includes letters, numbers, capital letters and symbols.

Do I need to encrypt the config or something?

Andy

I do not believe that you need to encrypt the config or anything like that. As Paolo explains the "vulnerability" is about the ability to brute force attack (try to guess the passwords) and you are more vulnerable with weak pre-shared keys. If your key is 11 characters with letters, numbers, and symbols then it sounds pretty strong.

There are two modes of ISAKMP negotiation for phase 1 negotiation. They both achieve the same basic things but aggressive mode requires fewer message exchanges to do it. The vulnerability suggests that you not use aggressive mode. Your Cisco will use whichever mode is used on the device that connects. For site to site VPN aggressive mode is rarely used but for the client based remote access VPN aggressive mode is more common.

I really do not think that there is anything that you need to do about this.

HTH

Rick

HTH

Rick

Great thanks, can I rate both replies??

Andy

As far as I know you should be able to rate both replies.

Thanks

HTH

Rick

HTH

Rick

Hi, how many letters do you normally use? An example of one I no longer use is - #p0pu1at10n

Is this ok?

How do I know if my router in site-to-site mode is or isn't connecting to our concentrator in aggressive mode?

Andy

In my experience IPSec connections from a router to a concentrator generally do not use agressive mode. I guess that if you want to be sure you would need to run debug on the IPSec negotiation.

HTH

Rick

HTH

Rick

Hi Rick, what is the command for that, i have looked for something like debug ipsec, bu no luck?

Thanks

Andy

It is a bit tricky to spot because the ipsec is a parameter behind crypto in the debug command. So try debug crypto ipsec.

HTH

Rick

HTH

Rick

Just tried "debug crypto ipsec" and stopped the VPN then started it again, but nothing appeared on the router, am I doing this right?

Andy

When you say that you stopped and started the VPN can you be specific about how you stopped it and restarted it? I would have thought that stopping and starting the VPN would have produced some debug output.

Also can you confirm that you had done terminal monitor before doing the debug and stopping and restarting the VPN? (or that you enabled logging buffered debug and then did show log after stopping and starting the VPN)

HTH

Rick

HTH

Rick

Sorry, my lack of knowledge, still learning. Need to start my CCNA (ICDN1).

Output is attached.

Andy

Thanks for posting the output. I am glad to see that it is now producing debug output.

I do not believe that there is aggressive mode in the negotiation. Looking at what I suggested I realize that I should have also suggested debug crypto isakmp to give a full picture of how the negotiation is being done. Can you also run debug crypto isakmp and post the output?

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco