IKE Scan results against ASA and Concentrator

Unanswered Question
Jul 29th, 2008

Hi,

I have just used a helpful tool over the internet called IKE-Scan from http://www.nta-monitor.com/tools and I get these results back from my ASA and Concentrator. What do they mean? Is this showing what my equipment is advertising, and should I be worried?

ASA

C:\ike-scan-win32-1.9>ike-scan.exe 1.2.3.4
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.4 Main Mode Handshake returned HDR=(CKY-R=aad08e4146225eb3) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.109 seconds (9.17 hosts/sec). 1 returned handshake; 0 returned notify

Concentrator

C:\ike-scan-win32-1.9>ike-scan.exe 1.2.3.5
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.5 Main Mode Handshake returned HDR=(CKY-R=816b07de783cb2d2) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.171 seconds (5.85 hosts/sec). 1 returned handshake; 0 returned notify

Daniel Voicu Wed, 07/30/2008 - 00:54

Hi,

This is nothing to worry about. I think that by default the VPN devices reply to ISAKMP requests from all Internet devices.

However, you can change that if you enable filtering on the outside interfaces of the devices allowing UDP 500, 10000, 4500 and IP 50 only from legitimate VPN peers.

Please rate if this helped.

Regards,

Daniel

whiteford Wed, 07/30/2008 - 01:40

Thanks, I will leave it, but how come it finds Enc=3DES Hash=SHA1 Group=2:modp1024?

I have that enabled plus AES256. Does it just show the first one it gets a response from?

Daniel Voicu Wed, 07/30/2008 - 06:17

Hi,

The ISAKMP proposals have a seq number.

The device (ASA/Concentrator) receives the request from that program (the request contains a sequence of proposals that the program builds, in a specific order), and the device answers with the first match: it compares all the proposals from the peer with its first ISAKMP seq, then with the second, and so on.

Therefore, even if your first seq is a strong one (AES), if the peer only proposes 3DES, it will match your 3DES configured seq.

Please rate if this helped.

Regards,

Daniel
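The selection rule Daniel describes, and the question of what the ike-scan SA=(...) block in the original post actually reports, can both be checked with a small simulation. The following is an added example, not code from the thread, from ike-scan or from Cisco: it parses the attributes ike-scan prints, then walks a hypothetical responder policy list in seq order and returns the first policy that any initiator proposal matches. The policy seq numbers, the AES256 policy and the initiator's legacy-only proposal list are all constructed for illustration; the attribute names (Enc, Hash, Group, Auth) are taken from ike-scan's output format.

```python
import re

# Constructed sample: the ASA result line from the thread, re-joined onto one line.
ASA_RESULT = (
    "1.2.3.4 Main Mode Handshake returned HDR=(CKY-R=aad08e4146225eb3) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK "
    "LifeType=Seconds LifeDuration=28800)"
)

# Attributes that identify a Phase 1 policy for matching purposes.
# Lifetime is negotiated separately, so it is ignored when comparing policies here.
MATCH_KEYS = ("Enc", "Hash", "Group", "Auth")


def parse_sa(result_line):
    """Return the attributes inside ike-scan's SA=(...) block as a dict, e.g.
    {'Enc': '3DES', 'Hash': 'SHA1', ...}; an empty dict if no SA block is present."""
    m = re.search(r"SA=\((.*?)\)", result_line)
    if m is None:
        return {}
    return dict(item.split("=", 1) for item in m.group(1).split())


def policy(enc, hash_, group="2:modp1024", auth="PSK"):
    """Build one Phase 1 policy / proposal as a dict keyed by MATCH_KEYS."""
    return {"Enc": enc, "Hash": hash_, "Group": group, "Auth": auth}


# Hypothetical responder configuration (assumption, not the poster's real config):
# seq 10 is the strong policy, seq 20 is the legacy 3DES policy that is still enabled.
ASA_POLICIES = [(10, policy("AES256", "SHA1")), (20, policy("3DES", "SHA1"))]

# Constructed initiator proposal list: an initiator that offers only legacy transforms.
LEGACY_PROPOSALS = [policy("3DES", "SHA1"), policy("3DES", "MD5"),
                    policy("DES", "SHA1"), policy("DES", "MD5")]


def responder_choice(configured, proposals):
    """Simulate the responder as described in the thread: walk its own policies in
    seq order and return (seq, policy) for the first one that any offered proposal
    matches. Returns None when nothing matches, i.e. no handshake would complete."""
    for seq, pol in sorted(configured, key=lambda sp: sp[0]):
        for prop in proposals:
            if all(pol[k] == prop.get(k) for k in MATCH_KEYS):
                return seq, pol
    return None


def reachable_seqs(configured, proposals):
    """Defender's check: every configured seq that this initiator could negotiate,
    regardless of ordering. A legacy policy that appears here is still exposed."""
    return [seq for seq, pol in sorted(configured, key=lambda sp: sp[0])
            if any(all(pol[k] == prop.get(k) for k in MATCH_KEYS) for prop in proposals)]


if __name__ == "__main__":
    negotiated = parse_sa(ASA_RESULT)
    print("ike-scan reported:", {k: negotiated[k] for k in MATCH_KEYS})
    # Legacy-only initiator: seq 10 (AES256) never matches, seq 20 (3DES/SHA1) does.
    print("legacy initiator gets:", responder_choice(ASA_POLICIES, LEGACY_PROPOSALS))
    # An initiator that also offers AES256 is answered with seq 10, the responder's first.
    print("AES-capable initiator gets:",
          responder_choice(ASA_POLICIES, [policy("AES256", "SHA1")] + LEGACY_PROPOSALS))
    # With only the AES256 policy configured, the legacy initiator gets no handshake.
    print("after removing seq 20:", responder_choice(ASA_POLICIES[:1], LEGACY_PROPOSALS))
    print("seqs a legacy initiator can reach:", reachable_seqs(ASA_POLICIES, LEGACY_PROPOSALS))
```

The point for a defender is that the responder's seq order only decides which of the matching policies wins; it cannot stop an initiator that offers only 3DES from landing on a 3DES policy that is still configured. The SA=(...) block ike-scan prints is therefore the weakest policy the device was willing to agree to for that initiator's proposal list, which is a useful way to audit what is actually exposed rather than what is first in the configuration.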
