IKE Scan results against ASA and Concentrator

whiteford
Level 1

Hi,

I have just used a helpful tool over the internet called IKE-Scan from http://www.nta-monitor.com/tools and I get these results back from my ASA and Concentrator. What do they mean? Is this showing what my equipment is advertising, and should I be worried?

ASA

C:\ike-scan-win32-1.9>ike-scan.exe 1.2.3.4
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.4 Main Mode Handshake returned HDR=(CKY-R=aad08e4146225eb3) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.109 seconds (9.17 hosts/sec). 1 returned handshake; 0 returned notify

Concentrator

C:\ike-scan-win32-1.9>ike-scan.exe 1.2.3.5
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.5 Main Mode Handshake returned HDR=(CKY-R=816b07de783cb2d2) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.171 seconds (5.85 hosts/sec). 1 returned handshake; 0 returned notify
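To make sense of lines like the two above, it helps to pull the SA attributes apart and mark the ones a defender would want to review. The following is an added example, not part of the original post and not code from ike-scan: it parses ike-scan "Main Mode Handshake returned" lines (the wrapped console lines rejoined into one line each) and reports the accepted attributes that are considered weak today. The sample output is constructed from the two results quoted in the question, and the WEAK table is an assumption of this example, not a list from the tool.

```python
import re

# Constructed sample, modelled on the two ike-scan results quoted above
# (console wrapping removed so each host's result is on one line).
SAMPLE_OUTPUT = """\
Starting ike-scan 1.9 with 2 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.4 Main Mode Handshake returned HDR=(CKY-R=aad08e4146225eb3) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
1.2.3.5 Main Mode Handshake returned HDR=(CKY-R=816b07de783cb2d2) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 2 hosts scanned in 0.171 seconds (11.70 hosts/sec). 2 returned handshake; 0 returned notify
"""

# One result line: host, then the SA=( ... ) attribute list (no nested parens inside it).
HANDSHAKE_RE = re.compile(
    r"^(?P<host>\S+) Main Mode Handshake returned .*?SA=\((?P<sa>[^)]*)\)"
)

# Assumed review table for this example: accepted attribute values a defender
# would flag. Values are ike-scan's own attribute spellings.
WEAK = {
    "Enc": {"DES": "single DES", "3DES": "3DES, 64-bit block cipher"},
    "Hash": {"MD5": "MD5"},
    "Group": {"1:modp768": "768-bit DH group 1", "2:modp1024": "1024-bit DH group 2"},
}


def parse_handshakes(text):
    """Return one dict per responding host: {'host': ..., 'Enc': ..., 'Hash': ..., ...}.

    Only hosts that returned a handshake appear; a host that is filtered or
    has no matching policy produces no such line and is therefore absent.
    """
    results = []
    for line in text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group("sa").split())
        results.append({"host": m.group("host"), **attrs})
    return results


def weak_attributes(entry):
    """List the attributes of one parsed result that appear in the WEAK table."""
    findings = []
    for key, table in WEAK.items():
        value = entry.get(key)
        if value in table:
            findings.append(f"{key}={value} ({table[value]})")
    return findings


def report(text):
    """Map each responding host to its list of flagged attributes."""
    return {e["host"]: weak_attributes(e) for e in parse_handshakes(text)}


if __name__ == "__main__":
    for host, findings in report(SAMPLE_OUTPUT).items():
        print(host, "answered IKE;", "flagged:", ", ".join(findings) or "none")
```

Two things the report shows about the quoted results: both devices answered an unsolicited Main Mode request at all, which is the point the first reply addresses, and the accepted transform is the one the scanner offered, not necessarily the strongest one configured, which is the point the second reply addresses.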

3 Replies

5220
Level 4

Hi,

This is nothing to worry about. I think that by default the VPN devices are replying to ISAKMP requests from all Internet devices.

However, you can change that if you enable filtering on the outside interfaces of the devices allowing UDP 500, 10000, 4500 and IP 50 only from legitimate VPN peers.

Please rate if this helped.

Regards,

Daniel

Thanks, I will leave it, but how come it finds c=3DES Hash=SHA1 Group=2:modp1024?

I have that enabled plus AES256, does it just show the first it gets a response from?

Hi,

The ISAKMP proposals have a seq number.

The device (ASA/Concentrator) receives the request from that program (the request contains a sequence of proposals that the program builds, in a specific order) and the device answers with the first match, matching all the proposals from the peer with its first ISAKMP seq, then with the second and so on.

Therefore, even if your first seq is a strong one (AES), if the peer only proposes 3DES, it will match your 3DES configured seq.

Please rate if this helped.

Regards,

Daniel
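The selection rule Daniel describes can be shown in a few lines. The following is an added example and not part of the thread or of Cisco's code: it models the responder walking its own ISAKMP policies in seq order and answering with the first one that any of the initiator's proposals matches. The policy list is constructed to mirror the asker's setup (AES-256 ahead of 3DES); the attribute names and the peer proposal lists are assumptions of this example.

```python
# Constructed responder configuration, in seq (priority) order: the strong
# policy first, the 3DES policy behind it, as the asker describes.
RESPONDER_POLICIES = [
    {"seq": 10, "enc": "AES256", "hash": "SHA1", "group": 2, "auth": "PSK"},
    {"seq": 20, "enc": "3DES",   "hash": "SHA1", "group": 2, "auth": "PSK"},
]

MATCH_KEYS = ("enc", "hash", "group", "auth")


def select_policy(responder_policies, peer_proposals):
    """Return the responder policy chosen for this initiator, or None.

    Mirrors the reply above: take the responder's policies in seq order and,
    for each, compare it against the whole proposal list the initiator sent.
    The first responder seq that any proposal matches wins, regardless of the
    order in which the initiator listed its proposals.
    """
    for policy in sorted(responder_policies, key=lambda p: p["seq"]):
        for proposal in peer_proposals:
            if all(policy[k] == proposal.get(k) for k in MATCH_KEYS):
                return policy
    return None  # no match: no Main Mode handshake is returned


def chosen_enc(responder_policies, peer_proposals):
    """Convenience wrapper: the encryption name of the chosen policy, or None."""
    policy = select_policy(responder_policies, peer_proposals)
    return policy["enc"] if policy else None


# Constructed initiator proposal lists for three situations.
# A scanner that only offers 3DES-based transforms (like the result quoted above).
ONLY_3DES = [
    {"enc": "3DES", "hash": "SHA1", "group": 2, "auth": "PSK"},
    {"enc": "3DES", "hash": "MD5",  "group": 2, "auth": "PSK"},
]
# A peer that lists 3DES first but also offers AES-256.
THREEDES_THEN_AES = ONLY_3DES + [
    {"enc": "AES256", "hash": "SHA1", "group": 2, "auth": "PSK"},
]
# A peer that offers nothing the responder has configured.
ONLY_DES = [{"enc": "DES", "hash": "MD5", "group": 2, "auth": "PSK"}]

if __name__ == "__main__":
    print("scanner offering only 3DES  ->", chosen_enc(RESPONDER_POLICIES, ONLY_3DES))
    print("peer offering 3DES then AES ->", chosen_enc(RESPONDER_POLICIES, THREEDES_THEN_AES))
    print("peer offering only DES      ->", chosen_enc(RESPONDER_POLICIES, ONLY_DES))
```

The second case is the one worth noting: because the responder's seq order decides, a peer that lists 3DES before AES-256 still gets AES-256, while the scanner in the question gets 3DES only because it never offered anything else. The scan result therefore says "3DES is configured somewhere in the policy list", not "3DES is the preferred policy"; removing the 3DES seq is what changes the answer, and filtering IKE to known peers as the first reply suggests is what stops unknown hosts from getting any answer at all.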
