I conducted a vulnerability test against a Cisco VPN Concentrator 3060 and it shows the following vulnerability.
I have enabled only the remote access VPN and no site to site VPN.
How can I remove this vulnerability?
Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
IMPACT:
Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ernw.de/download/pskattack.pdf.
SOLUTION:
IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.
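To confirm the finding from a packet capture, or to verify it is gone after Aggressive Mode is disabled, the following added example (not part of the original post or the scanner's output) parses an IKEv1 message from UDP/500 and reports whether a gateway reply is an Aggressive Mode exchange carrying the HASH payload unencrypted. The field layout and type numbers follow RFC 2408/2409; the function names and sample messages are constructed for illustration.

```python
import struct

# ISAKMP constants from RFC 2408/2409 (IKEv1).
EXCHANGE = {2: "main", 4: "aggressive"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VID"}
HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length

def parse_isakmp(data):
    """Parse one IKEv1 message (UDP/500 payload) into exchange type and cleartext payload chain."""
    if len(data) < HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _ic, _rc, nxt, version, xchg, flags, _mid, length = HDR.unpack_from(data)
    if version != 0x10 or length != len(data):
        raise ValueError("not a complete IKEv1 message")
    encrypted = bool(flags & 0x01)
    payloads, off = [], HDR.size
    while nxt != 0 and not encrypted:  # an encrypted body cannot be walked
        if off + 4 > length:
            raise ValueError("truncated payload header")
        following, _reserved, plen = struct.unpack_from("!BBH", data, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        payloads.append(PAYLOAD.get(nxt, str(nxt)))
        nxt, off = following, off + plen
    return {"exchange": EXCHANGE.get(xchg, str(xchg)), "encrypted": encrypted, "payloads": payloads}

def gateway_exposes_psk_hash(reply):
    """True if a gateway reply is Aggressive Mode and carries HASH in the clear."""
    msg = parse_isakmp(reply)
    return msg["exchange"] == "aggressive" and not msg["encrypted"] and "HASH" in msg["payloads"]

def build_sample(xchg, chain):
    """Build a constructed message; chain is [(payload_type, body), ...]."""
    body = b""
    for i, (_ptype, content) in enumerate(chain):
        following = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(content)) + content
    return HDR.pack(b"I" * 8, b"R" * 8, chain[0][0], 0x10, xchg, 0, 0, HDR.size + len(body)) + body

# Constructed samples (zero-filled bodies), not captured traffic.
AGGRESSIVE_REPLY = build_sample(4, [(1, bytes(8)), (4, bytes(16)), (10, bytes(16)), (5, bytes(8)), (8, bytes(20))])
MAIN_REPLY = build_sample(2, [(1, bytes(8))])

if __name__ == "__main__":
    for name, pkt in (("aggressive", AGGRESSIVE_REPLY), ("main", MAIN_REPLY)):
        print(name, parse_isakmp(pkt)["payloads"], gateway_exposes_psk_hash(pkt))
```

Feed it only messages sent by the gateway: the initiator's third Aggressive Mode message also carries a HASH payload, so direction has to come from the capture's source address.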