Cisco Support Community

Disable DES on Cisco Concentrator?

Hi, we have a potential vulnerability on our Cisco Concentrator. Can I disable DES?

Weak IPsec Encryption Settings port 500/udp

This host contains an ISAKMP/IKE key exchange server to negotiate encryption keys for IPsec Virtual Private Networks (VPNs). The configuration of the server allows clients to establish VPN connections with insecure encryption settings or key lengths. Once established, these connections may allow remote malicious users with access to the VPN data stream to recover the session key used in the connection by performing brute-force key space searches.

This QID will be reported as a Potential Vulnerability (not as a Vulnerability) on some versions of IOS because an ISAKMP SA with weak settings can be established first, and then rejected later by a policy check. Without having VPN authentication credentials, it is impossible to differentiate between this type of setup and a setup that truly allows ISAKMP SA with weak settings.

A malicious user with access to the VPN data stream may be able to recover the session key of a VPN connection. This would then provide access to all data sent across the VPN connection, which may include passwords and sensitive files.

Disable the encryption algorithm "DES" (key length of 56 bits) and the key exchange algorithm DH768 (MODP768). Secure replacements are 3DES and DH1024.

Re: Disable DES on Cisco Concentrator?

You can turn it off so that no tunnel can ever negotiate to use it, but you can't disable it entirely. You can deactivate all IKE proposals that have DES encryption specified, leaving only the IKE proposals that have 3DES or AES. Go to:

Configuration | Tunneling and Security | IPSec | IKE Proposals

and deactivate any and all IKE Proposals that reference DES.
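The reply above is a manual GUI step. As an added example (not code from this thread or from Cisco), here is a small audit script that applies the scanner's two criteria, DES encryption and DH group 1 (MODP768), to an exported list of IKE proposals and reports which active proposals still need to be deactivated. The export format (`name: encryption, hash, dh-group, active|inactive`) and the sample proposal entries are constructed for the example; the names mimic VPN 3000 default proposal names but their settings are assumed, not taken from a real device.

```python
"""Audit IKE proposals for the weak settings flagged by the scan.

Added example, not code from the Cisco thread. It assumes a simple
one-proposal-per-line export: 'name: encryption, hash, dh-group, active'.
"""
from dataclasses import dataclass

# The two settings the scan report calls out.
WEAK_ENCRYPTION = {"DES"}   # 56-bit key
WEAK_DH_GROUPS = {1}        # IKE group 1 = MODP768 (DH768)


@dataclass(frozen=True)
class IkeProposal:
    name: str
    encryption: str
    hash_alg: str
    dh_group: int
    active: bool


def parse_proposals(text):
    """Parse the constructed export format into IkeProposal records."""
    proposals = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, fields = line.split(":", 1)
        enc, hash_alg, group, state = [f.strip() for f in fields.split(",")]
        proposals.append(
            IkeProposal(
                name=name.strip(),
                encryption=enc.upper(),
                hash_alg=hash_alg.upper(),
                dh_group=int(group),
                active=(state.lower() == "active"),
            )
        )
    return proposals


def weak_reasons(proposal):
    """Return the list of reasons a proposal is weak (empty if it is fine)."""
    reasons = []
    if proposal.encryption in WEAK_ENCRYPTION:
        reasons.append(f"encryption {proposal.encryption} (56-bit key)")
    if proposal.dh_group in WEAK_DH_GROUPS:
        reasons.append(f"DH group {proposal.dh_group} (MODP768)")
    return reasons


def audit(proposals):
    """Map each ACTIVE weak proposal name to its reasons.

    Inactive proposals are ignored: the concentrator will not offer them,
    which is exactly the remediation the reply describes.
    """
    return {
        p.name: weak_reasons(p)
        for p in proposals
        if p.active and weak_reasons(p)
    }


# Constructed sample export (assumed values, not from a real concentrator).
SAMPLE_EXPORT = """
# name: encryption, hash, dh-group, state
IKE-3DES-MD5:       3DES,    MD5,  2, active
IKE-DES-MD5:        DES,     MD5,  2, active
IKE-3DES-MD5-DH1:   3DES,    MD5,  1, active
IKE-AES128-SHA:     AES-128, SHA1, 2, active
IKE-DES-MD5-DH7:    DES,     MD5,  7, inactive
"""


if __name__ == "__main__":
    findings = audit(parse_proposals(SAMPLE_EXPORT))
    for name, reasons in findings.items():
        print(f"deactivate {name}: {'; '.join(reasons)}")
```

Running it lists IKE-DES-MD5 (DES) and IKE-3DES-MD5-DH1 (group 1) as the proposals to deactivate; IKE-DES-MD5-DH7 is skipped because it is already inactive. Note that the scan's "Potential Vulnerability" caveat still applies: the scanner can only see what the responder is willing to negotiate, so re-run the scan after deactivating the proposals to confirm the device no longer accepts them.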
