IKE Aggressive mode what is this?

whiteford
Level 1

Hi, I have just scanned one of our routers' public address. This is a Cisco 877 ADSL router in VPN mode to a Cisco Concentrator, and I get this vulnerability. What does it mean?

Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

THREAT:

IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.

IMPACT:

Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.

SOLUTION:

IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.


Hi Rick, here it is, let me know if you find anything else that concerns you.

Andy

Thanks for the additional output. The presence of statements like this referencing Main Mode

Nov 5 19:12:42.702: ISAKMP:(0:21:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

and the lack of any messages referencing aggressive mode are proof that this connection does not use aggressive mode and thus the vulnerability is minimized.

HTH

Rick

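Rick's check above (main-mode state messages present, no aggressive-mode messages) can be applied mechanically to a saved `debug crypto isakmp` capture. The script below is an added example written for this page, not code from the thread or from Cisco. Only the first two sample lines are taken from the thread; the remaining sample lines and the aggressive-mode state tokens (`IKE_AM_EXCH`, `IKE_R_AM...`) are assumptions, since exact token names differ between IOS releases, and the `crypto isakmp aggressive-mode disable` line is the IOS global command that implements the SOLUTION in the scanner report.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Cisco IOS "debug crypto isakmp" output. The first two
# lines are the ones quoted in this thread (main-mode state machine plus the
# harmless vendor-ID notice); the remaining three are an ASSUMED shape for
# main-mode and aggressive-mode state transitions. Exact state tokens differ
# between IOS releases, so adjust the regexes below against your own output.
SAMPLE_DEBUG = """\
Nov 5 19:12:42.702: ISAKMP:(0:21:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 5 19:12:42.702: ISAKMP:(0:21:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
Nov 5 19:12:42.710: ISAKMP:(0:21:SW:1):Old State = IKE_R_MM1  New State = IKE_R_MM2
Nov 5 19:13:01.004: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Nov 5 19:13:01.004: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
"""

# Phase-1 exchange markers: MM = main mode, AM = aggressive mode (token names assumed).
MAIN_MODE_RE = re.compile(r"IKE_PROCESS_MAIN_MODE|IKE_MM_EXCH|IKE_[RI]_MM\d")
AGGRESSIVE_RE = re.compile(r"IKE_PROCESS_AGGRESSIVE_MODE|IKE_AM_EXCH|IKE_[RI]_AM(?:\d|_|\b)")
# The "(0:21:SW:1)" tag identifies the ISAKMP SA a debug line belongs to.
SA_RE = re.compile(r"ISAKMP:\((?P<sa>[^)]+)\)")


def classify_line(line: str) -> Optional[str]:
    """Return 'main', 'aggressive', or None for lines that say nothing about the
    exchange type (timers, vendor-ID notices such as the Unity/DPD 'major 194
    mismatch' line, and so on)."""
    if AGGRESSIVE_RE.search(line):
        return "aggressive"
    if MAIN_MODE_RE.search(line):
        return "main"
    return None


def summarize(debug_text: str) -> Dict[str, str]:
    """Map each ISAKMP SA identifier to the phase-1 mode observed for it. An SA
    that shows both kinds of marker is reported as 'mixed' rather than trusted."""
    modes: Dict[str, set] = {}
    for line in debug_text.splitlines():
        mode = classify_line(line)
        sa = SA_RE.search(line)
        if mode is None or sa is None:
            continue
        modes.setdefault(sa.group("sa"), set()).add(mode)
    return {sa: (next(iter(m)) if len(m) == 1 else "mixed") for sa, m in modes.items()}


def aggressive_sas(debug_text: str) -> List[str]:
    """SA identifiers that negotiated with aggressive mode; an empty list is the
    result you want to see for a PSK-authenticated tunnel."""
    return sorted(sa for sa, mode in summarize(debug_text).items()
                  if mode in ("aggressive", "mixed"))


def aggressive_mode_disabled(running_config: str) -> bool:
    """True if the router refuses aggressive mode globally. 'crypto isakmp
    aggressive-mode disable' is the IOS global configuration command for this;
    the check is a plain line match over 'show running-config' text."""
    return any(line.strip() == "crypto isakmp aggressive-mode disable"
               for line in running_config.splitlines())


if __name__ == "__main__":
    for sa, mode in summarize(SAMPLE_DEBUG).items():
        print(f"SA {sa}: {mode}")
    print("aggressive-mode SAs:", aggressive_sas(SAMPLE_DEBUG) or "none")
```

Feed it the output of `debug crypto isakmp` captured while a peer connects; an SA reported as `main` with no `aggressive` entries is the situation Rick describes, while any `aggressive` or `mixed` entry on a PSK-authenticated tunnel is the finding the scanner is warning about. The vendor-ID line is deliberately classified as None so it never influences the result.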

Thanks again Rick, however do you think this is anything to worry about:

Nov 5 19:12:42.702: ISAKMP:(0:21:SW:1): vendor ID seems Unity/DPD but major 194 mismatch

Andy

No, it is not anything to worry about. I see it lots of times and have not yet found any negative impact from it. I believe that it is cosmetic.

HTH

Rick
