Cisco Support Community
RSA-SIG to replace Pre-Shared Keys

We recently had a third-party vulnerability assessment done on our perimeter security devices (PIX 515e and 506e). The findings indicate the Pre-Shared Key can be elicited from our PIX devices due to Aggressive-Mode being enabled. IKE-SCAN is able to pull the PSK quite easily. Cracking is not successful due to our password complexity settings (8 characters, must include 1 capital, 1 number and 1 non-alphanumeric). Doing my homework, it appears this is a normal behavior when using Pre-Shared Keys in the isakmp policy.

What I am looking for is documentation on switching to RSA-SIG. Is it possible to use our internal PKI, or do we need to purchase pricey certificates from a third-party vendor such as Verisign? If we can use our internal PKI, how would the configuration be done?

Some background on our environment:

We use PIX 500 series devices to establish site-to-site connectivity as a backup for our MPLS network. The VPN topology is fully meshed, so each PIX has a crypto map for each other site (PIX OS 6.3(4), a total of 13 sites).

Any insight on this is appreciated.
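The configuration below is an added illustration for the question above; it is not the poster's configuration and is not taken from a reply in this thread. It assumes an internal CA that supports SCEP enrollment (the URL path shown is the Microsoft CA SCEP path; other CA products use a different path), a placeholder CA address of 10.0.0.5, placeholder hostnames and peer addresses, and PIX OS 6.3, where the `isakmp am-disable` command is available. The same steps are repeated on each of the 13 PIXes against the same CA so every peer's certificate chains to one trusted root.

```text
! Added example configuration (PIX OS 6.3 syntax), not the poster's device config.
! Placeholders: 10.0.0.5 = internal SCEP-capable CA, 203.0.113.2 = one remote peer.

! Certificate names and validity checks depend on hostname, domain and clock.
hostname pix-site1
domain-name example.internal
clock set 12:00:00 jan 1 2008

! Generate the device RSA key pair that signs the IKE exchange (rsa-sig).
ca generate rsa key 1024

! Point the PIX at the internal CA over SCEP. The "ca" keyword means enroll
! directly with the CA (no RA); retry every 1 minute, up to 100 times.
! crloptional lets IKE proceed if the CRL cannot be fetched; drop it once
! the CA publishes a reachable CRL distribution point.
ca identity internalca 10.0.0.5:/certsrv/mscep/mscep.dll
ca configure internalca ca 1 100 crloptional

! Fetch the CA certificate. Compare the fingerprint it prints with the one
! read from the CA console before trusting it.
ca authenticate internalca

! Request the device certificate; the challenge password comes from the
! CA's SCEP enrollment page (placeholder below).
ca enroll internalca <SCEP-challenge-password>

! Persist keys and certificates to flash.
ca save all

! With certificates, identify peers by the FQDN carried in the certificate.
isakmp identity hostname

! Switch the ISAKMP policy from pre-share to RSA signatures.
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Separate from the authentication change: stop answering aggressive mode
! at all, so no identity hash is offered to an unauthenticated initiator.
isakmp am-disable

! The existing crypto map entries keep their peers and transform sets;
! only the per-peer pre-shared keys are retired (one line per site).
no isakmp key <old-psk> address 203.0.113.2 netmask 255.255.255.255

! Verification
show ca certificate
show isakmp sa
```

Order matters during the cutover: the remote end of each tunnel must also be enrolled and switched to rsa-sig before the pre-shared key for that peer is removed, or the backup path to that site drops. `show ca certificate` should list both the CA certificate and the device's own certificate on every PIX, and `show isakmp sa` confirms the phase 1 SA comes up in main mode after the change.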
