topic Re: Vulnerability in router C2921 in Network Security

Vulnerability in router C2921

Leftz — Thu, 31 Mar 2022 16:48:11 GMT

Hi We have a router C2921. When tenable scan vulnerability, we got the following info. Not sure if its vpn configuration issue. Anyone can provide suggestions to resolve it? Thank you

of a VPN gateway and gain unauthorized access to private networks.

The remote Internet Key Exchange (IKE) version 1 service seems to

- Disable Aggressive Mode if supported.

Re: Vulnerability in router C2921

balaji.bandi — Wed, 30 Mar 2022 15:09:27 GMT

Can you post the output :

show crypto ikev1 sa

Re: Vulnerability in router C2921

Rob Ingram — Wed, 30 Mar 2022 15:13:10 GMT

@Leftz it may show up as vulnerable in a report, but unless you have an IKEv1 remote access VPN it's likely not a problem.

Aggressive mode can be disabled using - "crypto isakmp aggressive-mode disable"

Use IKEv2 which does not use aggressive mode.

Re: Vulnerability in router C2921

Leftz — Wed, 30 Mar 2022 15:44:43 GMT

Thank you for your reply.

@balaji.bandi, command show crypto ikev2 sa shows nothing there. and command show crypto ikev1 sa cannot be used

@Rob Ingram, Aggressive mode can be disabled using - "crypto isakmp aggressive-mode disable" ---- Can this command impact something else?

Re: Vulnerability in router C2921

balaji.bandi — Wed, 30 Mar 2022 15:50:33 GMT

can you post your config to look what tunnel configured here.

Re: Vulnerability in router C2921

Rob Ingram — Wed, 30 Mar 2022 15:53:29 GMT

@Leftz use "show crypto isakmp sa" if "show crypto ikev1 sa" cannot be used.

As stated aggressive mode is only used with ikev1 remote access vpn. If you provide the output of "show crypto isakmp sa" it will determine whether Main Mode (MM) or Agressive Mode (AM) was used.

Re: Vulnerability in router C2921

Leftz — Wed, 30 Mar 2022 19:43:25 GMT

Please see the below:

A01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE (deleted)

Re: Vulnerability in router C2921

balaji.bandi — Wed, 30 Mar 2022 20:59:55 GMT

as suggest you using MM - so you can delete :

crypto isakmp aggressive-mode disable

Re: Vulnerability in router C2921

Leftz — Wed, 30 Mar 2022 21:18:35 GMT

What aggressive mode should be like when using command show crypto isakmp sa? Thank you

Re: Vulnerability in router C2921

balaji.bandi — Thu, 31 Mar 2022 10:27:59 GMT

The following four modes are found in IKE main mode

MM_NO_STATE* – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
MM_SA_SETUP* – Both peers agree on ISAKMP SA parameters and will move along the process
MM_KEY_EXCH* – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mis-matched authentication type or PSK, if it does not proceed to the next step)
MM_KEY_AUTH* – ISAKMP SA’s have been authenticated in main mode and will proceed to QM_IDLE immediately.

The following three modes are found in IKE aggressive mode

AG_NO_STATE** – ISAKMP SA process has started but has not continued to form (typically do to a connectivity issue with the peer)
AG_INIT_EXCH** – Peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet.
AG_AUTH** – ISAKMP SA’s have been authenticated in aggressive mode and will proceed to QM_IDLE immediately.

Re: Vulnerability in router C2921

Leftz — Thu, 31 Mar 2022 15:50:54 GMT

Thank you balaji. Can we say both modes: main mode and aggressive mode are enabled at the same time by default, or just have to be ONE mode enabled?

Re: Vulnerability in router C2921

Rob Ingram — Thu, 31 Mar 2022 15:55:14 GMT

@Leftz yes both MM and AM are enabled as default in IKEv1, you need to explictly disable the command previously provided.

AM is legacy and generally only used for IKEv1 Remote Access VPN.

From your output you've confirmed your VPN are using MM, so AM is not in use.

Re: Vulnerability in router C2921

Leftz — Wed, 06 Apr 2022 15:54:56 GMT

@Rob Ingram Thank you for your explanation!

Actually there are three kinds of mode in the device. MM, AM, and Quick mode. The QM is similar with AM. So in this device, can we still disable AM?

Re: Vulnerability in router C2921

Rob Ingram — Wed, 06 Apr 2022 16:28:36 GMT

@Leftz no that's incorrect AM is not simlar to QM. AM or MM are used in IKEv1 Phase 1 to form the IKE SA.

QM is used in Phase 2 to form the IPSec SA, which can only be established if the IKE SA has been successfully formed using MM/AM.

Re: Vulnerability in router C2921

Leftz — Wed, 06 Apr 2022 20:08:36 GMT

Thank you Rob. You are right. Looks like "QM_IDLE" is only expression of active tunnel, but when it show "QM_IDLE" with command show crypto isakmp sa, how can we know if it is MM or AM since MA or AM can go into QM?