Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1003
Views
5
Helpful
3
Replies

ASA uses crackable transforms

Go to solution
Mokhalil82
Level 4
Level 4

‎03-04-2019 08:40 AM - edited ‎02-21-2020 08:53 AM

Hi

I have a PCI compliancy vulnerability that states

"Your firewall/VPN system allows a crackable transform to be used. Transforms are a combination of encryption cipher, hashes, authentication types and mod key exchanges.
This is used to support encryption over a VPN connection. Crackable transforms (e.g. using DES or DH Group 1) could potentially be attacked by users."

 

How can I go about disabling certain transform sets. I have 3 IPSEC VPNs on the firewalls. One of the VPNs does have DES and 3DES available in the proposal, can I just remove DES from the proposal without affecting the VPN. What other action may be required.

 

TIA

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎03-04-2019 09:06 AM - edited ‎03-04-2019 09:43 AM

Hi,
Do you control both devices at either end of the VPN?

You need to determine whether those algorithms are actually in use. For those 3 VPN's check the output of
"show crypto ikev1 sa" or "show crypto isakmp sa" and "show crypto ipsec sa" and determine from there which algorithms are in use. If not in use you can remove them.

 

You should probably look to use at least AES-GCM or AES-CBC encryption, SHA-256 integrity and DH group 19 or 21 etc.

HTH

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎03-04-2019 09:06 AM - edited ‎03-04-2019 09:43 AM

Hi,
Do you control both devices at either end of the VPN?

You need to determine whether those algorithms are actually in use. For those 3 VPN's check the output of
"show crypto ikev1 sa" or "show crypto isakmp sa" and "show crypto ipsec sa" and determine from there which algorithms are in use. If not in use you can remove them.

 

You should probably look to use at least AES-GCM or AES-CBC encryption, SHA-256 integrity and DH group 19 or 21 etc.

HTH

Go to solution
Mokhalil82
Level 4
Level 4
In response to Rob Ingram

‎03-06-2019 12:59 PM

Hi

 

I don not manage the other end of the VPN, so am I right in saying that I will need to check whether any of the tunnels use an crackable transform, and then liaise with the other party to work on re-configuring both ends to use more secure transforms?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Mokhalil82

‎03-06-2019 01:19 PM

Hi,
Yes, that's correct. Using the commands previously provided should identify which tunnel is using what algorithms and you can proceed from there.

HTH
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card