Weak IPsec Encryption

Mmiselo
Level 1

Good day,

 

Our Cisco Router 1921 Series failed PCI scans on Weak IPsec Encryption Settings port 500/udp. More information on the scan results,

 

THREAT:

This host contains an ISAKMP/IKE key exchange server to negotiate encryption keys for IPsec Virtual Private Networks (VPNs). The configuration of the server allows clients to establish VPN connections with insecure encryption settings or key lengths. Once established, these connections may allow remote malicious users with access to the VPN data stream to recover the session key used in the connection by performing brute-force key space searches.
Note: This QID will be reported as a Potential Vulnerability (not as a Vulnerability) on some versions of IOS because an ISAKMP SA with weak settings can be established first, and then rejected later by a policy check. Without having VPN authentication credentials, it is impossible to differentiate between this type of setup and a setup that truly allows ISAKMP SA with weak settings.


IMPACT:

A malicious user with access to the VPN data stream may be able to recover the session key of a VPN connection. This would then provide access to all data sent across the VPN connection, which may include passwords and sensitive files.

 

SOLUTION:

Disable the encryption algorithm "DES" (key length of 56 bits) and the key exchange algorithm DH768 (MODP768). Secure replacements are 3DES and DH2048. MSFT has further details under Microsoft Guidance : What is IPSEC?.
Patch: Following are links for downloading patches to fix the vulnerabilities:
bb531150: MSFT IPSEC

 

RESULT:

Algorithm        Description
DES              Data Encryption Standard (56 bits)
DH768 (MODP768)  Diffie-Hellman Key Exchange with 768 bits

 

These are the IPSec parameters we have,

 

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5

 

crypto isakmp key D0MM7MNn7t address *
crypto isakmp key T676uR17G0nN7c7B address *

 

crypto ipsec transform-set * esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set * esp-3des esp-sha-hmac
mode tunnel
!


crypto map BOB 40 ipsec-isakmp
set peer *
set security-association lifetime seconds 1800
set transform-set *
match address 5
crypto map BOB 60 ipsec-isakmp
set peer *
set security-association lifetime seconds 86400
set transform-set *
set pfs group2
match address 1

 

There is no DES or group 1 configured on the tunnels. Could you please advise on the possible remediation?

 

Regards

Nel

2 Replies

marce1000
VIP

 

- Check if this thread can be helpful:

  https://community.cisco.com/t5/vpn/isakmp-allows-weak-ipsec-encryption-settings-ipsec-weak/td-p/2932582

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

dominiclugg
Level 1

Have a look at this link: https://tools.cisco.com/security/center/resources/next_generation_cryptography

Cisco describes this algorithm as Legacy. 

I would recommend using the NGE algorithms. Also take note of the Diffie-Hellman group. The groups you are using are listed as 'Avoid' by Cisco. DH group 21 is the strongest.
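The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the "crypto isakmp policy" blocks the original poster pasted and rates each policy's encryption, hash and DH group against the Cisco NGE classes referred to in the reply above (the rating tables are this example's own summary and are an assumption). The detail it adds that the pasted excerpt hides is defaulting: an ISAKMP policy that omits "encr", "hash" or "group" falls back to IOS defaults (assumed here to be DES, SHA and group 1), so a policy that looks harmless because it only says "authentication pre-share" is in fact a DES/group 1 policy. The script only sees the text it is given; the authoritative view on the router is "show crypto isakmp policy", which also lists any default policies the device has in effect.

```python
"""Audit Cisco IOS 'crypto isakmp policy' blocks against NGE-style ratings.
Added example for this thread, not Cisco code."""
import re
from typing import Dict, List

# Constructed sample: the two ISAKMP policies from the original post, with
# the leading space IOS normally prints for sub-commands, plus one
# following top-level command to show where a policy block ends.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key REDACTED-KEY address *
"""

# Values IOS applies when a policy omits the line (assumption: standard IOS
# ISAKMP policy defaults; confirm on the device with 'show crypto isakmp policy').
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1",
                   "authentication": "rsa-sig", "lifetime": "86400"}

# Rating tables: this example's summary of Cisco's NGE classes (assumption).
ENCR_RATING = {"des": "avoid", "3des": "legacy", "aes": "acceptable"}
HASH_RATING = {"md5": "avoid", "sha": "legacy", "sha256": "acceptable",
               "sha384": "acceptable", "sha512": "acceptable"}
GROUP_RATING = {"1": "avoid", "2": "avoid", "5": "avoid", "14": "legacy",
                "15": "acceptable", "16": "acceptable",
                "19": "nge", "20": "nge", "21": "nge"}


def parse_isakmp_policies(config_text: str) -> Dict[int, Dict[str, str]]:
    """Return {policy_number: {attribute: value}} with IOS defaults filled in."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(POLICY_DEFAULTS)  # start from defaults
            continue
        if current is None or not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] in ("encr", "encryption"):
            policies[current]["encr"] = parts[1]          # "aes 256" -> "aes"
            policies[current]["encr_bits"] = parts[2] if len(parts) > 2 else ""
        elif parts[0] in POLICY_DEFAULTS:
            policies[current][parts[0]] = parts[1]
        else:
            current = None  # any other top-level command ends the policy block
    return policies


def audit_isakmp_policies(config_text: str) -> List[Dict[str, object]]:
    """Flag every encryption, hash or DH group setting rated avoid/legacy/unknown."""
    findings: List[Dict[str, object]] = []
    for number, p in sorted(parse_isakmp_policies(config_text).items()):
        checks = [
            ("encr", p["encr"], ENCR_RATING.get(p["encr"], "unknown")),
            ("hash", p["hash"], HASH_RATING.get(p["hash"], "unknown")),
            ("group", p["group"], GROUP_RATING.get(p["group"], "unknown")),
        ]
        for attribute, value, rating in checks:
            if rating in ("avoid", "legacy", "unknown"):
                findings.append({"policy": number, "attribute": attribute,
                                 "value": value, "rating": rating})
    return findings


if __name__ == "__main__":
    for f in audit_isakmp_policies(SAMPLE_CONFIG):
        print(f"policy {f['policy']}: {f['attribute']}={f['value']} -> {f['rating']}")
```

Run against the pasted excerpt it flags 3DES as legacy, SHA-1 as legacy and groups 2 and 5 as avoid, which matches what the reply says about the configured groups. Feeding it a policy that contains only "authentication pre-share" shows the defaulting problem: it reports DES and group 1, even though neither word appears in the configuration.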
