Solved: Re: Vulnerability in router C2921

Leftz · ‎03-30-2022

Hi We have a router C2921. When tenable scan vulnerability, we got the following info. Not sure if its vpn configuration issue. Anyone can provide suggestions to resolve it? Thank you

of a VPN gateway and gain unauthorized access to private networks.

The remote Internet Key Exchange (IKE) version 1 service seems to

- Disable Aggressive Mode if supported.

balaji.bandi · ‎03-30-2022

as suggest you using MM - so you can delete :

crypto isakmp aggressive-mode disable

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Rob Ingram · ‎03-31-2022

@Leftz yes both MM and AM are enabled as default in IKEv1, you need to explictly disable the command previously provided.

AM is legacy and generally only used for IKEv1 Remote Access VPN.

From your output you've confirmed your VPN are using MM, so AM is not in use.

View solution in original post

balaji.bandi · ‎03-30-2022

Can you post the output :

show crypto ikev1 sa

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎03-30-2022

@Leftz it may show up as vulnerable in a report, but unless you have an IKEv1 remote access VPN it's likely not a problem.

Aggressive mode can be disabled using - "crypto isakmp aggressive-mode disable"

Use IKEv2 which does not use aggressive mode.

Leftz · ‎03-30-2022

Thank you for your reply.

@balaji.bandi, command show crypto ikev2 sa shows nothing there. and command show crypto ikev1 sa cannot be used

@Rob Ingram, Aggressive mode can be disabled using - "crypto isakmp aggressive-mode disable" ---- Can this command impact something else?

balaji.bandi · ‎03-30-2022

can you post your config to look what tunnel configured here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎03-30-2022

@Leftz use "show crypto isakmp sa" if "show crypto ikev1 sa" cannot be used.

As stated aggressive mode is only used with ikev1 remote access vpn. If you provide the output of "show crypto isakmp sa" it will determine whether Main Mode (MM) or Agressive Mode (AM) was used.

Leftz · ‎03-30-2022

Please see the below:

A01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE (deleted)

balaji.bandi · ‎03-30-2022

as suggest you using MM - so you can delete :

crypto isakmp aggressive-mode disable

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz · ‎03-30-2022

What aggressive mode should be like when using command show crypto isakmp sa? Thank you

balaji.bandi · ‎03-31-2022

The following four modes are found in IKE main mode

MM_NO_STATE* – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
MM_SA_SETUP* – Both peers agree on ISAKMP SA parameters and will move along the process
MM_KEY_EXCH* – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mis-matched authentication type or PSK, if it does not proceed to the next step)
MM_KEY_AUTH* – ISAKMP SA’s have been authenticated in main mode and will proceed to QM_IDLE immediately.

The following three modes are found in IKE aggressive mode

AG_NO_STATE** – ISAKMP SA process has started but has not continued to form (typically do to a connectivity issue with the peer)
AG_INIT_EXCH** – Peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet.
AG_AUTH** – ISAKMP SA’s have been authenticated in aggressive mode and will proceed to QM_IDLE immediately.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Leftz · ‎03-31-2022

Thank you balaji. Can we say both modes: main mode and aggressive mode are enabled at the same time by default, or just have to be ONE mode enabled?

Rob Ingram · ‎03-31-2022

@Leftz yes both MM and AM are enabled as default in IKEv1, you need to explictly disable the command previously provided.

AM is legacy and generally only used for IKEv1 Remote Access VPN.

From your output you've confirmed your VPN are using MM, so AM is not in use.

Leftz · ‎04-06-2022

@Rob Ingram Thank you for your explanation!

Actually there are three kinds of mode in the device. MM, AM, and Quick mode. The QM is similar with AM. So in this device, can we still disable AM?

Rob Ingram · ‎04-06-2022

@Leftz no that's incorrect AM is not simlar to QM. AM or MM are used in IKEv1 Phase 1 to form the IKE SA.

QM is used in Phase 2 to form the IPSec SA, which can only be established if the IKE SA has been successfully formed using MM/AM.

Leftz · ‎04-06-2022

Thank you Rob. You are right. Looks like "QM_IDLE" is only expression of active tunnel, but when it show "QM_IDLE" with command show crypto isakmp sa, how can we know if it is MM or AM since MA or AM can go into QM?