Vulnerability in router C2921

Leftz
Level 4

Hi, we have a router C2921. When Tenable scanned it for vulnerabilities, we got the following info. Not sure if it's a VPN configuration issue. Can anyone provide suggestions to resolve it? Thank you

of a VPN gateway and gain unauthorized access to private networks.

The remote Internet Key Exchange (IKE) version 1 service seems to

- Disable Aggressive Mode if supported.

2 Accepted Solutions: balaji.bandi's reply giving "crypto isakmp aggressive-mode disable" and Rob Ingram's reply that both MM and AM are enabled by default in IKEv1 (both appear in full among the replies below).

14 Replies

balaji.bandi
Hall of Fame

Can you post the output of:

show crypto ikev1 sa

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@Leftz it may show up as vulnerable in a report, but unless you have an IKEv1 remote access VPN it's likely not a problem.

Aggressive mode can be disabled using "crypto isakmp aggressive-mode disable".

Use IKEv2, which does not use aggressive mode.

Leftz
Level 4

Thank you for your reply.

@balaji.bandi, the command show crypto ikev2 sa shows nothing there, and the command show crypto ikev1 sa cannot be used.

@Rob Ingram "Aggressive mode can be disabled using crypto isakmp aggressive-mode disable" ---- Can this command impact something else?

 

Can you post your config so we can look at what tunnel is configured here.

BB

@Leftz use "show crypto isakmp sa" if "show crypto ikev1 sa" cannot be used.

As stated, aggressive mode is only used with IKEv1 remote access VPN. If you provide the output of "show crypto isakmp sa" it will determine whether Main Mode (MM) or Aggressive Mode (AM) was used.

Leftz
Level 4

Please see the below:

A01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE (deleted)

As suggested, you are using MM, so you can delete:

crypto isakmp aggressive-mode disable

BB

Leftz
Level 4

What should aggressive mode look like in the output of the command show crypto isakmp sa? Thank you

 

The following four states are found in IKE main mode:

  • MM_NO_STATE* – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
  • MM_SA_SETUP* – Both peers agree on ISAKMP SA parameters and will move along the process
  • MM_KEY_EXCH* – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mismatched authentication type or PSK, if it does not proceed to the next step)
  • MM_KEY_AUTH* – ISAKMP SAs have been authenticated in main mode and will proceed to QM_IDLE immediately.

The following three states are found in IKE aggressive mode:

  • AG_NO_STATE** – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
  • AG_INIT_EXCH** – Peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet.
  • AG_AUTH** – ISAKMP SAs have been authenticated in aggressive mode and will proceed to QM_IDLE immediately.

BB

Leftz
Level 4

Thank you balaji. Can we say both modes, main mode and aggressive mode, are enabled at the same time by default, or does only ONE mode have to be enabled?

@Leftz yes, both MM and AM are enabled by default in IKEv1; you need to explicitly disable it with the command previously provided.

AM is legacy and generally only used for IKEv1 Remote Access VPN.

From your output you've confirmed your VPN are using MM, so AM is not in use.

Leftz
Level 4

@Rob Ingram Thank you for your explanation!

Actually there are three kinds of mode in the device: MM, AM, and Quick Mode. The QM is similar to AM. So in this device, can we still disable AM?

@Leftz no, that's incorrect. AM is not similar to QM. AM or MM are used in IKEv1 Phase 1 to form the IKE SA.

QM is used in Phase 2 to form the IPSec SA, which can only be established if the IKE SA has been successfully formed using MM/AM.
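The state list balaji.bandi posted (MM_* for main mode, AG_* for aggressive mode, QM_IDLE once Phase 1 is complete) and Rob's Phase 1 / Phase 2 distinction can be turned into a small audit script. The following is an added example written for this thread, not code from Cisco or from any poster: it parses IOS "show crypto isakmp sa" output, labels each SA with the Phase 1 mode its state column implies, and checks a running-config for the "crypto isakmp aggressive-mode disable" line. The two MM_NO_STATE rows are Leftz's own output; the QM_IDLE and AG_INIT_EXCH rows, the peer addresses 3.2.2.9 and 3.2.2.10, and the config snippets are constructed for the example.

```python
"""Classify ISAKMP SAs from IOS 'show crypto isakmp sa' output by IKEv1 Phase 1
mode, using the state names listed in the thread, and check the running
config for 'crypto isakmp aggressive-mode disable'.

Sample inputs below are constructed for this example; only the two
MM_NO_STATE rows are taken from the thread."""
from dataclasses import dataclass
from typing import Dict, List

# State names from the thread: MM_* = main mode, AG_* = aggressive mode.
MAIN_MODE_STATES = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH"}
AGGRESSIVE_MODE_STATES = {"AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH"}
PHASE2_STATES = {"QM_IDLE"}  # IKE SA established; Phase 1 mode no longer shown in this column


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str  # e.g. "ACTIVE" or "ACTIVE (deleted)"

    @property
    def mode(self) -> str:
        """Phase 1 mode implied by the state column."""
        if self.state in MAIN_MODE_STATES:
            return "main"
        if self.state in AGGRESSIVE_MODE_STATES:
            return "aggressive"
        if self.state in PHASE2_STATES:
            return "phase2-idle"  # MM vs AM is not visible here once the SA reaches QM_IDLE
        return "unknown"


def parse_isakmp_sa(show_output: str) -> List[IsakmpSa]:
    """Parse SA rows, skipping the prompt, section titles and the column header."""
    sas: List[IsakmpSa] = []
    for line in show_output.splitlines():
        # dst, src, state, conn-id, status; status may contain spaces ("ACTIVE (deleted)")
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[3].isdigit() or "_" not in parts[2]:
            continue  # header "dst src state conn-id status" fails the digit check
        sas.append(IsakmpSa(parts[0], parts[1], parts[2], int(parts[3]), parts[4]))
    return sas


def aggressive_mode_disabled(running_config: str) -> bool:
    """True if the global 'crypto isakmp aggressive-mode disable' line is present."""
    return any(l.strip() == "crypto isakmp aggressive-mode disable"
               for l in running_config.splitlines())


def audit(show_output: str, running_config: str) -> Dict[str, object]:
    """Count SAs per mode and report findings a scanner like Tenable would care about."""
    sas = parse_isakmp_sa(show_output)
    counts: Dict[str, int] = {"main": 0, "aggressive": 0, "phase2-idle": 0, "unknown": 0}
    for sa in sas:
        counts[sa.mode] += 1
    findings: List[str] = []
    if counts["aggressive"]:
        findings.append(f"{counts['aggressive']} SA(s) negotiating in aggressive mode")
    if not aggressive_mode_disabled(running_config):
        findings.append("aggressive mode not disabled in running-config "
                        "(IKEv1 accepts both MM and AM by default)")
    return {"counts": counts, "findings": findings}


# Constructed sample: first two rows are from the thread, the rest are made up.
SAMPLE_SHOW = """\
A01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE (deleted)
5.1.1.8         3.2.2.9         QM_IDLE           1002 ACTIVE
5.1.1.8         3.2.2.10        AG_INIT_EXCH         0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed config fragments: before and after applying the fix from the thread.
SAMPLE_CONFIG_BEFORE = "crypto isakmp policy 10\n encr aes\n hash sha256\n"
SAMPLE_CONFIG_AFTER = SAMPLE_CONFIG_BEFORE + "crypto isakmp aggressive-mode disable\n"

if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_SHOW):
        print(f"{sa.dst} <- {sa.src:<10} {sa.state:<14} {sa.mode}")
    print("before:", audit(SAMPLE_SHOW, SAMPLE_CONFIG_BEFORE)["findings"])
    print("after: ", audit(SAMPLE_SHOW, SAMPLE_CONFIG_AFTER)["findings"])
```

Run it against your own "show crypto isakmp sa" and "show running-config" captures. Note that an SA sitting at QM_IDLE is reported as "phase2-idle" rather than MM or AM, because that column only reveals the Phase 1 mode while the MM_*/AG_* states are in progress; the config check is what confirms that aggressive mode cannot be negotiated at all.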

Leftz
Level 4

Thank you Rob. You are right. Looks like "QM_IDLE" is the only expression of an active tunnel, but when it shows "QM_IDLE" in the output of show crypto isakmp sa, how can we know if it is MM or AM, since MM or AM can go into QM?
