10-19-2012 06:45 AM - edited 03-04-2019 05:54 PM
I have a 3DES crypto map and 3DES transform set on a router. We had an audit done that said we were running DES on the router. I am not seeing it, since I have only one tunnel. Could I just block DES on the ACL? If so, what port?
10-19-2012 06:49 AM
Check that you are not still allowing a DES connection on your crypto map.
Can you post your config?
10-19-2012 07:09 AM
Sorry I should have posted it.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 25
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set vendor esp-3des esp-md5-hmac
crypto ipsec transform-set SAPoss esp-3des esp-md5-hmac
crypto map vendors client authentication list userauthen
crypto map vendors isakmp authorization list groupauthor
crypto map vendors client configuration address respond
crypto map vendors 30 ipsec-isakmp
description connection to Sap OSS
set peer XXXXX
set security-association lifetime seconds 7200
set transform-set SAPoss
match address SAPOSS
ip access-list extended SAPOSS
permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
permit ip host xxx.xxx.xxx.xxx host xx.xxx.xx.xx
permit ip host xx.xxx.xx.xx host xxx.xxx.xxx.xxx
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 25
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set vendor esp-3des esp-md5-hmac
crypto ipsec transform-set SAPoss esp-3des esp-md5-hmac
crypto map vendors client authentication list userauthen
crypto map vendors isakmp authorization list groupauthor
crypto map vendors client configuration address respond
crypto map vendors 30 ipsec-isakmp
description connection to Sap OSS
set peer xxx.xx.xxx.xxx
set security-association lifetime seconds 7200
set transform-set SAPoss
match address SAPOSS
ip access-list extended SAPOSS
permit ip host xxx.xxx.xxx.xxx host xx.xxx.xx.xxx
permit ip host xxx.xxx.xxx.xxx host xx.xxx.xx.xx
permit ip host xxx.xxx.xx.xx host xxx.xxx.xxx.xxx
10-19-2012 10:26 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Your auditor might be "seeing" the default crypto policy, which might be DES.
I.e.
#sh crypto isakmp pol
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 2
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
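Since the auditor most likely flagged that trailing "Default protection suite", a quick way to check a whole fleet is to run the text of show crypto isakmp policy through a small parser and list every suite, default included, that still offers DES, 3DES, MD5 or a small DH group. The script below is an added example, not code from the thread or from Cisco; the sample output is the listing pasted above, and the thresholds (flag DES, 3DES, MD5 and DH groups below 14) are my own assumptions rather than anything the thread states.

```python
"""Audit 'show crypto isakmp policy' output for weak IKE phase-1 suites.

Added example, not from the thread.  Parses the text form of the IOS command
and reports which protection suite, including the built-in default suite,
still offers DES, 3DES, MD5 or a Diffie-Hellman group below 14 (the cut-off
is an assumption; the thread itself only calls DES and 3DES/MD5 weak).
"""
import re

# Sample output, copied from the 'sh crypto isakmp pol' listing in the thread.
SAMPLE_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

# A suite header is either "Protection suite of priority N" or the built-in
# "Default protection suite" that the auditor is most likely reporting on.
SUITE_RE = re.compile(r"^(?:Protection suite of priority (\d+)|(Default) protection suite)\s*$")
# Attribute lines look like "<name>:   <value>" with arbitrary indentation.
ATTR_RE = re.compile(r"^\s*([A-Za-z\- ]+?):\s+(.*?)\s*$")

MIN_DH_GROUP = 14  # assumption: groups 1, 2 and 5 are flagged


def parse_policies(text):
    """Return a list of dicts, one per suite, keyed by lower-cased attribute name."""
    policies = []
    current = None
    for line in text.splitlines():
        header = SUITE_RE.match(line.strip())
        if header:
            current = {"name": header.group(1) or header.group(2)}
            policies.append(current)
            continue
        if current is None:          # skip "Global IKE policy" and other preamble
            continue
        attr = ATTR_RE.match(line)
        if attr:
            current[attr.group(1).strip().lower()] = attr.group(2)
    return policies


def weaknesses(policy):
    """List the weak attributes of one suite; an empty list means acceptable."""
    found = []
    enc = policy.get("encryption algorithm", "")
    if re.search(r"\bDES\b", enc) and "triple" not in enc.lower():
        found.append("DES encryption")
    elif "triple DES" in enc:
        found.append("3DES encryption")
    digest = policy.get("hash algorithm", "")
    if "MD5" in digest.upper() or "Message Digest" in digest:
        found.append("MD5 hash")
    group = re.search(r"#(\d+)", policy.get("diffie-hellman group", ""))
    if group and int(group.group(1)) < MIN_DH_GROUP:
        found.append(f"DH group {group.group(1)}")
    return found


def audit(text):
    """Map suite name (priority number or 'Default') to its list of weaknesses."""
    return {p["name"]: weaknesses(p) for p in parse_policies(text)}


if __name__ == "__main__":
    for name, weak in audit(SAMPLE_OUTPUT).items():
        status = "OK" if not weak else "WEAK: " + ", ".join(weak)
        print(f"suite {name:8s} {status}")
```

On the listing above this reports priority 1 as 3DES with DH group 5, priority 2 as AES but still DH group 5, and the default suite as DES with DH group 1, which is exactly the finding an audit tool would raise even though no configured tunnel uses DES.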
10-19-2012 12:15 PM
Yes, there is a default; what are the commands to remove it? Thanks again.
10-19-2012 02:18 PM
I tried "no crypto isakmp default policy" but it didn't work. The version is:
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
SAPoss uptime is 50 weeks, 2 days, 35 minutes
System returned to ROM by power-on
System restarted at 15:25:13 CDT Wed Nov 2 2011
System image file is "flash:c2800nm-advsecurityk9-mz.124-25b.bin"
10-19-2012 05:49 PM
I'm unaware of a method to negate the default policy, but what the default policy supports is an encrypted connection using DES; that's not the same as having, or permitting, a session to use DES. The latter is controlled by your session key and session source.
10-19-2012 10:50 PM
Dear Tracy,
Please check this out:
crypto isakmp default policy
To enable default policies for Internet Security Association and Key Management Protocol (ISAKMP) protection suite, use the crypto isakmp default policy command in global configuration mode. To disable the default IKE policies, use the no form of this command.
crypto isakmp default policy
no crypto isakmp default policy
Syntax Description
This command has no arguments or keywords.
Command Default
The default ISAKMP policies are enabled.
Command Modes
Global configuration (config)
Command History
| Release | Modification |
|---|---|
| 12.4(20)T | This command was introduced. |
| Cisco IOS XE Release 2.4 | This command was implemented on the Cisco ASR 1000 series routers. |
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1051491
Please mark this post as answered and rate any helpful posts.
Portu
Message was edited by: Javier Portuguez
10-20-2012 05:17 AM
Javier great information! I've rated it as a 5.
However, the feature was introduced in 12.4(20)T, and the original poster, in a later post, notes he is using 12.4(25b). I.e. it doesn't solve the issue for him unless he upgrades his IOS.
10-20-2012 08:54 AM
Hi Joseph,
Thanks for taking the time to rate my post!
At this point I think that most likely a newer platform must be purchased in order to run the latest 15.x code version.
Thanks.
Portu
10-20-2012 11:39 AM
At this point I think that most likely a newer platform must be purchased in order to run the latest 15.x code version.
Not really. ISR routers can run up to 15.1(4)M. The OP is running very old code.
10-21-2012 02:11 AM
And be aware of the fact that the default policies in 12.4(20)T are different from the default policy in previous versions. The defaults in the newer IOS are quite fine if you still feel comfortable with DH5 and DH2 (but 3DES and MD5 are also included, so it's really best to disable them).
10-21-2012 04:31 AM
(but 3DES and MD5 are also included, so it's really best to disable them).
I can see disabling "weak" default encryption policies to preclude "accidentally" using a "weak" encryption policy, but do you see any other reasons to be particularly concerned?
10-21-2012 04:50 AM
I can see disabling "weak" default encryption policies to preclude "accidentally" using a "weak" encryption policy, but do you see any other reasons to be particularly concerned?
The main problem I see is also the misconfiguration. But for a paranoid security guy it shouldn't be ignored that a MitM attacker could manipulate the phase-one packets and remove the strong algorithms. But that was more relevant in older IOS where DES was the default (and most of the time not relevant, as the default was also RSA-SIG).
In any case, I think having a rule in logcheck available that looks for the relevant syslog entries (CRYPTO-6-IKMP_POLICY_DEFAULT and CRYPTO-6-IPSEC_USING_DEFAULT) is a good choice.
And for 3DES: well, it's just not state of the art any more:
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
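A detection rule of the kind mentioned above can be checked offline before it goes into logcheck. The script below is an added example, not code from the thread or from Cisco: it parses lines in the usual %FACILITY-SEVERITY-MNEMONIC syslog shape and flags the two mnemonics named in the post. The four sample log lines are constructed for this example; only the mnemonics come from the thread, and the free text after each colon, the host name and the sequence numbers are assumed.

```python
"""Flag router syslog entries that report use of the built-in default IKE/IPsec policies.

Added example, not from the thread.  Matches the two mnemonics the post
suggests watching for, CRYPTO-6-IKMP_POLICY_DEFAULT and
CRYPTO-6-IPSEC_USING_DEFAULT, in Cisco's %FACILITY-SEVERITY-MNEMONIC format.
"""
import re
from collections import Counter

# Constructed sample lines: host name, sequence numbers and the message text
# after each colon are assumptions; the mnemonics are the ones from the thread.
SAMPLE_SYSLOG = """\
Oct 21 04:50:01 rtr1 1234: *Oct 21 04:50:00.123: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
Oct 21 04:50:02 rtr1 1235: *Oct 21 04:50:01.456: %CRYPTO-6-IPSEC_USING_DEFAULT: Using default transform set
Oct 21 04:50:03 rtr1 1236: *Oct 21 04:50:02.789: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Oct 21 04:50:04 rtr1 1237: *Oct 21 04:50:03.012: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Generic Cisco IOS syslog message: %FACILITY-SEVERITY-MNEMONIC: free text
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")

# Messages that mean a peer negotiated with a default suite instead of one
# of the configured policies.
DEFAULT_POLICY_MNEMONICS = {
    "CRYPTO-6-IKMP_POLICY_DEFAULT": "IKE phase 1 used a default ISAKMP policy",
    "CRYPTO-6-IPSEC_USING_DEFAULT": "IPsec SA used a default transform set",
}


def parse_line(line):
    """Return (facility, severity, mnemonic, text), or None for non-IOS lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    facility, severity, mnemonic, text = m.groups()
    return facility, int(severity), mnemonic, text


def find_default_policy_use(lines):
    """Return [(key, explanation, raw_line)] for every line that hits the watch list."""
    hits = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        facility, severity, mnemonic, _ = parsed
        key = f"{facility}-{severity}-{mnemonic}"
        if key in DEFAULT_POLICY_MNEMONICS:
            hits.append((key, DEFAULT_POLICY_MNEMONICS[key], raw.rstrip()))
    return hits


def summarize(lines):
    """Count hits per mnemonic; any non-zero count is what an alert should key on."""
    return Counter(key for key, _, _ in find_default_policy_use(lines))


def logcheck_rule():
    """Extended regex matching either message, in the shape a logcheck
    violations.d file takes (assumption: the thread only says such a rule is worth having)."""
    return r"%CRYPTO-6-(IKMP_POLICY_DEFAULT|IPSEC_USING_DEFAULT):"


if __name__ == "__main__":
    for key, why, raw in find_default_policy_use(SAMPLE_SYSLOG.splitlines()):
        print(f"{key}: {why}\n    {raw}")
```

Either message means a peer completed negotiation with something the operator never explicitly configured, so on a router where every tunnel is supposed to use a named policy a single hit is worth an alert, not just a count.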
10-21-2012 05:23 AM
After reading through all answers I think the question is still not answered ...
1) DES cannot be blocked by an ACL. The algorithms are negotiated through a communication that by default runs on UDP/500. You should see a corresponding ACE in your outside ACL.
2) If you upgrade your router to a recent IOS (at least 12.4(20)T), then there is no default-policy with DES available any more as the defaults changed.