02-02-2020 11:24 PM
Good day ,
We are running ikev1 IPSec tunnel on one of our Cisco routers (1921).
There are some vulnerabilities that have been identified:
Cisco IOS IKEv1 Packet Handling Remote Information Disclosure (cisco-sa-20160916-ikev1) (BENIGNCERTAIN) (uncredentialed check) - CVE-2016-6415
So now we need to allow IKEv1 connections only from known peers and block unknown peers.
May you please assist with the options or ways to block all other peers and allow specific ones? This has to be done locally on the Cisco router.
Regards
Nelson
02-03-2020 12:18 AM
Hello,
It depends on what you mean by unknown peers. Are these dynamic peers on the remote end? Typically, a crypto keyring and a 'match identity address' in the ISAKMP profile should keep unknown hosts from connecting.
02-03-2020 12:32 AM
Good day,
There are no dynamic peers used. We are connecting to specific clients with unique peer IPs. So we want to only allow peer IPs from these clients and block all other IKEv1 attempts from peer IPs that are not our clients.
02-03-2020 12:49 AM - edited 02-03-2020 06:13 AM
Hello
@Mmiselo wrote:
So we want to only allow peer IPs from these clients and block all other IKEv1 attempts from peer IPs that are not our clients.
Sounds like an access-list would perform this requirement. The one below just shows you a simple permit/deny ACL for ISAKMP; obviously you will need a more specific access-list to allow the other protocols relating to your current setup.
Example:
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq ??
access-list 100 permit udp host 3.3.3.3 host 2.2.2.2 eq isakmp
access-list 100 permit udp host 3.3.3.3 host 2.2.2.2 eq ??
access-list 100 deny udp any any eq isakmp
access-list 100 deny udp any any eq ??
access-list 100 permit ip any any
02-03-2020 05:56 AM
Hello Paul,
Thanks for the response!
Do I need to attach the ACL to the interface as an access-group, or do I add it as it is?
02-03-2020 06:15 AM
Hello
Yes, it will need to be applied to the interface(s) running IP security.
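Putting Georg's keyring/ISAKMP-profile suggestion and Paul's ACL together in one IOS configuration, as an added example that is not taken from the thread (the ?? ports in Paul's list are filled here with the real IOS keywords for NAT-T and ESP). The peer addresses 1.1.1.1 and 3.3.3.3, the router's WAN address 2.2.2.2, the interface name, the ACL number, the profile/keyring names and the key strings are all assumed placeholders.

```cisco
! 1. Accept IKEv1 (udp/500), NAT-T (udp/4500) and ESP only from the known peers.
!    The inbound ACL drops unknown peers before the IKE code ever sees the packet,
!    which is the point of the mitigation for the IKEv1 packet-handling advisory.
access-list 100 remark --- IKEv1 / IPsec from known peers only ---
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq non500-isakmp
access-list 100 permit esp host 1.1.1.1 host 2.2.2.2
access-list 100 permit udp host 3.3.3.3 host 2.2.2.2 eq isakmp
access-list 100 permit udp host 3.3.3.3 host 2.2.2.2 eq non500-isakmp
access-list 100 permit esp host 3.3.3.3 host 2.2.2.2
! 'log' on the deny lines gives a syslog record of every blocked IKE/ESP attempt.
access-list 100 deny   udp any any eq isakmp log
access-list 100 deny   udp any any eq non500-isakmp log
access-list 100 deny   esp any any log
! Caveat: IOS checks the inbound ACL again on the decrypted packet, so the rest of
! the existing inbound policy (or this catch-all) must still permit the inner traffic.
access-list 100 remark --- existing inbound policy continues here ---
access-list 100 permit ip any any
!
! 2. Apply it inbound on the interface that carries the crypto map (assumed name).
interface GigabitEthernet0/0
 ip access-group 100 in
!
! 3. Second layer: ISAKMP only negotiates with identities listed in the profile,
!    so a peer that is not in the keyring has no pre-shared key and no profile match.
crypto keyring KNOWN-PEERS
 pre-shared-key address 1.1.1.1 key PLACEHOLDER-KEY-1
 pre-shared-key address 3.3.3.3 key PLACEHOLDER-KEY-2
!
crypto isakmp profile KNOWN-PEERS-PROFILE
 keyring KNOWN-PEERS
 match identity address 1.1.1.1 255.255.255.255
 match identity address 3.3.3.3 255.255.255.255
! Reference the profile from the existing crypto map entry with
! 'set isakmp-profile KNOWN-PEERS-PROFILE'.
!
! Verification: blocked attempts appear as hit counts on the deny lines and,
! because of 'log', as %SEC-6-IPACCESSLOGP syslog messages.
! show ip access-lists 100
! show crypto isakmp sa
```

Remove any global 'crypto isakmp key ... address' entries for peers that are now in the keyring, otherwise the global key still matches before the profile is consulted.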
02-03-2020 01:11 AM
Hello,
not sure if you have seen the document linked below yet...
02-03-2020 05:59 AM
Thanks Georg,
I will go through the doc and advise.