2001 Views | 10 Helpful | 7 Replies

Block Ikev1 connections

Mmiselo (Level 1)

Good day,

We are running an IKEv1 IPsec tunnel on one of our Cisco routers (1921).

There are some vulnerabilities that have been identified:

Cisco IOS IKEv1 Packet Handling Remote Information Disclosure (cisco-sa-20160916-ikev1) (BENIGNCERTAIN) (uncredentialed check) - CVE-2016-6415

So now we need to allow IKEv1 connections only from known peers and block unknown peers.

May you please assist with the options or ways to block all other peers and allow specific ones? This has to be done locally on the Cisco router.

Regards

Nelson

 

2 Accepted Solutions

7 Replies

Hello,

It depends on what you mean by unknown peers; are these dynamic peers on the remote end? Typically, a crypto keyring and a 'match identity address' in the ISAKMP profile should keep unknown hosts from connecting.
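To make the keyring-plus-profile approach concrete, here is an added example configuration; it is not from this thread and not Cisco's own text. The peer addresses 1.1.1.1 and 3.3.3.3, the names of the keyring, profile, transform set, crypto map and the two traffic access lists are assumed, and the pre-shared keys are placeholders to be replaced. One caveat relevant to the CVE in the question: the profile decides whether an initiator is allowed to authenticate and get a tunnel, but the router has already received and parsed that initiator's IKE packets by the time the identity is matched, so this controls who can build a tunnel rather than who can send IKE to the router at all.

```cisco
! Added example (not from the thread): restrict IKEv1 to two known static
! peers with a keyring and an ISAKMP profile. Addresses, names and the
! transform set are hypothetical; the pre-shared keys are placeholders.
crypto keyring KNOWN-PEERS-KEYS
 pre-shared-key address 1.1.1.1 255.255.255.255 key <PSK-FOR-PEER-1>
 pre-shared-key address 3.3.3.3 255.255.255.255 key <PSK-FOR-PEER-2>
!
crypto isakmp profile KNOWN-PEERS
 keyring KNOWN-PEERS-KEYS
 ! Only an IKE identity of exactly these addresses matches the profile;
 ! any other initiator fails Phase 1 instead of getting a tunnel.
 match identity address 1.1.1.1 255.255.255.255
 match identity address 3.3.3.3 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
! Each crypto map entry is bound to the profile, so a peer that does not
! match one of the identities above cannot negotiate this entry.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS-AES
 set isakmp-profile KNOWN-PEERS
 match address VPN-TRAFFIC-PEER-1
crypto map VPN-MAP 20 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set TS-AES
 set isakmp-profile KNOWN-PEERS
 match address VPN-TRAFFIC-PEER-2
```

After applying the map to the outside interface, `show crypto isakmp sa` shows which peers reached an established Phase 1, and `show crypto isakmp profile` confirms the identity matches the profile accepts.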

Good day,

There are no dynamic peers used. We are connecting to specific clients with unique peer IPs. So we want to only allow peer IPs from these clients and block all other IKEv1 attempts from peer IPs that are not our clients.

Hello


@Mmiselo wrote:

So we want to only allow peer IP from these clients and block all other ikev1 attempts from peer iP's that are not our clients.


Sounds like an access-list would perform this requirement. The one below just shows you a simple permit/deny ACL for ISAKMP; obviously you will need to have a more specific access-list to allow other protocols relating to your current setup -

example:
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq ??
access-list 100 permit udp host 3.3.3.3 host 2.2.2.2 eq isakmp
access-list 100 permit udp host 3.3.3.3 host 2.2.2.2 eq ??
access-list 100 deny udp any any eq isakmp
access-list 100 deny udp any any eq ??
access-list 100 permit ip any any

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

Thanks for the response!

Do I need to attach the ACL to the interface as an access-group, or do I add it as it is?

Hello

Yes, it will need to be applied to the interface(s) running IP security.

Kind Regards
Paul
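Putting Paul's ACL idea and the access-group step together, here is an added example (mine, not from the thread or from Cisco) of an inbound ACL on the Internet-facing interface that admits IKE and ESP only from the two known peers and drops, with logging, IKE from anyone else. The peer addresses 1.1.1.1 and 3.3.3.3, the router's public address 2.2.2.2, the interface, and the ACL and crypto map names are assumed. The example goes slightly beyond the thread's ACL by covering the two ports IKEv1 actually uses (UDP 500, and UDP 4500 when a peer sits behind NAT) and the ESP payload. Unlike the ISAKMP profile, an inbound interface ACL discards unknown sources' IKE packets before the IKE code processes them, which is the control that matters for an unauthenticated packet-handling bug like CVE-2016-6415.

```cisco
! Added example (not from the thread): inbound ACL that only lets the two
! known peers talk IKE/IPsec to the router's own address 2.2.2.2 and logs
! every other IKE attempt. Addresses, interface and names are hypothetical.
ip access-list extended WAN-IN
 ! IKEv1 Phase 1/2 on UDP 500
 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
 permit udp host 3.3.3.3 host 2.2.2.2 eq isakmp
 ! IKE and ESP encapsulated in UDP 4500 when a peer is behind NAT (NAT-T)
 permit udp host 1.1.1.1 host 2.2.2.2 eq non500-isakmp
 permit udp host 3.3.3.3 host 2.2.2.2 eq non500-isakmp
 ! Native ESP (IP protocol 50) carrying the tunnel payload
 permit esp host 1.1.1.1 host 2.2.2.2
 permit esp host 3.3.3.3 host 2.2.2.2
 ! Any other IKE attempt is dropped before the IKE code sees it; 'log'
 ! gives a syslog record of the source so unknown initiators are visible.
 deny udp any any eq isakmp log
 deny udp any any eq non500-isakmp log
 ! An IOS ACL ends in an implicit deny, so this keeps the rest of today's
 ! inbound traffic working; tighten it to your real inbound requirements.
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing interface carrying the IPsec tunnels
 ip address 2.2.2.2 255.255.255.252
 ip access-group WAN-IN in
 crypto map VPN-MAP
```

Because the ACL is applied inbound, it filters packets addressed to the router itself, which is exactly what is wanted here. `show access-lists WAN-IN` shows per-line hit counts, so you can confirm the known peers hit the permit lines and watch the deny counters for unknown sources; the logged denies appear in `show logging` or on your syslog collector.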

Thanks Georg,

I will go through the doc and advise.
