I have the same issue and I - Page 2

whiteford · ‎09-17-2007

Our vulnerability scanner (Qualys) has come back with this vulnerability against our Cisco 837 DSL router VPN that connects to a Cisco Concentrator. Is my Pre-shared key too short - 8 characters?

Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode port 500/udp

THREAT:

IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.

IMPACT:

Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.

SOLUTION:

IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.

Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.

Steven Williams · ‎02-10-2015

Looking for an update on this as I have the same issue.

Richard Burts · ‎02-10-2015

The description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router based site to site VPN use main mode (though aggressive mode is an option) while many Remote Access VPN use aggressive mode. So which mode are you using?

The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.

HTH

Rick

HTH

Rick

Steven Williams · ‎02-24-2015

These are Site to Site VPNs using ASA 5505's terminating to ASA 5525-X series firewalls. The key like 8-10 characters and we DO NOT change them on a regular basis, that would be a nightmare.

How and where do you find out in an ASA if its aggressive or main mode?

Richard Burts · ‎02-24-2015

There are several ways that you can check on the mode used (main or aggressive). Probably the easiest is to use ASDM. Choose the options to Monitor-> VPN -> VPN statistics -> Sessions and then specify l2l which will display the various Lan to Lan VPNs. Click on one of them and then click Details. In the output will be an indication of the mode used.

HTH

Rick

HTH

Rick

sistematico · ‎08-05-2016

I have the same issue and I fixed it by disable the aggresive mode inbound with the command crypto ikev1 am-disable on any cisco ASA platform will work..

Richard Burts · ‎08-05-2016

That is good to know. Thank you for posting it to this discussion.

HTH

Rick

HTH

Rick