09-18-2018 02:51 AM
I have an ASA with ASDM; the customer had a security scan report showing the following vulnerability:
"Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode"
THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
The suggested solution is using a stronger pre-shared key.
1. First, is this related to the VPN profile? And if so, would changing the pre-shared key to something stronger require me to simply change it on all remote access VPN clients?
2. Would changing the password back to the original pre-shared password allow the clients to work normally with the VPN again?
3. I don't know the original password. I went to the more system:running-config to get it; is this the line with the password?
"default-group-policy XXX
tunnel-group XXX webvpn-attributes
group-alias XXX enable
tunnel-group XXX ipsec-attributes
ikev1 pre-shared-key password123" <<<<<<<<<<
09-18-2018 02:57 AM
Hi,
It would be better and more secure if you disabled aggressive mode completely and used main mode, unless there is a good reason why you must use it. Even better, use IKEv2, which is more secure.
Yes, "more system:running-config" displays the current PSK.
HTH
09-18-2018 03:40 AM
09-18-2018 03:52 AM
You should be able to disable it globally using "crypto ikev1 am-disable"; this shouldn't impact any current tunnels, only new ones that are built.
Rob
09-18-2018 04:04 AM
09-18-2018 04:30 AM - edited 09-18-2018 04:30 AM
Correct, it would use main mode without changing the PSK; you can still change the PSK. If you still want to change the PSK, then use the following from the CLI:
tunnel-group XXX ipsec-attributes
ikev1 pre-shared-key NEWSTRONGPSK
If you disable aggressive mode and want to revert back, you'd enter the command "no crypto ikev1 am-disable".
I'd enable the commands on all firewalls and not just the main firewall.
HTH
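As an added example (not from this thread or from Cisco), here is a small Python audit that reads a saved "more system:running-config" excerpt and checks the two things the replies above deal with: whether "crypto ikev1 am-disable" is present, and which tunnel-groups still carry a short IKEv1 pre-shared key. The sample config, the 20-character length threshold and the <NEWSTRONGPSK> placeholder are constructed assumptions, not device output or Cisco defaults.

```python
import re

# Constructed sample of an ASA "more system:running-config" excerpt (not from a
# real device); it mirrors the tunnel-group / ikev1 pre-shared-key lines quoted above.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
tunnel-group RA-VPN general-attributes
 default-group-policy RA-POLICY
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key password123
tunnel-group SITE-B ipsec-attributes
 ikev1 pre-shared-key Vq7#mZp2!eLw9RtX4bNc
tunnel-group SITE-C ipsec-attributes
 ikev1 pre-shared-key *****
"""

MIN_PSK_LEN = 20  # assumed local policy threshold, not a Cisco default


def audit_ikev1(config: str) -> dict:
    """Report whether aggressive mode is disabled and which tunnel-groups carry short
    IKEv1 PSKs. A PSK shown as ***** (plain 'show running-config') cannot be assessed."""
    am_disabled = bool(re.search(r"^crypto ikev1 am-disable\s*$", config, re.M))
    group, weak, masked = None, [], []
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) ipsec-attributes", line)
        if m:
            group = m.group(1)
            continue
        if not line.startswith(" "):  # ASA indents sub-commands by one space
            group = None
            continue
        m = re.match(r"^\s+ikev1 pre-shared-key (\S+)", line)
        if m and group:
            psk = m.group(1)
            if psk == "*****":
                masked.append(group)
            elif len(psk) < MIN_PSK_LEN:
                weak.append(group)
    return {"aggressive_mode_disabled": am_disabled,
            "weak_psk_groups": weak, "masked_psk_groups": masked}


def remediation(findings: dict) -> list:
    """CLI lines to apply, using only the commands given in this thread; the new PSK is a placeholder."""
    cmds = [] if findings["aggressive_mode_disabled"] else ["crypto ikev1 am-disable"]
    for g in findings["weak_psk_groups"]:
        cmds += [f"tunnel-group {g} ipsec-attributes",
                 " ikev1 pre-shared-key <NEWSTRONGPSK>"]
    return cmds
```

Run it against the config pulled from each firewall, not just the main one, since the replies above note that the commands need applying on all of them.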
09-20-2018 02:09 AM
09-21-2018 02:44 AM