changing IKE pre-shared key?

baselzind
Level 6

I have an ASA with ASDM. The customer had a security scan report showing the following vulnerability:

"Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode"

THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.

The suggested solution is using a stronger pre-shared key.

1. First, is this related to the VPN profile? And if so, would changing the pre-shared key to something stronger require me to simply change it on all remote access VPN clients?

2. Would changing the password back to the original pre-shared password allow the clients to work normally with the VPN again?

3. I don't know the original password. I went to "more system:running-config" to get it; is this the line with the password?

"default-group-policy XXX
tunnel-group XXX webvpn-attributes
group-alias XXX enable
tunnel-group XXX ipsec-attributes
ikev1 pre-shared-key password123" <<<<<<<<<<

7 Replies

Hi,

It would be better and more secure if you disabled aggressive mode completely and used main mode, unless there is a good reason why you must use it. Even better, use IKEv2, which is more secure.

Yes, "more system:running-config" displays the current PSK.

HTH

Can you please guide me on how to change it in the GUI and CLI? I think I read somewhere that the mode is automatically chosen?

You should be able to disable it globally using "crypto ikev1 am-disable"; this shouldn't impact any current tunnels, only new ones that are built.

Rob

So this command will use main mode for new tunnels without changing the pre-shared password? And the existing remote VPNs will continue working without any config changes on the outside VPN client PCs? Also, how do I revert back to aggressive mode in case the VPN stops working?

Correct, it would use main mode without changing the PSK; you can still change the PSK. If you still want to change the PSK, then use the following from the CLI:

tunnel-group XXX ipsec-attributes
ikev1 pre-shared-key NEWSTRONGPSK

If you disable aggressive mode and want to revert back, you'd enter the command "no crypto ikev1 am-disable".

I'd enable the commands on all firewalls and not just the main firewall.

HTH

After disabling aggressive mode, the remote VPN user couldn't connect. I had to revert it back so they could connect again?!

The pre-shared key will not change. If there are any issues with new tunnel setup, you can simply revert the change and reinstate the command.

Rob
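The two fixes discussed in this thread (a stronger PSK in the tunnel-group's ipsec-attributes, and "crypto ikev1 am-disable" globally) can be checked against a saved "more system:running-config" dump before touching the box. The script below is an added example, not code from the thread or from Cisco: it parses the tunnel-group / pre-shared-key lines, rates each key, reports whether aggressive mode is still accepted, and flags remote-access groups when aggressive mode is disabled. That last check records why the clients in this thread stopped connecting: IKEv1 remote-access clients that authenticate with a group pre-shared key use aggressive mode to send the group name, so "am-disable" blocks them, and for those groups the workable fixes are a stronger key or a move to IKEv2 (or certificates). The sample config, group names and keys are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the relevant parts of an ASA running-config
# (hypothetical group names and keys; not taken from any real device).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group RA_USERS type remote-access
tunnel-group RA_USERS general-attributes
 default-group-policy RA_POLICY
tunnel-group RA_USERS webvpn-attributes
 group-alias RA_USERS enable
tunnel-group RA_USERS ipsec-attributes
 ikev1 pre-shared-key password123
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key Xk9#vR2!qLm8$Wz4pT7&nB3
"""


@dataclass
class TunnelGroup:
    name: str
    kind: str = "unknown"          # remote-access, ipsec-l2l, ...
    psk: Optional[str] = None      # IKEv1 pre-shared key, if one is configured


def parse_tunnel_groups(config: str) -> Dict[str, TunnelGroup]:
    """Collect tunnel-groups, their type, and the IKEv1 PSK under ipsec-attributes."""
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[TunnelGroup] = None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) type (\S+)", line)
        if m:
            groups.setdefault(m.group(1), TunnelGroup(m.group(1))).kind = m.group(2)
            current = None
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            continue
        if line.startswith("tunnel-group "):
            current = None            # some other attribute section; PSK lines do not belong here
            continue
        m = re.match(r"\s+ikev1 pre-shared-key (\S+)", line)
        if m and current is not None:
            current.psk = m.group(1)
    return groups


def psk_weaknesses(psk: str) -> List[str]:
    """Return a list of reasons the key is weak (empty list means no finding)."""
    if psk.startswith("*****"):
        # 'show running-config' masks keys; the thread's 'more system:running-config' shows them.
        return ["key is masked in this output; read it from 'more system:running-config'"]
    issues = []
    if len(psk) < 20:
        issues.append(f"only {len(psk)} characters")
    classes = sum(bool(re.search(p, psk)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("fewer than three character classes")
    if re.search(r"password|cisco|secret|admin|12345", psk, re.IGNORECASE):
        issues.append("contains a dictionary word or common pattern")
    return issues


def audit(config: str) -> List[str]:
    """Findings for the whole config: global aggressive-mode state plus per-group key quality."""
    findings: List[str] = []
    am_disabled = re.search(r"^crypto ikev1 am-disable\s*$", config, re.MULTILINE) is not None
    if not am_disabled:
        findings.append("global: IKEv1 aggressive mode is accepted (no 'crypto ikev1 am-disable')")
    for g in parse_tunnel_groups(config).values():
        if g.psk is None:
            continue
        for why in psk_weaknesses(g.psk):
            findings.append(f"{g.name} ({g.kind}): weak IKEv1 pre-shared key: {why}")
        if g.kind == "remote-access" and am_disabled:
            findings.append(f"{g.name} (remote-access): IKEv1 PSK clients depend on aggressive mode, "
                            "which is disabled; strengthen the key or move the group to IKEv2")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Run it against a config saved from "more system:running-config" rather than "show running-config", since the latter prints the keys as asterisks and the script will only be able to tell you that a key exists, not whether it is weak.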