IKE Aggressive mode vulnerability

vikaspurohit1 · ‎07-17-2013

Hello All,

I am currently working on a project to remove security vulnerability present in the network due to IKE Aggressive mode. Below is my understanding:

1. In aggressive mode, initiator and responder IDs are sent in clear text, as against main mode and this is the vulnerability we are trying to remove.

2. For Site to Site VPNs we can disable the aggressive mode, but this is not possible to achieve in Client to Site VPNs till we are using PSKs.

I am seeking help on below points based upon my understanding:

1. Validation of my understanding

2. In case we go for certificate based authentication instead of using PSKs, can we disable the aggressive mode and remove the vulnerability. If yes, is it a mandate to have a local CA server installed or can we go for a publicly hosted CA server.

Please advice.

vikaspurohit1 · ‎07-17-2013

Just to add I am using ASA5520.

mvsheik123 · ‎07-17-2013

Hi Vikas,

Your understanding is correct. More info on this...

http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html

If you go with certificate- yes you can mitigate the issue. Some firms go with practice of frequently changing & longer PSK.

Also, if you have second level authentication ex:RSA for successful authentication, this can be acceptable.

You can go with a local MS CA server-

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml

You can as well use a IOS router as CA server.

Hth

MS