07-17-2013 07:02 AM
Hello All,
I am currently working on a project to remove a security vulnerability present in the network due to IKE Aggressive mode. Below is my understanding:
1. In aggressive mode, initiator and responder IDs are sent in clear text, unlike main mode, and this is the vulnerability we are trying to remove.
2. For Site-to-Site VPNs we can disable aggressive mode, but this is not possible to achieve in Client-to-Site VPNs as long as we are using PSKs.
I am seeking help on below points based upon my understanding:
1. Validation of my understanding
2. In case we go for certificate-based authentication instead of using PSKs, can we disable aggressive mode and remove the vulnerability? If yes, is it mandatory to have a local CA server installed, or can we go for a publicly hosted CA server?
Please advise.
07-17-2013 07:02 AM
Just to add I am using ASA5520.
07-17-2013 11:36 AM
Hi Vikas,
Your understanding is correct. More info on this...
http://www.cisco.com/warp/public/707/cisco-sn-20030422-ike.html
If you go with certificates, yes, you can mitigate the issue. Some firms go with the practice of frequently changing and longer PSKs.
Also, if you have second-level authentication (e.g. RSA) for successful authentication, this can be acceptable.
You can go with a local MS CA server:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml
You can as well use an IOS router as CA server.
Hth
MS
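To make the exposure discussed in this thread concrete from a monitoring point of view, here is an added example (not from the original posts or Cisco) that parses the ISAKMP header and payload chain and flags an aggressive-mode exchange (exchange type 4) carrying an ID payload in the clear, which is exactly what main mode avoids. The packets are constructed inline with dummy SA/KE/Nonce bodies and are not real captures.

```python
import struct

# ISAKMP constants (RFC 2408, RFC 2409)
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4      # Identity Protection vs. Aggressive exchange
PAYLOAD_ID, FLAG_ENCRYPTION = 5, 0x01
ID_TYPE_NAMES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 11: "KEY_ID"}

def parse_isakmp(pkt: bytes) -> dict:
    """Walk the ISAKMP header and payload chain; flag an ID payload sent in the clear."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    next_payload, _ver, exch, flags, _msg_id, _length = struct.unpack("!BBBBII", pkt[16:28])
    result = {"exchange": exch, "encrypted": bool(flags & FLAG_ENCRYPTION), "ids": []}
    off = 28
    # Payloads are only readable when the encryption bit is clear (true for aggressive message 1).
    while not result["encrypted"] and next_payload != 0 and off + 4 <= len(pkt):
        np, _res, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        if next_payload == PAYLOAD_ID and plen >= 8:
            id_type, data = pkt[off + 4], pkt[off + 8:off + plen]
            value = ".".join(map(str, data)) if id_type == 1 else data.decode("ascii", "replace")
            result["ids"].append((ID_TYPE_NAMES.get(id_type, str(id_type)), value))
        next_payload, off = np, off + plen
    # The weakness discussed in the thread: aggressive mode carries the peer ID unencrypted.
    result["exposed"] = exch == EXCH_AGGRESSIVE and bool(result["ids"])
    return result

def build_isakmp(exch: int, payloads: list) -> bytes:
    """Assemble a constructed ISAKMP message from (payload_type, body) pairs (not a real capture)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = b"\x11" * 8 + b"\x00" * 8                       # initiator cookie, empty responder cookie
    hdr += struct.pack("!BBBBII", first, 0x10, exch, 0, 0, 28 + len(body))
    return hdr + body

# Constructed samples: message 1 of each exchange (SA/KE/Nonce bodies are dummies).
ID_BODY = struct.pack("!BBH", 11, 17, 500) + b"vpn-group"   # KEY_ID over UDP/500, group name
AGGRESSIVE_MSG1 = build_isakmp(EXCH_AGGRESSIVE,
                               [(1, b"\x00" * 8), (4, b"\x00" * 4), (10, b"\x00" * 4), (5, ID_BODY)])
MAIN_MSG1 = build_isakmp(EXCH_MAIN, [(1, b"\x00" * 8)])     # main mode: ID comes later, encrypted

if __name__ == "__main__":
    for name, pkt in (("aggressive", AGGRESSIVE_MSG1), ("main", MAIN_MSG1)):
        print(name, parse_isakmp(pkt))
```

Running the same parser over UDP/500 traffic captured at the ASA's outside interface gives an inventory of which clients still negotiate in aggressive mode before you disable it.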