07-29-2008 02:41 AM
Hi,
I have just used a helpful tool over the internet called IKE-Scan from http://www.nta-monitor.com/tools and I get these results back from my ASA and Concentrator. What do they mean? Is this showing what my equipment is advertising, and should I be worried?
ASA
C:\ike-scan-win32-1.9>ike-scan.exe 1.2.3.4
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.4 Main Mode Handshake returned HDR=(CKY-R=aad08e4146225eb3) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.109 seconds (9.17 hosts/sec). 1 returned handshake; 0 returned notify
Concentrator
C:\ike-scan-win32-1.9>ike-scan.exe 1.2.3.5
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
1.2.3.5 Main Mode Handshake returned HDR=(CKY-R=816b07de783cb2d2) SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
Ending ike-scan 1.9: 1 hosts scanned in 0.171 seconds (5.85 hosts/sec). 1 returned handshake; 0 returned notify
07-30-2008 12:54 AM
Hi,
This is nothing to worry about. I think that by default the VPN devices are replying to ISAKMP requests from all Internet devices.
However, you can change that if you enable filtering on the outside interfaces of the devices, allowing UDP 500, 10000, 4500 and IP 50 only from legitimate VPN peers.
Please rate if this helped.
Regards,
Daniel
07-30-2008 01:40 AM
Thanks, I will leave it, but how come it finds Enc=3DES Hash=SHA1 Group=2:modp1024?
I have that enabled plus AES256, does it just show the first it gets a response from?
07-30-2008 06:17 AM
Hi,
The ISAKMP proposals have a seq number.
The device (ASA/Concentrator) receives the request from that program (the request contains a sequence of proposals that the program builds, in a specific order) and the device answers with the first match, matching all the proposals from the peer against its first ISAKMP seq, then against the second, and so on.
Therefore, even if your first seq is a strong one (AES), if the peer only proposes 3DES, it will match your 3DES configured seq.
Please rate if this helped.
Regards,
Daniel
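The matching behaviour Daniel describes means a single ike-scan run only ever reveals one accepted transform: the responder walks its own policy list in seq order and returns the first policy that any of the offered transforms satisfies. To see every transform a gateway accepts (the AES256 policy as well as the 3DES one), you have to offer one transform per probe. The script below is an added example, not part of the thread or of ike-scan itself; it assumes an ike-scan build that accepts the parenthesised `--trans=(attr=value,...)` syntax, a target you are authorised to probe, and the standard ISAKMP attribute numbers (encryption 1, hash 2, auth 3, group 4, key length 14). The helper names (`transform_arg`, `probe`, `enumerate`) are the example's own.

```shell
#!/bin/sh
# Added example: enumerate accepted IKEv1 Main Mode transforms one proposal at a time.
# Not part of the thread or of ike-scan; assumes ike-scan on PATH with the
# "--trans=(a=v,...)" syntax and a target you are authorised to scan.

# ISAKMP attribute values (IANA / RFC 2409): encryption (1), hash (2), auth (3), group (4);
# AES additionally needs the key-length attribute (14) or the gateway will not match it.
enc_attr() {
  case "$1" in
    des)    echo "1=1" ;;
    3des)   echo "1=5" ;;
    aes128) echo "1=7,14=128" ;;
    aes256) echo "1=7,14=256" ;;
    *)      return 1 ;;
  esac
}
hash_attr() {
  case "$1" in
    md5)    echo "2=1" ;;
    sha1)   echo "2=2" ;;
    sha256) echo "2=4" ;;
    *)      return 1 ;;
  esac
}
auth_attr() {
  case "$1" in
    psk) echo "3=1" ;;
    rsa) echo "3=3" ;;
    *)   return 1 ;;
  esac
}
group_attr() {
  case "$1" in
    1|2|5|14) echo "4=$1" ;;
    *)        return 1 ;;
  esac
}

# Build the single-transform --trans argument: enc hash auth group -> "--trans=(...)".
# Fails (status 1, no output) on an unknown name so a typo cannot turn into a bogus probe.
transform_arg() {
  e=$(enc_attr "$1") && h=$(hash_attr "$2") && a=$(auth_attr "$3") && g=$(group_attr "$4") || return 1
  printf '%s\n' "--trans=($e,$h,$a,$g)"
}

# Send exactly one proposal to the target. A "Handshake returned" line means the
# responder has a policy matching that transform; anything else is a rejection/silence.
probe() {
  target=$1; shift
  arg=$(transform_arg "$@") || return 2
  if ike-scan -M "$arg" "$target" 2>/dev/null | grep -q 'Handshake returned'; then
    echo "accepted: $*"
  else
    echo "rejected: $*"
  fi
}

# Walk a candidate space with PSK auth. Because each probe offers a single transform,
# the responder's seq ordering can no longer hide the weaker policies behind a strong one.
enumerate() {
  target=$1
  for e in 3des aes128 aes256; do
    for h in md5 sha1; do
      for g in 2 5; do
        probe "$target" "$e" "$h" psk "$g"
      done
    done
  done
}

if [ $# -eq 1 ]; then
  enumerate "$1"
fi
```

Run it as `sh enum-ike.sh 1.2.3.4`; every "accepted" line is a policy that will be negotiated if a peer (or a scanner) offers only that transform, so a 3DES/MD5 hit next to an AES256/SHA1 hit tells you the gateway will still downgrade for a peer that asks. The same one-transform-per-probe idea is what ike-scan's own transform enumeration does, and the `-M` flag only puts each payload on its own line for easier grepping.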