IKEv1 vs IKEv2

bravealikhan (Level 1)

Hi,

In a company where only IKEv2 is configured to form an IPsec tunnel, a pentest tool (Cisco_IKE_Benigncertain scan) gave a positive response for "x.x.x.x:500 IKE Response Leak".

Question1:

In this scenario, what will happen when a responder router receives an SA proposal of IKEv1?

My understanding is: since IKEv1 is not configured on the responder router, the IKEv1 proposal will be rejected and the router will send an ICMP unreachable message back to the IKEv1 requester on UDP port 500.

Cisco_IKE_Benigncertain scan: is a false positive.

Question2:

Is there any newer Cisco IOS version which doesn't support IKEv1 / ISAKMP at all? Or does the IKEv1 config remain in IOS, and it is up to the user to use crypto isakmp or crypto ikev2 on newer IOS?

Thank you
Accepted Solution

M02@rt37 (VIP)

Hello @bravealikhan 

If the responder router is configured only with IKEv2, it will reject or ignore any IKEv1 SA proposals it receives. Since IKEv1 is not configured, the router will not negotiate an IKEv1 tunnel. However, the router may respond with a notification message or simply ignore the request, depending on the platform. The router will not necessarily send an ICMP unreachable message, because UDP port 500 is still open for IKEv2 communication. Instead, it may just reject the IKEv1 proposal and close the session.

Cisco has not completely removed IKEv1 support from standard IOS versions, but in IOS XE and IOS XR, IKEv2 is the preferred protocol, and IKEv1 is disabled by default unless explicitly configured. Certain modern Cisco platforms have completely removed IKEv1 support, requiring the use of IKEv2.


Best regards
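The outcomes the answer lists (silent drop, a Notify sent back, an ICMP unreachable, or an IKEv2-style reply on the same port) can be told apart on the wire, and doing so is the quickest way to check the scanner's finding. The following is an added example, not code from this thread, from Cisco, or from the scanner named in the question: it builds an IKEv1 Main Mode SA proposal with the Python standard library, optionally sends it to UDP/500, and classifies whatever comes back by parsing the ISAKMP header and first payload (RFC 2408 for IKEv1, RFC 7296 for IKEv2). The transform values in the proposal, the host name, and the two constructed reply builders used to exercise the classifier offline are assumptions for illustration; the notify numbers are the registered ones (14 = NO-PROPOSAL-CHOSEN, 5 = INVALID-MAJOR-VERSION in both protocols).

```python
"""Added example (constructed): IKEv1 Main Mode probe plus a response classifier.

Not the thread's, Cisco's or any scanner's code. It negotiates nothing beyond
message 1 of Main Mode and only reports how the responder reacts.
"""
import os
import socket
import struct

IKE_PORT = 500

# ISAKMP/IKE fixed header (28 bytes): I-SPI, R-SPI, next payload, version,
# exchange type, flags, message ID, total length (RFC 2408 s3.1, RFC 7296 s3.1).
HDR = struct.Struct("!8s8sBBBBII")
V1, V2 = 0x10, 0x20                    # major << 4 | minor
XCHG_V1_MAIN, XCHG_V1_INFO = 2, 5      # IKEv1 Identity Protection, Informational
XCHG_V2_SA_INIT, XCHG_V2_INFO = 34, 37
PLD_V1_SA, PLD_V1_NOTIFY, PLD_V2_NOTIFY = 1, 11, 41
FLAG_V2_RESPONSE = 0x20


def _attr(attr_type, value):
    """IKEv1 data attribute in TV form (AF bit set), RFC 2408 s3.3."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def build_ikev1_sa_proposal(ispi=None):
    """IKEv1 Main Mode message 1: one SA payload, one ISAKMP proposal, one transform.

    Transform = AES-128-CBC / SHA1 / pre-shared key / DH group 14. These values are
    an assumed, plausible IKEv1 policy for illustration, not any device's config.
    """
    ispi = ispi or os.urandom(8)
    attrs = (_attr(1, 7)        # ENCRYPTION_ALGORITHM = AES-CBC
             + _attr(14, 128)   # KEY_LENGTH = 128
             + _attr(2, 2)      # HASH_ALGORITHM = SHA
             + _attr(3, 1)      # AUTHENTICATION_METHOD = pre-shared key
             + _attr(4, 14))    # GROUP_DESCRIPTION = 2048-bit MODP
    # Transform payload: next, reserved, length, transform #, transform ID (1=KEY_IKE), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal payload: next, reserved, length, proposal #, protocol (1=ISAKMP), SPI size, # transforms
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: next, reserved, length, DOI (1=IPsec), situation (1=SIT_IDENTITY_ONLY)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = HDR.pack(ispi, bytes(8), PLD_V1_SA, V1, XCHG_V1_MAIN, 0, 0, HDR.size + len(sa))
    return hdr + sa


def build_ikev1_notify(ispi, notify_type, rspi=None):
    """Constructed IKEv1 Informational reply with one Notify payload (test input only)."""
    # Notify payload: next, reserved, length, DOI, protocol ID, SPI size, notify type
    body = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, notify_type)
    hdr = HDR.pack(ispi, rspi or os.urandom(8), PLD_V1_NOTIFY, V1, XCHG_V1_INFO,
                   0, 0, HDR.size + len(body))
    return hdr + body


def build_ikev2_notify(ispi, notify_type):
    """Constructed IKEv2 INFORMATIONAL response with one Notify payload (test input only)."""
    # IKEv2 Notify payload: next, critical/reserved, length, protocol ID, SPI size, notify type
    body = struct.pack("!BBHBBH", 0, 0, 8, 0, 0, notify_type)
    hdr = HDR.pack(ispi, os.urandom(8), PLD_V2_NOTIFY, V2, XCHG_V2_INFO,
                   FLAG_V2_RESPONSE, 0, HDR.size + len(body))
    return hdr + body


def classify_response(data):
    """Label a datagram received on UDP/500 after the IKEv1 probe."""
    if len(data) < HDR.size:
        return "malformed"
    _ispi, rspi, nxt, ver, xchg, _flags, _msgid, _length = HDR.unpack_from(data)
    major = ver >> 4
    if major == 2:
        # IKEv2 header back to an IKEv1 probe: the peer speaks IKEv2 on this port.
        return "ikev2-notify" if nxt == PLD_V2_NOTIFY else "ikev2-other"
    if major == 1:
        if nxt == PLD_V1_NOTIFY and xchg == XCHG_V1_INFO:
            off = HDR.size + 10            # generic hdr(4) + DOI(4) + proto(1) + SPI size(1)
            if len(data) >= off + 2:
                return "ikev1-notify-%d" % struct.unpack_from("!H", data, off)[0]
            return "ikev1-notify"
        if nxt == PLD_V1_SA and xchg == XCHG_V1_MAIN and rspi != bytes(8):
            # Responder chose a proposal and set its SPI: IKEv1 is really being negotiated.
            return "ikev1-sa-accepted"
        return "ikev1-other"
    return "unknown-version"


def probe(host, timeout=3.0):
    """Send the proposal and report the responder's reaction. Does network I/O."""
    pkt = build_ikev1_sa_proposal()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, IKE_PORT))       # connected UDP so ICMP errors surface as exceptions
        s.send(pkt)
        try:
            return classify_response(s.recv(4096))
        except (ConnectionRefusedError, ConnectionResetError):
            return "icmp-port-unreachable"  # ICMP type 3 reported by the kernel
        except socket.timeout:
            return "no-response"            # dropped silently, or filtered upstream


if __name__ == "__main__":
    print(probe("192.0.2.1"))             # assumed example address (TEST-NET-1)
```

Only "ikev1-sa-accepted" means the responder is actually willing to run IKEv1; an IKEv1 Notify such as NO-PROPOSAL-CHOSEN or INVALID-MAJOR-VERSION, an IKEv2 reply, or silence all fit the answer's description of an IKEv2-only router that refuses the proposal without closing UDP/500. The probe does not reproduce the scanner's own leak test, so a result here is a check on whether IKEv1 is spoken at all, not a verdict on the finding itself.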

