Cisco Employee

Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

We are planning to patch for Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.


Description

The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Shared key (PSK) authentication. Such a configuration could allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.

I saw the solution below for the issue:

- Disable Aggressive Mode if supported.
- Do not use Pre-Shared key for authentication if it's possible.
- If using Pre-Shared key cannot be avoided, use very strong keys.
- If possible, do not allow VPN connections from any IP addresses.


Can we avoid affecting current active users to deploy the solution? I need your suggestion.

VIP Engager

Re: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

Is this report for ASA or for a router?

Instead of using aggressive mode, better use main mode with a complex key with different characters.

please do not forget to rate.
Cisco Employee

Re: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

It's for ASA.

VIP Mentor

Re: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

You do not tell us if you are using aggressive mode in your environment.

  • If you don't use it, disable it.
  • If you use it, migrate away from aggressive-mode and disable it then.
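The thread's advice (the four mitigations in the original post, and "if you don't use it, disable it" above) comes down to reading the running-config and checking a few lines. The script below is an added example, not code from the thread or from Cisco; it audits an ASA-style config excerpt for the findings discussed here. The config text is constructed, the pre-shared keys in it are placeholders, and the command syntax (`crypto ikev1 enable`, `crypto ikev1 am-disable`, `ikev1 pre-shared-key`, the `DefaultL2LGroup`/`DefaultRAGroup` catch-all tunnel groups, and the `*****` masking that `show running-config` applies to keys) is assumed ASA syntax, so verify it against your own platform and version before relying on the output.

```python
"""Audit an ASA-style running-config excerpt for IKEv1 aggressive-mode / PSK exposure.

Added example for the thread above; the config and keys below are constructed,
and the ASA command names are assumptions to be checked against your platform.
"""
import re

# Constructed sample config: not from any real device, keys are placeholders.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key cisco123
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key branchkey
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 ikev1 pre-shared-key Xq7!vR2#pL9@mW4$tZ8^bN1&
"""

MIN_PSK_LEN = 20  # heuristic threshold for "very strong keys" (mitigation 3)


def psk_is_strong(key):
    """Length plus all four character classes; a simple strength heuristic."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(key) >= MIN_PSK_LEN and all(re.search(p, key) for p in classes)


def parse_psks(config):
    """Map tunnel-group name -> IKEv1 pre-shared key, in config order."""
    psks = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ikev1 pre-shared-key (\S+)", line)
        if m and current:
            psks[current] = m.group(1)
    return psks


def audit_ikev1(config):
    """Return a list of finding tags, one per mitigation in the thread."""
    findings = []
    # Mitigation 1: IKEv1 enabled on an interface without am-disable (assumed ASA command).
    ikev1_enabled = re.search(r"^crypto ikev1 enable ", config, re.M) is not None
    am_disabled = re.search(r"^crypto ikev1 am-disable$", config, re.M) is not None
    if ikev1_enabled and not am_disabled:
        findings.append("aggressive-mode-allowed")
    # Mitigation 2: any IKEv1 policy still authenticating with a pre-shared key.
    if re.search(r"^\s*authentication pre-share$", config, re.M):
        findings.append("psk-auth-policy")
    # Mitigation 3: weak keys. "*****" means the key is masked in this output
    # (assumed show running-config behaviour), so it cannot be assessed here.
    psks = parse_psks(config)
    for tg, key in psks.items():
        if key == "*****":
            findings.append(f"psk-masked:{tg}")
        elif not psk_is_strong(key):
            findings.append(f"weak-psk:{tg}")
    # Mitigation 4: a PSK on the catch-all groups accepts peers from any IP (assumption).
    if "DefaultL2LGroup" in psks or "DefaultRAGroup" in psks:
        findings.append("psk-on-default-group")
    return findings


if __name__ == "__main__":
    for finding in audit_ikev1(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of the running-config rather than the sample; an empty result for `aggressive-mode-allowed` is the case the Mentor describes, where the countermeasure can be applied without touching active users, while any `weak-psk` or `psk-on-default-group` finding names the tunnel group whose peers will need a coordinated key change.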
Cisco Employee

Re: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

My question is:

Can we avoid affecting current active users to deploy the solution?

VIP Mentor

Re: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

If you use aggressive mode (only you can know that), your users are affected. If you don't use aggressive mode, you can safely implement the needed countermeasures.

VIP Engager

Re: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

@Karsten Iwen would it not be better to move to main mode, as it is much better compared to aggressive mode?

Personally, I recommend moving to IKEv2 instead of running IKEv1, as IKEv1 has gone legacy.

please do not forget to rate.
VIP Mentor

Re: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

Yes, for sure. Moving to main-mode and/or IKEv2 is the solution. But based on the implemented technologies it's not always that easy. But yes, everyone should have ideally moved away from Aggressive mode better yesterday than later.