Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.

booshanm
Cisco Employee

We are planning to patch for Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key vulnerability.


Description

The remote Internet Key Exchange (IKE) version 1 service seems to support Aggressive Mode with Pre-Shared key (PSK) authentication. Such a configuration could allow an attacker to capture and crack the PSK of a VPN gateway and gain unauthorized access to private networks.

I saw the solution below for the issue:


- Disable Aggressive Mode if supported.
- Do not use Pre-Shared key for authentication if possible.
- If using a Pre-Shared key cannot be avoided, use very strong keys.
- If possible, do not allow VPN connections from any IP address.


Can we avoid affecting current active users to deploy the solution? I need your suggestion.

7 Replies

Is this report for ASA or for a router?

Instead of using aggressive mode, better use main mode with a complex key containing different characters.

Please do not forget to rate.

It's for ASA.

You do not tell us if you are using aggressive mode in your environment.

  • If you don't use it, disable it.
  • If you use it, migrate away from aggressive-mode and disable it then.

My question is:

Can we avoid affecting current active users to deploy the solution?

If you use aggressive mode (only you can know that), your users are affected. If you don't use aggressive mode, you can safely implement the needed countermeasures.

@Karsten Iwen would it not be better to move to main mode, as it is much better compared to aggressive mode?


Personally I recommend moving to IKEv2 instead of running IKEv1, as IKEv1 has gone legacy.

Please do not forget to rate.

Yes, for sure. Moving to main-mode and/or IKEv2 is the solution. But based on the implemented technologies it's not always that easy. But yes, everyone should have ideally moved away from Aggressive mode better yesterday than later.
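The mitigations listed in the question (disable aggressive mode, avoid or strengthen the PSK, restrict peer addresses) and the replies' advice to move the ASA to main mode or IKEv2 can be checked against a running-config before touching production. The following audit script is an added example and not part of the thread; it assumes ASA 8.4+ IKEv1 syntax (`crypto ikev1 am-disable`, `tunnel-group ... ipsec-attributes`), and the sample config, its keys, the 203.0.113.10 peer and the 20-character key threshold are constructed for illustration.

```python
import re

# Constructed sample of a Cisco ASA running-config (not from the thread);
# 203.0.113.10 is a documentation address and both keys are made up.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto dynamic-map DYN 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key vpn123
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key K7#pq9!zLm4Rv2Wx8Yb5Nc
"""

def audit_asa_ikev1(config: str, min_psk_len: int = 20) -> list:
    """Return findings for the IKEv1 aggressive-mode / PSK exposure; [] if none."""
    raw = config.splitlines()
    top = [ln for ln in raw if ln and not ln.startswith(" ")]   # top-level commands
    ifaces = [ln.split()[-1] for ln in top if ln.startswith("crypto ikev1 enable ")]
    findings = []
    if not ifaces:
        return findings                            # IKEv1 not enabled at all
    # ASA answers aggressive mode unless 'crypto ikev1 am-disable' is configured.
    if "crypto ikev1 am-disable" not in top:
        findings.append("aggressive mode enabled on " + ", ".join(ifaces)
                        + " (add 'crypto ikev1 am-disable', or move to main mode / IKEv2)")
    # Sub-commands are indented one space under their tunnel-group ipsec-attributes.
    group = None
    for ln in raw:
        if not ln.startswith(" "):
            m = re.match(r"tunnel-group (\S+) ipsec-attributes$", ln)
            group = m.group(1) if m else None
            continue
        m = re.match(r"ikev1 pre-shared-key (\S+)$", ln.strip())
        if m and group:
            findings.append(f"tunnel-group {group}: IKEv1 authenticates with a pre-shared key")
            key = m.group(1)                       # masked as ***** in 'show run' output
            if key != "*****" and len(key) < min_psk_len:
                findings.append(f"tunnel-group {group}: pre-shared key shorter than {min_psk_len} chars")
    # A dynamic crypto map accepts IKEv1 negotiation from any peer address.
    if any(ln.startswith("crypto dynamic-map ") for ln in top):
        findings.append("dynamic crypto map present: peers are not restricted to known IP addresses")
    return findings

if __name__ == "__main__":
    for f in audit_asa_ikev1(SAMPLE_CONFIG):
        print("-", f)
```

Run it against `more system:running-config` output to see unmasked keys; against plain `show running-config` the key-length check is skipped because the key is shown as `*****`.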