ISAKMP Allows Weak IPsec Encryption Settings (ipsec-weak-encryption-settings) ???

rechard_david
Level 1

Dear all,

Do you know this issue "ISAKMP Allows Weak IPsec Encryption Settings (ipsec-weak-encryption-settings)"?

How do I fix this issue?

Best Regards,

7 Replies

You probably have weak IKE (and IPsec) policies configured. Can you share your config?

Dear Karsten,

This is a sample configuration:

access-list branch01 extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
!
crypto ipsec ikev1 transform-set HQ esp-3des esp-md5-hmac
crypto map Branch 1 match address branch01
crypto map Branch 1 set peer 200.200.200.10
crypto map Branch 1 set ikev1 transform-set HQ
crypto map Branch interface outside
!
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Although it's not encryption, MD5 and DH group 2 are considered weak nowadays. 3DES is not really weak, but legacy.

Which tool gives you this output? Perhaps there is some more info available on what is considered weak.

And you could ask your peer to migrate to AES, SHA1 and DH5.

Dear Karsten,

For the monitoring tool, I don't know which one my team used.

Could you verify whether the commands below are strong or weak?

crypto ipsec transform-set HQ esp-aes esp-aes-256
!
crypto isakmp policy 65535
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

If it is not strong, please help with a recommendation.

Best Regards,

Your new IKE policy is much stronger, but the more secure policies should have the lower policy numbers to make the router prefer them.

The transform-set needs an adjustment as you configured two encryption transforms. Replace the first esp-aes with esp-sha1-hmac.

And make sure that your peer makes the same adjustments as these parameters have to match on both sides.

Dear Karsten,

After I checked with my ASA, as below:

crypto ipsec transform-set HQ1 esp-aes-256 esp-sha-hmac

Are we still using Group 2?

crypto isakmp policy 65535
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

Please help me correct it!

Best Regards,

Well, if that policy is part of your config, the ASA can use DH group 2. Ideally, your config should only include policies with strong crypto.
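The checks Karsten walks through in this thread (MD5 and DH group 2 flagged as weak, 3DES as legacy, a transform-set that lists two encryption transforms, and a strong policy hidden behind a weaker one with a lower number) can be run mechanically over a configuration before a scanner complains. The script below is an added example, not code from the thread or from Cisco; it parses the ASA/IOS-style `crypto isakmp`/`crypto ikev1 policy` and `transform-set` lines as they appear in the posts above, and the sample configuration it audits is constructed from those posts. The weak/legacy classification is taken from the thread's own statements, not from a vendor table.

```python
"""Audit ASA/IOS-style IKE policies and IPsec transform-sets for the weak
settings discussed in the thread: MD5 hash, DH group 1/2, DES/3DES,
two encryption transforms in one transform-set, and a strong policy that
is only reachable behind a weaker policy with a lower number."""
import re

# Classification follows the thread: MD5 and DH group 2 weak, 3DES legacy.
WEAK_ENC = {"des"}
LEGACY_ENC = {"3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2"}

# ESP transform keywords as written in ASA/IOS transform-sets.
ESP_ENC = {"esp-des": "weak", "esp-3des": "legacy", "esp-null": "weak",
           "esp-aes": "ok", "esp-aes-192": "ok", "esp-aes-256": "ok"}
ESP_AUTH = {"esp-md5-hmac": "weak", "esp-sha-hmac": "ok", "esp-sha1-hmac": "ok",
            "esp-sha256-hmac": "ok", "esp-sha384-hmac": "ok", "esp-sha512-hmac": "ok"}

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
TSET_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+)\s+(.+)$")
RANK = {"weak": 0, "legacy": 1, "ok": 2}


def parse_config(text):
    """Return (policies, transform_sets).
    policies maps policy number -> {"encryption": ..., "hash": ..., "group": ...};
    transform_sets maps name -> list of transform keywords."""
    policies, tsets = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # blank or section separator
            current = None
            continue
        m = POLICY_RE.match(line)
        if m:                                 # start of a policy block
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = TSET_RE.match(line)
        if m:                                 # one-line transform-set
            tsets[m.group(1)] = m.group(2).split()
            current = None
            continue
        if line.startswith("crypto "):        # other crypto command, not a policy attr
            current = None
            continue
        if current is not None:               # "encryption aes-256", "group 2", ...
            key, _, value = line.partition(" ")
            current[key] = value
    return policies, tsets


def policy_rating(policy):
    """Rate one IKE policy as weak, legacy or ok using the thread's criteria."""
    enc, hsh, grp = policy.get("encryption", ""), policy.get("hash", ""), policy.get("group", "")
    if enc in WEAK_ENC or hsh in WEAK_HASH or grp in WEAK_DH:
        return "weak"
    if enc in LEGACY_ENC:
        return "legacy"
    return "ok"


def audit(text):
    """Return a list of human-readable findings for the given configuration text."""
    policies, tsets = parse_config(text)
    findings = []
    for num, p in sorted(policies.items()):
        enc, hsh, grp = p.get("encryption", "?"), p.get("hash", "?"), p.get("group", "?")
        if enc in WEAK_ENC:
            findings.append(f"policy {num}: weak encryption {enc}")
        if enc in LEGACY_ENC:
            findings.append(f"policy {num}: legacy encryption {enc}")
        if hsh in WEAK_HASH:
            findings.append(f"policy {num}: weak hash {hsh}")
        if grp in WEAK_DH:
            findings.append(f"policy {num}: weak DH group {grp}")
    # Lower policy number is preferred; a stronger policy with a higher number
    # only gets used when every weaker one ahead of it fails to match.
    ordered = sorted(policies.items())
    for i, (num, p) in enumerate(ordered):
        for later_num, later in ordered[i + 1:]:
            if RANK[policy_rating(later)] > RANK[policy_rating(p)]:
                findings.append(f"policy {later_num} is stronger than policy {num} but has a "
                                f"higher number; renumber so the strong policy is preferred")
                break
    for name, transforms in tsets.items():
        encs = [t for t in transforms if t in ESP_ENC]
        auths = [t for t in transforms if t in ESP_AUTH]
        if len(encs) > 1:
            findings.append(f"transform-set {name}: two encryption transforms {encs}; "
                            f"replace one with an integrity transform such as esp-sha-hmac")
        if not auths:
            findings.append(f"transform-set {name}: no integrity (esp-*-hmac) transform")
        for t in encs + auths:
            rating = ESP_ENC.get(t) or ESP_AUTH.get(t)
            if rating != "ok":
                findings.append(f"transform-set {name}: {rating} transform {t}")
    return findings


# Constructed sample assembled from the configs posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set HQ esp-aes esp-aes-256
crypto ipsec ikev1 transform-set HQ1 esp-aes-256 esp-sha-hmac
!
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto ikev1 policy 65535
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample reports policy 1's 3DES/MD5/group 2, the fact that policy 65535 is the strong one but sits behind policy 1, and the double encryption transform in HQ; HQ1 (aes-256 with esp-sha-hmac) produces no finding. Feed it the output of `show running-config` and remove or renumber whatever it flags, remembering, as Karsten notes, that the peer must be changed to match.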