01-06-2017 12:05 AM
Hi,
I have the router configuration below.
During vulnerability scanning, it was flagged with the finding "Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key". The recommendation is to disable Aggressive Mode.
From the link below, I noticed that I can disable Aggressive Mode with the "crypto isakmp aggressive-mode disable" command.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.pdf
Is this what I need to do in order to address the VA finding?
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec security-association lifetime kilobytes 10000
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
 mode tunnel
crypto isakmp key ABC$123#99 address 10.10.10.1
crypto map SITEA-to-SITEB-VPN 20 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set aes
 match address 120
interface FastEthernet0/0
 ip address 198.10.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip flow ingress
 duplex full
 speed 100
 crypto map SITEA-to-SITEB-VPN
access-list 120 permit ip 192.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 permit ip 10.1.1.0 0.0.0.255 192.1.1.0 0.0.0.255
01-06-2017 12:52 AM
If that's the full IPsec config and there is no other stuff like an EzVPN server in use, then you can disable it with that command.
01-11-2017 02:50 AM
Hi,
Just managed to test the statement, works like a charm.
01-18-2017 05:21 PM
Add On:
After disabling Aggressive Mode, there will be a lot of messages in the router log, e.g.
You can use a log discriminator to filter out those log messages.
1) Configure a discriminator:
logging discriminator IKMP-AG mnemonics drops IKMP_AG_MODE_DISABLED
2) Apply it to logging buffer:
logging buffered discriminator IKMP-AG 4096
Reference: http://asame2.blogspot.sg/2015/12/crypto-5-ikmpagmodedisabled-unable-to.html
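As an added example (not code from the thread or from Cisco), here is a small audit script that checks an IOS configuration for the scanner finding discussed above (an ISAKMP policy using "authentication pre-share" while "crypto isakmp aggressive-mode disable" is absent) and also reports whether the IKMP_AG_MODE_DISABLED messages from the add-on post are filtered by an applied logging discriminator. The sample config is constructed from the thread's relevant lines; the POLICY_SUBCMDS list and the exact-string matching are assumptions about how the config text is laid out.

```python
import re

# Constructed sample: the relevant lines of the thread's config, where ISAKMP
# policy 20 uses a pre-shared key and aggressive mode has not been disabled.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key ABC$123#99 address 10.10.10.1
crypto map SITEA-to-SITEB-VPN 20 ipsec-isakmp
 set peer 10.10.10.1
"""

# Sub-commands that can appear under "crypto isakmp policy"; any other line
# ends the policy block (works for indented and for flattened config text).
POLICY_SUBCMDS = ("encr", "encryption", "hash", "authentication", "group", "lifetime")


def audit_ike(config: str) -> dict:
    """Flag the scanner finding (pre-shared-key ISAKMP policy with aggressive
    mode still enabled) and report whether the IKMP_AG_MODE_DISABLED log
    messages are filtered by a logging discriminator applied to the buffer."""
    psk_policies, current, aggressive_disabled = [], None, False
    drop_discs, applied_discs = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            continue
        if current is not None and line.startswith(POLICY_SUBCMDS):
            if line == "authentication pre-share":
                psk_policies.append(current)
            continue
        current = None  # any non-policy line closes the policy block
        if line == "crypto isakmp aggressive-mode disable":
            aggressive_disabled = True
        m = re.match(r"logging discriminator (\S+) mnemonics drops (\S+)$", line)
        if m and "IKMP_AG_MODE_DISABLED" in m.group(2):
            drop_discs.add(m.group(1))
        m = re.match(r"logging buffered discriminator (\S+)", line)
        if m:
            applied_discs.add(m.group(1))
    return {
        "psk_policies": psk_policies,
        "aggressive_mode_disabled": aggressive_disabled,
        "finding_present": bool(psk_policies) and not aggressive_disabled,
        "ag_mode_log_filtered": bool(drop_discs & applied_discs),
    }
```

Running audit_ike on the sample reports the finding; appending the three lines from this thread (the aggressive-mode disable plus the discriminator and its buffered application) clears it and marks the log filter as applied.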