Experts, I need your help passing a PCI scan. The report keeps showing failed with the following vulnerability:
The ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated. This could allow remote attackers to compromise the confidentiality and integrity of the data by decrypting and modifying individual ESP or AH packets.
We use UDP 500 for a site-to-site VPN between a SonicWall NSA 2400 and SonicWall TZ210.
Auth method: IKEv1 with 140-bit pre-shared key. Phase 1 proposal is set to main mode, DH group 14, AES-256, SHA1. Phase 2 is ESP/AES256/SHA1.
I keep thinking the SNWL might be set to allow DES, but I can't find a way to disable it. Also, it could be there is no real minimum setting for the pre-shared key that I can see.
The only thing I haven't tried is going to IKEv2, but I'm hesitating because I don't want to rebuild the other VPN tunnels in my hub-and-spoke. I had a vendor tell me that IKEv1 would stop working for all of them once I switched.
Thanks for your help!
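Added example, not from the thread or from SonicWall: a small Python helper that decodes the transforms in a captured IKEv1 SA payload (for instance the peer's first main-mode packet taken from a UDP 500 capture) and reports the ones a finding like the one quoted would flag: DES/3DES, AES below 128 bits, MD5, or a DH group below 14. It assumes one proposal per SA payload and the payload layout of RFC 2408/2409; `build_sa` only constructs test input.

```python
import struct

ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_KEYLEN = 1, 2, 3, 4, 14  # IKEv1 phase-1 attribute types (RFC 2409 App. A)

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 s3.3): TV if the type's high bit is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        atype, val = struct.unpack_from("!HH", data, off)
        off += 4
        if atype & 0x8000:  # basic (TV): the 2-byte field is the value itself
            attrs[atype & 0x7FFF] = val
        else:               # variable-length (TLV): the field is the length of the value that follows
            attrs[atype], off = int.from_bytes(data[off:off + val], "big"), off + val
    return attrs

def weak_transforms(sa_payload):
    """Flag every transform in one IKEv1 SA payload (SA -> proposal -> transforms) a PCI scanner would reject."""
    off = 12  # SA payload = generic header (4) + DOI (4) + situation (4); the proposal payload follows
    spi_size, n_trans = struct.unpack_from("!BB", sa_payload, off + 6)
    off, findings = off + 8 + spi_size, []
    for _ in range(n_trans):
        t_len, num = struct.unpack_from("!HB", sa_payload, off + 2)  # transform payload header is 8 bytes
        a = parse_attributes(sa_payload[off + 8:off + t_len])
        off += t_len
        enc, keylen = a.get(ATTR_ENC), a.get(ATTR_KEYLEN, 0)
        if enc in (1, 5):
            findings.append((num, "%s offered" % {1: "DES", 5: "3DES"}[enc]))
        elif enc == 7 and keylen < 128:  # AES with no key-length attribute counts as unknown, so flagged
            findings.append((num, "AES key length %d" % keylen))
        if a.get(ATTR_HASH) == 1:
            findings.append((num, "MD5 hash"))
        if a.get(ATTR_GROUP, 0) < 14:
            findings.append((num, "DH group %d" % a.get(ATTR_GROUP, 0)))
    return findings

def build_sa(transforms):
    """Constructed test input: encode [(enc, hash, group, keylen)] as one IKEv1 SA payload with one proposal."""
    body = b""
    for i, (enc, hsh, group, keylen) in enumerate(transforms, 1):
        attrs = struct.pack("!HHHHHHHH", 0x8000 | ATTR_ENC, enc, 0x8000 | ATTR_HASH, hsh,
                            0x8000 | ATTR_AUTH, 1, 0x8000 | ATTR_GROUP, group)  # auth 1 = pre-shared key
        if keylen:
            attrs += struct.pack("!HH", 0x8000 | ATTR_KEYLEN, keylen)
        nxt = 3 if i < len(transforms) else 0  # next payload 3 = another transform follows
        body += struct.pack("!BBHBBH", nxt, 0, 8 + len(attrs), i, 1, 0) + attrs  # transform ID 1 = KEY_IKE
    prop = struct.pack("!BBHBBBB", 0, 0, 8 + len(body), 1, 1, 0, len(transforms)) + body  # proto 1 = ISAKMP
    return struct.pack("!BBHII", 0, 0, 12 + len(prop), 1, 1) + prop  # DOI 1 = IPsec, SIT_IDENTITY_ONLY
```

Running `weak_transforms(build_sa([(7, 2, 14, 256), (1, 2, 2, None)]))` models the poster's AES-256/SHA1/group 14 transform next to a legacy DES/group 2 fallback: only the second transform is reported, which is the kind of extra offer a scanner sees even when the configured proposal looks strong.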