PCI Compliance - ISAKMP Allows Weak IPsec Encryption

Posted on 2012-08-16
Last Modified: 2012-08-23
Experts, I need your help passing a PCI scan. The report keeps showing failed with the following vulnerability:

The ISAKMP endpoint allows short key lengths or insecure encryption algorithms to be negotiated. This could allow remote attackers to compromise the confidentiality and integrity of the data by decrypting and modifying individual ESP or AH packets.

We use UDP 500 for a site-to-site VPN between a SonicWall NSA 2400 and SonicWall TZ210.

Auth meth: IKEv1 with 140bit pre-shared key. Phase 1 proposal is set to main mode, DH group 14, AES-256, SHA1. Phase 2 is ESP/AES256/SHA1

I keep thinking the SNWL might be set to allow DES, but I can't find a way to disable it. Also, it could be there is no real minimum setting for the pre-shared key that I can see.

The only thing I haven't tried is going to IKEv2, but I'm hesitating because I don't want to rebuild the other VPN tunnels in my hub-and-spoke. I had a vendor tell me that IKEv1 would stop working for all of them once I switched.

Thanks for your help!
Question by: agwarren
    Expert Comment

    To check if your router allows DES:

    1. Log in to the management GUI.
    2. Click on the 'VPN' button on the left side, and then click on the 'Configure' tab along the top.
    3. From the 'Security Association' drop-down box, choose your SA.
    4. From the 'Phase 1 Encryption/Authentication' drop-down box, choose "3DES & MD5".
    5. From the 'Phase 2 Encryption/Authentication' drop-down box, choose "Strong Encrypt and Authenticate (ESP 3DES HMAC MD5)".

    Expert Comment

    Also, what tool was used to report this finding? I can look up more information on the vulnerability if I know what tool it came from.

    Author Comment

    I should have specified my router is running SonicOS Enhanced 5.8.

    I don't see the Configure tab under the VPN button. The VPN Settings lists the current policies (probably what was called Security Associations) that I can choose to edit, or create a new policy. The edit box has a 'Proposals' tab where I can choose the Encryption/Authentication methods, and DES/3DES/AES are all options in the drop-down box.

    The tool used was by Aperia Solutions. The full report doesn't give much more detail.
    Accepted Solution

    Ok, my recommendation is to document this as a false finding and document mitigating controls in place. Here's why.

    This finding is based on a vulnerability scanner attempting to establish an SA with your device. During the handshake your SonicWall reports that it allows DES/3DES and AES. That's it. So since DES is included, it marks it as a finding.

    What is missing though is that to establish the SA, both sides have to agree on algorithms which the vuln scanner did not do.  YOUR VPN tunnel does agree on an algorithm, and since they are both configured to allow something better than DES (3DES or AES) they are going to default to that.

    The vulnerability scanner is not capable of confirming this, because they do not have authorization to establish a full SA with your devices.

    See this article:

    PCI rules say nothing in writing about ISAKMP or the use of DES, so to say this is a "PCI finding" is false, it is more just best practice.  See rule 4.1 on page 15 in this document:
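    To make the negotiation argument above concrete, here is a simplified IKEv1 Phase 1 model added for illustration (it is not the scanner's or SonicWall's code). It assumes RFC 2409 semantics in which the initiator offers transforms in preference order and the responder selects the first one on its own configured list, and it uses a constructed scanner policy for what counts as weak.

```python
"""Simplified IKEv1 Phase 1 negotiation model (constructed example).

The responder accepts any transform on its configured list; the initiator
offers transforms in preference order and the responder returns the first
offered transform that exactly matches one it accepts (RFC 2409, simplified).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transform:
    enc: str        # "DES", "3DES" or "AES"
    key_bits: int   # nominal key length
    hash_alg: str   # "MD5" or "SHA1"
    dh_group: int   # IKE group number, e.g. 14 = 2048-bit MODP

# Constructed responder policy: everything the GUI drop-down can offer.
RESPONDER_ACCEPTS = [
    Transform("AES", 256, "SHA1", 14),
    Transform("3DES", 168, "SHA1", 2),
    Transform("DES", 56, "MD5", 1),
]
# Hardened variant: DES removed from the accepted list.
HARDENED_ACCEPTS = [Transform("AES", 256, "SHA1", 14)]

# Constructed proposals: the real peer from the question, and a scanner
# that deliberately offers weak transforms first to test acceptance.
PEER_OFFER = [Transform("AES", 256, "SHA1", 14)]
SCANNER_OFFER = [Transform("DES", 56, "MD5", 1), Transform("3DES", 168, "MD5", 2)]

# Constructed "weak" policy, similar in spirit to the finding in the question.
MIN_KEY_BITS = 112
WEAK_HASHES = {"MD5"}


def negotiate(offered: List[Transform], accepted: List[Transform]) -> Optional[Transform]:
    """Return the first offered transform the responder also accepts, else None."""
    acceptable = set(accepted)
    for candidate in offered:
        if candidate in acceptable:
            return candidate
    return None


def weak_reasons(t: Transform) -> List[str]:
    """List why a negotiated transform would be flagged under the constructed policy."""
    reasons = []
    if t.enc == "DES" or t.key_bits < MIN_KEY_BITS:
        reasons.append(f"{t.enc}-{t.key_bits} below {MIN_KEY_BITS}-bit minimum")
    if t.hash_alg in WEAK_HASHES:
        reasons.append(f"{t.hash_alg} hash is deprecated")
    return reasons
```

    Running `negotiate(PEER_OFFER, RESPONDER_ACCEPTS)` yields AES-256/SHA1/group 14 with no weak reasons, while the same responder answers the scanner's offer with DES/MD5, which is the acceptance the scanner reports; against `HARDENED_ACCEPTS` the scanner's offer negotiates nothing.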

    Author Closing Comment

    Thanks for the research and recommendation, southpau1. We submitted the exception report and are awaiting a response from the ASV.
