What is ISAKMP and do I need it?

After running a vulnerability scan on my Cisco 1921 router (IOS device) I got the following message back:

ISAKMP Allows Weak IPsec Encryption Settings

Apparently this service uses UDP on port 500. Can anyone tell me what it's for, why I need it or if I need it?

Additionally, if I do need it how do I change the setting to set strong encryption? If I don't need it how do I disable it?

I'm still fairly green when it comes to configuring a Cisco router so please pretend I'm dumb (not much of a stretch really).
Asked by Russ Suter
Adam Brown, Sr Solutions Architect, commented:
ISAKMP is a key management and exchange protocol. It's used to allow devices to exchange key information for encryption. Using it isn't the problem. The problem is that your configuration is allowing weak keys to be generated and used through ISAKMP. http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.pdf should give you a good overview of ISAKMP. There's a section devoted to ISAKMP configuration you'll want to look at particularly. I'm not a Cisco guy, so I can't give you specific instructions, but you'll want to make sure that your devices are configured so that DES is not allowed. Cisco devices use 3DES by default, so this isn't a huge problem (DES was cracked 16 years ago, 3DES is still marginally secure. Use AES if you can).
It's for key exchange when setting up an IPsec VPN. So if you use VPN on that router, then yes, you need it. If you don't, then you can probably disable it.

This vulnerability shows up a lot on scanners, and it is usually a false positive. See my answer to this question for an explanation:
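
To make the two answers above concrete, here is an added example of what the weak and the corrected ISAKMP (IKEv1 Phase 1) policy look like on an IOS router, plus the command that turns ISAKMP off if the router terminates no VPN. This is my own illustration, not configuration posted by either commenter or taken from the Cisco documentation linked above. It assumes an IOS 15.x image that accepts `encryption aes 256`, `hash sha256` and `group 14` inside `crypto isakmp policy`; on older images fall back to `hash sha` and `group 5`. The policy numbers, the peer address 203.0.113.2 and the pre-shared key are placeholders.

```cisco
! --- What the scanner is complaining about: a Phase-1 policy that still offers
!     DES, MD5 and the 768-bit Diffie-Hellman group 1. Shown only for contrast.
crypto isakmp policy 1
 encryption des
 hash md5
 authentication pre-share
 group 1

! --- Hardened replacement. Remove the weak policy, then define one that offers
!     only AES-256, SHA-256 and DH group 14 (2048-bit MODP). The sha256 and
!     group 14 keywords assume IOS 15.x; older images may only take
!     "hash sha" and "group 5".
configure terminal
no crypto isakmp policy 1
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
exit
! Placeholder peer and key; the remote peer must be configured to match.
crypto isakmp key <STRONG-PSK> address 203.0.113.2
end

! --- Verify. Every policy listed must be free of des/3des, md5 and groups 1/2.
!     Images that ship built-in default policies (65507-65514) still offer 3DES
!     in some of them, so disable the defaults and leave only policy 10.
show crypto isakmp policy
configure terminal
no crypto isakmp default policy
end

! --- If the router terminates no IPsec VPN at all, stop listening on UDP/500
!     instead of hardening the policy:
configure terminal
no crypto isakmp enable
end
```

After either change, re-run the scan: with the hardened policy the router should still answer on UDP/500 but reject any proposal containing DES, MD5 or group 1; with ISAKMP disabled the port should stop answering altogether. Lines beginning with `!` are IOS comments and can be pasted along with the commands.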
