The CV211 Laptop USB Console Adapter provides a direct Laptop-to-Computer connection for fast and easy remote desktop access with no software to install.
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Cisco Router VPN main mode for client
Posted on 2015-02-14
Our company failed an audit because ike-scan says that we have an open aggressive ike connection visible externally. The auditors proposal is to fix the handshake from aggressive to main mode. The problem is, I'm not sure how to set it up on VPN Client using shrew soft. Is there a way you can advise how to fix and get rid of the problem below?
Something like this:
a.b.c.10 Aggressive Mode Handshake returned HDR=(CKY-R=353da776bbb4b99
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28
800) VID=12f5f28c457168a9702d9f
96fc77570100 (Dead Peer Detection v1.0) VID=c0fa006bbbb5b99678f8a0
=09002689dfd6b712 (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=a
.b.c.10) Nonce(20 bytes) Hash(16 bytes)
a.b.c.77 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=36431b96ca6a9cf
a.b.c.105 Aggressive Mode Handshake returned HDR=(CKY-R=1ecbf70ceb9f629
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28
800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696
r Detection v1.0) VID=12f5f28c457168a9702d9f
1eb9e629b323f3948e404dff2 KeyExchange(128 bytes) ID(Type=ID_FQDN, Value=pix01.
somecompany.com) Nonce(20 bytes) Hash(16 bytes)
a.b.c.130 Unexpected IKE payload returned: Delete Notification=(Type=INVALID
Ending ike-scan 1.9: 256 hosts scanned in 42.905 seconds (5.97 hosts/sec). 2 re
turned handshake; 1 returned notify
Something like this:
a.b.c.10 Aggressive Mode Handshake returned HDR=(CKY-R=353da776bbb4b99
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28
800) VID=12f5f28c457168a9702d9f
96fc77570100 (Dead Peer Detection v1.0) VID=c0fa006bbbb5b99678f8a0
=09002689dfd6b712 (XAUTH) KeyExchange(128 bytes) ID(Type=ID_IPV4_ADDR, Value=a
.b.c.10) Nonce(20 bytes) Hash(16 bytes)
a.b.c.77 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=36431b96ca6a9cf
a.b.c.105 Aggressive Mode Handshake returned HDR=(CKY-R=1ecbf70ceb9f629
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28
800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696
r Detection v1.0) VID=12f5f28c457168a9702d9f
1eb9e629b323f3948e404dff2 KeyExchange(128 bytes) ID(Type=ID_FQDN, Value=pix01.
somecompany.com) Nonce(20 bytes) Hash(16 bytes)
a.b.c.130 Unexpected IKE payload returned: Delete Notification=(Type=INVALID
Ending ike-scan 1.9: 256 hosts scanned in 42.905 seconds (5.97 hosts/sec). 2 re
turned handshake; 1 returned notify
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
6-
4
11 Comments
Active today
I do not know the settings for your router.
IKE with Preshared Key
Phase 1 DH Group 2
Phase 1 3DES
Phase 1 SHA1
Phase 2 the same
PFS not enabled
Aggressive Mode not enabled (so Main mode is used)
NAT Traversal enabled.
You would have other settings but I checked all client tunnels and Aggressive Mode is not ever enabled.
Perhaps you can match the above to your settings.
IKE with Preshared Key
Phase 1 DH Group 2
Phase 1 3DES
Phase 1 SHA1
Phase 2 the same
PFS not enabled
Aggressive Mode not enabled (so Main mode is used)
NAT Traversal enabled.
You would have other settings but I checked all client tunnels and Aggressive Mode is not ever enabled.
Perhaps you can match the above to your settings.
Active 7 days ago
That's what I have currently:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 14
lifetime 28800
crypto isakmp keepalive 10
crypto ipsec transform-set PDBENC esp-3des esp-sha-hmac
Is this good?
crypto isakmp policy 3
encr 3des
authentication pre-share
group 14
lifetime 28800
crypto isakmp keepalive 10
crypto ipsec transform-set PDBENC esp-3des esp-sha-hmac
Is this good?
Active today
Looks comparable to my settings. Make sure Main Mode is set or Aggressive Mode is not checked.
Active today
Also, you may need to use Aggressive Mode with remote software clients. I have to do that because the remote end is not fixed at all. I should think your auditor would understand that.
So site-to-site is all Main Mode and site-to-client is Aggressive Mode for the client software.
So site-to-site is all Main Mode and site-to-client is Aggressive Mode for the client software.
Active 7 days ago
I talked to my auditor. He said there's no security in an aggressive mode. All routers have capability to setup IKEv2 with main mode. Question is, how do we do that on cli?
IKEv2 for Client VPN's is only available with FlexVPN (Anyconnect and G2 ISRs/ASRs) or Cisco ASAs.
What router do you have?
Edit: Just saw you taged it with Cisco 1181 (Assuming you mean 1811). You cannot use FlexVPN on this product. Your next best would be to perhaps move to WebVPN and use SSL, however that too has attack vectors. If you want to get your audit up, you will need to move to a different platform, either that or accept your current standing.
If you want main mode, you have to move to certs instead of PSK.
What router do you have?
Edit: Just saw you taged it with Cisco 1181 (Assuming you mean 1811). You cannot use FlexVPN on this product. Your next best would be to perhaps move to WebVPN and use SSL, however that too has attack vectors. If you want to get your audit up, you will need to move to a different platform, either that or accept your current standing.
If you want main mode, you have to move to certs instead of PSK.
Active today
He said there's no security in an aggressive mode <-- I do not think that is correct at all. Aggressive is needed (I think) on remote access software clients.
Active today
Please read the article below:
http://www.internet-computer-security.com/VPN-Guide/Aggressive-Mode.html
It says that Aggressive Mode is not as secure in Phase 1 communication because that one exchange is in clear text. The resulting tunnel is NOT in clear text or insecure. Only for a split second is there is a lesser security.
It also says Aggressive mode is used for remote application software (which I said above) and when dynamic addressing is used (which I said above).
So the resulting tunnel Main and Aggressive is the same and there is only a split second when one Phase is insecure. IPsec change the security key on an ongoing basis from the key supplied.
I hope this helps.
http://www.internet-computer-security.com/VPN-Guide/Aggressive-Mode.html
It says that Aggressive Mode is not as secure in Phase 1 communication because that one exchange is in clear text. The resulting tunnel is NOT in clear text or insecure. Only for a split second is there is a lesser security.
It also says Aggressive mode is used for remote application software (which I said above) and when dynamic addressing is used (which I said above).
So the resulting tunnel Main and Aggressive is the same and there is only a split second when one Phase is insecure. IPsec change the security key on an ongoing basis from the key supplied.
I hope this helps.
Active 7 days ago
Yeah I looked at it. I can't setup main mode. It doesn't work on my old Cisco router though I manage to increase the encryption to group 14, sha256, and aes256. This way it has the highest form of encryption. I left aggressive running. I tested the Ike tester and now I get different error. I'll ask my auditor what he thinks and go from there. Thanks for your help. I'll update you all on Wednesday.
Active today
I think your auditor is overdoing it. There is no real issue with Aggressive Mode in a dynamic, remote installation. Some hacker would have to sit on the remote site at the split second the user transmits Phase 1. The odds are really tiny.
The encryption I gave you is reasonable. Your increased encryption is probably better but needs more hardware and remote application horsepower to keep up.
I have had Main Mode site to site tunnels up at clients for nearly 15 years (OS and security upgraded along the way) and zero transgressions.
The encryption I gave you is reasonable. Your increased encryption is probably better but needs more hardware and remote application horsepower to keep up.
I have had Main Mode site to site tunnels up at clients for nearly 15 years (OS and security upgraded along the way) and zero transgressions.
Featured Post
Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Tired of waiting for your show or movie to load? Are buffering issues a constant problem with your internet connection? Check this article out to see if these simple adjustments are the solution for you.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market. Every year, Cisco displays cutting-edge technol…
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely.
Download Secure Shell:
Follow basic installation instructions:
Open Secure Shell and use "Quick Connect" to enter credentials includi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month4 days, 23 hours left to enroll
635 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.