Our company failed an audit because ike-scan says that we have an open aggressive IKE connection visible externally. The auditor's proposal is to fix the handshake from aggressive to main mode. The problem is, I'm not sure how to set it up on the VPN client using Shrew Soft. Is there a way you can advise how to fix and get rid of the problem below?
IKE with Preshared Key
Phase 1 DH Group 2
Phase 1 3DES
Phase 1 SHA1
Phase 2 the same
PFS not enabled
Aggressive Mode not enabled (so Main mode is used)
NAT Traversal enabled.
You would have other settings, but I checked all client tunnels and Aggressive Mode is never enabled.
Also, you may need to use Aggressive Mode with remote software clients. I have to do that because the remote end is not fixed at all. I should think your auditor would understand that.
So site-to-site is all Main Mode and site-to-client is Aggressive Mode for the client software.
I talked to my auditor. He said there's no security in aggressive mode. All routers have the capability to set up IKEv2 with main mode. Question is, how do we do that on the CLI?
Daniel Sheppard, Network Administrator/Engineer/Architect, commented:
IKEv2 for client VPNs is only available with FlexVPN (AnyConnect and G2 ISRs/ASRs) or Cisco ASAs.
What router do you have?
Edit: Just saw you tagged it with Cisco 1181 (assuming you mean 1811). You cannot use FlexVPN on this product. Your next best would be to perhaps move to WebVPN and use SSL; however, that too has attack vectors. If you want to get your audit up, you will need to move to a different platform, either that or accept your current standing.
If you want main mode, you have to move to certs instead of PSK.
He said there's no security in an aggressive mode <-- I do not think that is correct at all. Aggressive is needed (I think) on remote access software clients.
It says that Aggressive Mode is not as secure in Phase 1 communication because that one exchange is in clear text. The resulting tunnel is NOT in clear text or insecure. Only for a split second is there lesser security.
It also says Aggressive mode is used for remote application software (which I said above) and when dynamic addressing is used (which I said above).
So the resulting tunnel, Main or Aggressive, is the same, and there is only a split second when one Phase is insecure. IPsec changes the security key on an ongoing basis from the key supplied.
Yeah, I looked at it. I can't set up main mode. It doesn't work on my old Cisco router, though I managed to increase the encryption to group 14, SHA256, and AES256. This way it has the highest form of encryption. I left aggressive running. I tested the IKE tester and now I get a different error. I'll ask my auditor what he thinks and go from there. Thanks for your help. I'll update you all on Wednesday.
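The check the auditor ran, as an added example that is not part of this thread: a POSIX shell script wrapping ike-scan to probe an IKEv1 endpoint in main and aggressive mode and triage the reply. The endpoint 203.0.113.1, the group name vpngroup, the wordlist path and the SAMPLE_* output lines embedded in the script are constructed placeholders, not captures from the poster's router. What it shows that the prose above does not: an aggressive-mode reply with Auth=PSK carries the responder's hash in the clear, and psk-crack can attack that hash offline against a wordlist long after the handshake is over, so the exposure is not limited to the moment of the exchange; and a responder that still answers a 3DES/SHA1/DH2 proposal after the policy was raised has not actually retired the weak settings.

```shell
#!/bin/sh
# Added example (not code from the thread): reproduce the auditor's ike-scan
# check against an IKEv1 endpoint and triage what comes back.
# Assumptions: endpoint 203.0.113.1 and client group name "vpngroup" are
# placeholders; ike-scan and psk-crack are installed and the live probes run
# as root (ike-scan binds UDP/500). The SAMPLE_* lines below are constructed
# to look like ike-scan's single-line output; they are not real captures.
#
# ike-scan options used: -A aggressive mode, --id=<name> the identity sent in
# aggressive mode, --pskcrack=<file> save the responder hash for psk-crack,
# --trans=<enc,hash,auth,group> offer exactly one phase-1 proposal.

TARGET="${1:-203.0.113.1}"
GROUP="${2:-vpngroup}"

# Phase-1 proposals in ike-scan's --trans notation (enc,hash,auth,group),
# using the IANA IKEv1 attribute numbers.
WEAK_TRANS="5,2,1,2"          # 3DES, SHA1, PSK, DH group 2: the thread's original settings
STRONG_TRANS="7/256,4,1,14"   # AES-256, SHA-256, PSK, DH group 14: the raised settings

# --- live probes (only run when RUN_LIVE=1) ---------------------------------
main_mode_probe()       { ike-scan "$1"; }
aggressive_mode_probe() { ike-scan -A --id="$2" --pskcrack="psk-$1.txt" "$1"; }
proposal_probe()        { ike-scan --trans="$2" "$1"; }
# Offline follow-up once psk-<host>.txt exists (wordlist path is a placeholder):
#   psk-crack -d /usr/share/wordlists/rockyou.txt psk-203.0.113.1.txt

# --- triage of ike-scan output -----------------------------------------------
# Classify one host's reply. An aggressive-mode reply that carries Auth=PSK
# and a Hash(...) payload is exactly the finding the audit reported.
classify() {
  case "$1" in
    *"Aggressive Mode Handshake returned"*"Auth=PSK"*"Hash("*) echo "AGGRESSIVE_PSK" ;;
    *"Aggressive Mode Handshake returned"*)                     echo "AGGRESSIVE" ;;
    *"Main Mode Handshake returned"*)                           echo "MAIN" ;;
    *"Notify message"*)                                         echo "NOTIFY" ;;
    *)                                                          echo "NO_RESPONSE" ;;
  esac
}

# Pull the accepted phase-1 proposal out of the SA=(...) field.
proposal_of() { printf '%s\n' "$1" | sed -n 's/.*SA=(\([^)]*\)).*/\1/p'; }

# List the accepted attributes an auditor would flag as weak.
weak_params() {
  weak_out=""
  for tok in $(proposal_of "$1"); do
    case "$tok" in
      Enc=DES|Enc=3DES|Hash=MD5|Hash=SHA1|Group=1:*|Group=2:*)
        weak_out="$weak_out${weak_out:+ }$tok" ;;
    esac
  done
  printf '%s\n' "$weak_out"
}

# Human-readable verdict for one reply.
triage() {
  case "$(classify "$1")" in
    AGGRESSIVE_PSK) echo "FAIL  aggressive mode + PSK: responder hash sent in the clear, crackable offline with psk-crack" ;;
    AGGRESSIVE)     echo "WARN  aggressive mode answered (non-PSK authentication)" ;;
    MAIN)           echo "INFO  main mode answered; only the proposal is disclosed" ;;
    NOTIFY)         echo "INFO  endpoint is alive but rejected this proposal" ;;
    *)              echo "INFO  no IKE response" ;;
  esac
  weak=$(weak_params "$1")
  if [ -n "$weak" ]; then echo "WARN  weak phase-1 parameters accepted: $weak"; fi
}

# Constructed sample replies (not real captures).
SAMPLE_AGGRESSIVE='203.0.113.1 Aggressive Mode Handshake returned HDR=(CKY-R=7a3c0f1e9b2d4c85) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=203.0.113.1) Hash(20 bytes)'
SAMPLE_MAIN='203.0.113.1 Main Mode Handshake returned HDR=(CKY-R=7a3c0f1e9b2d4c85) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)'
SAMPLE_STRONG='203.0.113.1 Main Mode Handshake returned HDR=(CKY-R=0c2b9d4e6f1a3857) SA=(Enc=AES KeyLength=256 Hash=SHA256 Group=14:modp2048 Auth=PSK LifeType=Seconds LifeDuration=86400)'
SAMPLE_NOTIFY='203.0.113.1 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=0000000000000000)'

for s in "$SAMPLE_AGGRESSIVE" "$SAMPLE_MAIN" "$SAMPLE_STRONG" "$SAMPLE_NOTIFY"; do
  triage "$s"
done

if [ "${RUN_LIVE:-0}" = 1 ]; then
  triage "$(main_mode_probe "$TARGET")"
  triage "$(aggressive_mode_probe "$TARGET" "$GROUP")"
  triage "$(proposal_probe "$TARGET" "$WEAK_TRANS")"    # still accepted after raising the policy?
  triage "$(proposal_probe "$TARGET" "$STRONG_TRANS")"
fi
```

Run it with no arguments to see the triage of the embedded samples; run `RUN_LIVE=1 sh ike-audit.sh <endpoint> <groupname>` as root to repeat the auditor's probe against a real endpoint. The third live probe is the one worth keeping after any policy change: raising the configured policy to AES-256/SHA-256/DH14 only helps if the responder no longer answers the 3DES/SHA1/DH2 proposal, which is what that probe tests.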
I think your auditor is overdoing it. There is no real issue with Aggressive Mode in a dynamic, remote installation. Some hacker would have to sit on the remote site at the split second the user transmits Phase 1. The odds are really tiny.
The encryption I gave you is reasonable. Your increased encryption is probably better but needs more hardware and remote application horsepower to keep up.
I have had Main Mode site to site tunnels up at clients for nearly 15 years (OS and security upgraded along the way) and zero transgressions.