Cisco IKEv1 is still popular in VPN configuration. Most of my vpn configuration is based on IKE v1 although there are more demands for v2. I had a post “Cisco Router IKE v2 Site to Site IPSec VPN Configuration” to quickly show what the difference is between v1 and v2, and how to do v2 configuration. Recently some vulnerabilities scan tools raised a red flag to my IKE v1 configuration.
There is IKE v1 vulnerability found and it lists severity level high.
Based on Cisco documentation,
Cisco IOS Software, IOS-XE Software, and IOS-XR Software contains a vulnerability when processing a specially crafted IP version 4 (IPv4) or IP version 6 (IPv6) packet. This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability could allow information disclosure, which enables an attacker to learn information about the affected device and network.
The attack vectors for exploitation are through IPv4 and IPv6 packets using the following protocols and ports:
- IKE using UDP port 500
- GDOI using UDP port 848
- IKE NAT-T using UDP port 4500
- GDOI NAT-T using UDP port 4848
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2016-6415.
Some Commands to verify ports:
show control-plane host open-ports | i 500
show control-plane host open-ports | i 4500
show control-plane host open-ports | i 848
show control-plane host open-ports | i 4848
sh ip sockets | i 500
sh ip sockets | i 4500
sh ip sockets | i 848
sh ip sockets | i 4848
show udp | i 500
show udp | i 4500
show udp | i 848
show udp | i 4848
router#show run | include crypto map|tunnel protection ipsec|crypto gdoi
router#show ip sock
router#show ip sockets | inc 500
17 –listen– 22.214.171.124 500 0 0 1011 0
17(v6) –listen– FE80::1 500 0 0 20011 0
17 –listen– 126.96.36.199 4500 0 0 1011 0
17(v6) –listen– FE80::1 4500 0 0 20011 0
There are more details from Cisco Security Advisory, but basically there is no workaround for it.
There are no workarounds for this vulnerability.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.”
Disable IKEv1 will limit the exposure. But if the vpn (ikev1) is mandatory service , adding an access control list on the Internet facing interfaces to block udp 4500 and 500 from all except selected trusted peers. This will lock your IKEv1 session down and not allow unsolicited IKEv1 packet.
interface GigabitEthernet0/0 description Internet ip address 188.8.131.52 255.255.255.248 ip access-group tACL-Policy in ip accounting output-packets
ip access-list extended tACL-Policy permit udp host 184.108.40.206 host 220.127.116.11 eq isakmp permit udp host 18.104.22.168 host 22.214.171.124 eq 848 permit udp host 126.96.36.199 host 188.8.131.52 eq non500-isakmp permit udp host 184.108.40.206 host 220.127.116.11 eq 4848 deny udp any host 18.104.22.168 eq isakmp deny udp any host 22.214.171.124 eq 848 deny udp any host 126.96.36.199 eq non500-isakmp deny udp any host 188.8.131.52 eq 4848 permit ip any any
We can use ike-scan to verify the configuration. here is the latest 1.9 download link
ike-scan is a command-line IPSec VPN Scanner & Testing Tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.
Before apply the access-list
C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 184.108.40.206 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 220.127.116.11 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=70dd9f5de5a9509e) Ending ike-scan 1.9: 1 hosts scanned in 0.052 seconds (19.23 hosts/sec). 0 returned handshake; 1 returned notifyC:\Tools\ike-scan-win32-1.9>
After apply the access-listC:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 18.104.22.168 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) Ending ike-scan 1.9: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify C:\Tools\ike-scan-win32-1.9>