Cisco IKEv1 is still popular in VPN configuration. Most of my vpn configuration is based on IKE v1 although there are more demands for v2. I had a post “Cisco Router IKE v2 Site to Site IPSec VPN Configuration” to quickly show what the difference is between v1 and v2, and how to do v2 configuration. Recently some vulnerabilities scan tools raised a red flag to my IKE v1 configuration.
There is IKE v1 vulnerability found and it lists severity level high.
Based on Cisco documentation,
Cisco IOS Software, IOS-XE Software, and IOS-XR Software contains a vulnerability when processing a specially crafted IP version 4 (IPv4) or IP version 6 (IPv6) packet. This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability could allow information disclosure, which enables an attacker to learn information about the affected device and network.
The attack vectors for exploitation are through IPv4 and IPv6 packets using the following protocols and ports:
- IKE using UDP port 500
- GDOI using UDP port 848
- IKE NAT-T using UDP port 4500
- GDOI NAT-T using UDP port 4848
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2016-6415.
Some Commands to verify ports:
show control-plane host open-ports | i 500
show control-plane host open-ports | i 4500
show control-plane host open-ports | i 848
show control-plane host open-ports | i 4848
sh ip sockets | i 500
sh ip sockets | i 4500
sh ip sockets | i 848
sh ip sockets | i 4848
show udp | i 500
show udp | i 4500
show udp | i 848
show udp | i 4848
router#show run | include crypto map|tunnel protection ipsec|crypto gdoi
router#show ip sock
router#show ip sockets | inc 500
17 –listen– 184.108.40.206 500 0 0 1011 0
17(v6) –listen– FE80::1 500 0 0 20011 0
17 –listen– 220.127.116.11 4500 0 0 1011 0
17(v6) –listen– FE80::1 4500 0 0 20011 0
There are more details from Cisco Security Advisory, but basically there is no workaround for it.
There are no workarounds for this vulnerability.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.”
Disable IKEv1 will limit the exposure. But if the vpn (ikev1) is mandatory service , adding an access control list on the Internet facing interfaces to block udp 4500 and 500 from all except selected trusted peers. This will lock your IKEv1 session down and not allow unsolicited IKEv1 packet.
interface GigabitEthernet0/0 description Internet ip address 18.104.22.168 255.255.255.248 ip access-group tACL-Policy in ip accounting output-packets
ip access-list extended tACL-Policy permit udp host 22.214.171.124 host 126.96.36.199 eq isakmp permit udp host 188.8.131.52 host 184.108.40.206 eq 848 permit udp host 220.127.116.11 host 18.104.22.168 eq non500-isakmp permit udp host 22.214.171.124 host 126.96.36.199 eq 4848 deny udp any host 188.8.131.52 eq isakmp deny udp any host 184.108.40.206 eq 848 deny udp any host 220.127.116.11 eq non500-isakmp deny udp any host 18.104.22.168 eq 4848 permit ip any any
We can use ike-scan to verify the configuration. here is the latest 1.9 download link
ike-scan is a command-line IPSec VPN Scanner & Testing Tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts, and displays any responses that are received.
Before apply the access-list
C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 22.214.171.124 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) 126.96.36.199 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=70dd9f5de5a9509e) Ending ike-scan 1.9: 1 hosts scanned in 0.052 seconds (19.23 hosts/sec). 0 returned handshake; 1 returned notifyC:\Tools\ike-scan-win32-1.9>
After apply the access-listC:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 188.8.131.52 Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/) Ending ike-scan 1.9: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify C:\Tools\ike-scan-win32-1.9>