Cisco IKEv1 is still popular in VPN configurations. Most of my VPN configuration is based on IKEv1, although there is more demand for v2. I had a post, "Cisco Router IKE v2 Site to Site IPSec VPN Configuration", that quickly shows the difference between v1 and v2 and how to do a v2 configuration. Recently some vulnerability scan tools raised a red flag on my IKEv1 configuration.
Symptoms
An IKEv1 vulnerability was found, listed at severity level High.
From the Cisco documentation:
Cisco IOS Software, IOS XE Software, and IOS XR Software contain a vulnerability when processing a specially crafted IP version 4 (IPv4) or IP version 6 (IPv6) packet. This vulnerability can be exploited remotely without authentication and without end-user interaction. Successful exploitation of this vulnerability could allow information disclosure, which enables an attacker to learn information about the affected device and network.
The attack vectors for exploitation are through IPv4 and IPv6 packets using the following protocols and ports:
- IKE using UDP port 500
- GDOI using UDP port 848
- IKE NAT-T using UDP port 4500
- GDOI NAT-T using UDP port 4848
This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2016-6415.
Some commands to verify which UDP ports the router is listening on. Note that a filter of "include 500" also matches lines containing 4500, and "include 848" also matches 4848, so read the port column in the output rather than trusting the filter alone:
show control-plane host open-ports | include 500
show control-plane host open-ports | include 4500
show control-plane host open-ports | include 848
show control-plane host open-ports | include 4848
show ip sockets | include 500
show ip sockets | include 4500
show ip sockets | include 848
show ip sockets | include 4848
show udp | include 500
show udp | include 4500
show udp | include 848
show udp | include 4848
To see which features make the router run IKE (crypto maps, tunnel protection, or GDOI), filter the running configuration:
router#show run | include crypto map|tunnel protection ipsec|crypto gdoi
Then confirm the listening sockets. On my router both IPv4 (12.8.12.222) and the IPv6 link-local address (FE80::1) were listening on 500 (ISAKMP) and 4500 (NAT-T); protocol 17 is UDP:
router#show ip sockets | include 500
17       --listen--      12.8.12.222   500   0 0 1011  0
17(v6)   --listen--      FE80::1       500   0 0 20011 0
17       --listen--      12.8.12.222   4500  0 0 1011  0
17(v6)   --listen--      FE80::1       4500  0 0 20011 0
Solution:
There are more details in the Cisco Security Advisory, but basically there is no workaround for it:
“Workarounds
There are no workarounds for this vulnerability.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
Administrators are advised to monitor affected systems.”
Disabling IKEv1 limits the exposure. If the IKEv1 VPN is a mandatory service, add an access control list on the Internet-facing interface that blocks UDP 500 and 4500 (and 848 and 4848 if GDOI is used) from every source except the selected trusted peers. This locks the IKEv1 listener down so unsolicited IKEv1 packets are dropped before the IKE code ever processes them. Two caveats: the ACL below filters IPv4 only, so if the router also listens on IPv6 (as the FE80::1 entries in the show ip sockets output show), an IPv6 traffic filter is needed as well; and because IKE runs over UDP, a packet with a spoofed trusted-peer source address still passes the ACL, so treat this as a mitigation that reduces exposure and follow the advisory for fixed software.
interface GigabitEthernet0/0
 description Internet
 ip address 35.11.11.11 255.255.255.248
 ip access-group tACL-Policy in
 ip accounting output-packets
!
ip access-list extended tACL-Policy
 permit udp host 16.16.13.14 host 35.11.11.11 eq isakmp
 permit udp host 16.16.13.14 host 35.11.11.11 eq 848
 permit udp host 16.16.13.14 host 35.11.11.11 eq non500-isakmp
 permit udp host 16.16.13.14 host 35.11.11.11 eq 4848
 deny udp any host 35.11.11.11 eq isakmp
 deny udp any host 35.11.11.11 eq 848
 deny udp any host 35.11.11.11 eq non500-isakmp
 deny udp any host 35.11.11.11 eq 4848
 permit ip any any
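An ACL is easy to get wrong in ordering, so here is a small first-match evaluator for the Cisco extended ACL syntax used above. This is an added example, not Cisco code and not part of the original post; the ACL text is the post's own, and the test packets (the 203.0.113.9 source address in particular) are constructed to show which traffic the tACL permits and which it drops.

```python
"""First-match evaluator for Cisco extended ACL syntax, added as an example
(not Cisco code, not the post's) to check offline what tACL-Policy permits.
The ACL text is the post's; the packets in check_tacl() are constructed."""
import ipaddress

# Port keywords IOS shows in place of numbers; 848/4848 stay numeric
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

TACL_POLICY = """
ip access-list extended tACL-Policy
 permit udp host 16.16.13.14 host 35.11.11.11 eq isakmp
 permit udp host 16.16.13.14 host 35.11.11.11 eq 848
 permit udp host 16.16.13.14 host 35.11.11.11 eq non500-isakmp
 permit udp host 16.16.13.14 host 35.11.11.11 eq 4848
 deny udp any host 35.11.11.11 eq isakmp
 deny udp any host 35.11.11.11 eq 848
 deny udp any host 35.11.11.11 eq non500-isakmp
 deny udp any host 35.11.11.11 eq 4848
 permit ip any any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return ((net, wildcard), rest).
    Wildcard bits set to 1 are don't-care, the inverse of a subnet mask."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(text):
    """Return (name, entries) for one 'ip access-list extended' block."""
    name, entries = None, []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] in ("!", "remark"):
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            name = t[3]
            continue
        if t[0] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        src, rest = _addr_spec(t[2:])
        dst, rest = _addr_spec(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        if rest:
            raise ValueError("unsupported trailer: " + line)
        entries.append({"action": t[0], "proto": t[1], "src": src,
                        "dst": dst, "dport": dport})
    return name, entries


def _match(addr, spec):
    net, wild = spec
    return (_ip(addr) | wild) == (net | wild)


def evaluate(entries, proto, src, dst, dport=None):
    """First matching ACE wins; return (action, index).  No match hits the
    implicit deny at the end of every IOS ACL, reported as ("deny", None)."""
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if _match(src, e["src"]) and _match(dst, e["dst"]):
            return e["action"], i
    return "deny", None


def check_tacl():
    """Constructed packets against the post's ACL: IKE from the trusted peer
    passes, IKE/NAT-T from anyone else is dropped, everything else passes."""
    _name, entries = parse_acl(TACL_POLICY)
    packets = [("udp", "16.16.13.14", "35.11.11.11", 500),
               ("udp", "16.16.13.14", "35.11.11.11", 4500),
               ("udp", "203.0.113.9", "35.11.11.11", 500),   # scanner on the Internet
               ("udp", "203.0.113.9", "35.11.11.11", 4500),
               ("udp", "203.0.113.9", "35.11.11.11", 53),
               ("tcp", "203.0.113.9", "35.11.11.11", 22)]
    return {p: evaluate(entries, *p)[0] for p in packets}
```

Dropping the final permit ip any any line from the text shows the implicit deny: the same SSH packet then comes back as ("deny", None), which is the classic way a transit ACL ends up blocking the management traffic it was never meant to touch.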
Verify:
We can use ike-scan to verify the configuration. Here are the 1.9 download links:
Source distribution: ike-scan-1.9.tar.gz
Windows binary: ike-scan-win32-1.9.zip
ike-scan is a command-line IPsec VPN scanner and testing tool for discovering, fingerprinting and testing IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the specified hosts and displays any responses that are received. By default it sends from UDP source port 500, which needs administrator rights to bind; --sport=0 picks a random source port instead.
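To make the scanner output below readable, here is a minimal IKEv1 probe builder and reply parser in Python. It is an added example, not ike-scan's code and not from the original post: build_ikev1_probe() produces the single Main Mode message that a one-transform scan sends, and parse_ikev1_response() walks the reply's payload chain the way ike-scan does when it prints "Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=...)". The reply bytes in sample_no_proposal_chosen() are constructed from the RFC 2408 layout, not captured from a router; the live probe() function sends to a host you name and is the only part that touches the network.

```python
"""Minimal IKEv1 (ISAKMP, RFC 2408/2409) Phase-1 probe and reply parser.
Added example, not ike-scan's code or the original post's.  The sample
reply is constructed, not captured."""
import os
import socket
import struct

# ISAKMP header: CKY-I(8) CKY-R(8) next payload(1) version(1) exchange(1)
# flags(1) message id(4) length(4) = 28 bytes
HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_HDR = struct.Struct("!BBH")        # next payload, reserved, length
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
XCHG_MAIN_MODE, XCHG_INFORMATIONAL = 2, 5
IKEV1_VERSION = 0x10                        # major 1, minor 0
DOI_IPSEC, SIT_IDENTITY_ONLY, PROTO_ISAKMP, KEY_IKE = 1, 1, 1, 1
# Notify message types, RFC 2408 section 3.14.1 (subset)
NOTIFY_NAMES = {1: "INVALID-PAYLOAD-TYPE", 4: "INVALID-COOKIE",
                7: "INVALID-EXCHANGE-TYPE", 14: "NO-PROPOSAL-CHOSEN",
                16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION"}


def _attr_basic(atype, value):
    """Basic transform attribute (2-byte value): high bit of the type is set."""
    return struct.pack("!HH", 0x8000 | atype, value)


def _attr_var(atype, data):
    """Variable-length transform attribute: type, length, data."""
    return struct.pack("!HH", atype, len(data)) + data


def build_ikev1_probe(cky_i):
    """Main Mode message 1: header + SA payload offering one transform
    (3DES-CBC, SHA1, pre-shared key, DH group 2, 28800 s lifetime)."""
    assert len(cky_i) == 8
    attrs = (_attr_basic(1, 5) + _attr_basic(2, 2) + _attr_basic(3, 1)
             + _attr_basic(4, 2) + _attr_basic(11, 1)
             + _attr_var(12, struct.pack("!I", 28800)))
    # transform #1, transform id KEY_IKE, two reserved bytes
    transform = (PAYLOAD_HDR.pack(PAYLOAD_NONE, 0, 8 + len(attrs))
                 + struct.pack("!BBH", 1, KEY_IKE, 0) + attrs)
    # proposal #1, PROTO_ISAKMP, SPI size 0, one transform
    proposal = (PAYLOAD_HDR.pack(PAYLOAD_NONE, 0, 8 + len(transform))
                + struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, 1) + transform)
    sa_body = struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal
    sa = PAYLOAD_HDR.pack(PAYLOAD_NONE, 0, 4 + len(sa_body)) + sa_body
    hdr = HDR.pack(cky_i, b"\0" * 8, PAYLOAD_SA, IKEV1_VERSION, XCHG_MAIN_MODE,
                   0, 0, HDR.size + len(sa))
    return hdr + sa


def parse_ikev1_response(data):
    """Walk the payload chain of a reply and classify it as ike-scan does:
    an SA payload back is a handshake, a Notification payload is an error."""
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    _ci, cky_r, nxt, ver, xchg, _fl, _mid, length = HDR.unpack_from(data)
    if ver >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (ver >> 4))
    if length != len(data):
        raise ValueError("header length %d != datagram %d" % (length, len(data)))
    result = {"cky_r": cky_r.hex(), "exchange": xchg, "kind": "other",
              "notify_type": None, "notify_name": None}
    off = HDR.size
    while nxt != PAYLOAD_NONE:
        ptype = nxt
        nxt, _res, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError("bad payload length at offset %d" % off)
        body = data[off + PAYLOAD_HDR.size:off + plen]
        if ptype == PAYLOAD_SA:
            result["kind"] = "handshake"
        elif ptype == PAYLOAD_NOTIFY:
            # DOI(4) protocol id(1) SPI size(1) notify type(2) [SPI] [data]
            _doi, _proto, _spi_size, ntype = struct.unpack_from("!IBBH", body)
            result.update(kind="notify", notify_type=ntype,
                          notify_name=NOTIFY_NAMES.get(ntype, "UNKNOWN"))
        off += plen
    return result


def sample_no_proposal_chosen(cky_i):
    """Constructed reply (not a capture) shaped like the one behind ike-scan's
    'Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=70dd9f5de5a9509e)'."""
    body = struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, 0, 14)
    notify = PAYLOAD_HDR.pack(PAYLOAD_NONE, 0, 4 + len(body)) + body
    hdr = HDR.pack(cky_i, bytes.fromhex("70dd9f5de5a9509e"), PAYLOAD_NOTIFY,
                   IKEV1_VERSION, XCHG_INFORMATIONAL, 0, 0, HDR.size + len(notify))
    return hdr + notify


def probe(host, timeout=2.0):
    """Send one probe to UDP/500 from a random source port (ike-scan --sport=0)
    and return the parsed reply, or None on timeout, which is what a host behind
    the tACL sees.  Needs network access; nothing calls it at import time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ikev1_probe(os.urandom(8)), (host, 500))
        try:
            data, _peer = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_ikev1_response(data)


SAMPLE_CKY_I = bytes.fromhex("0011223344556677")
SAMPLE_REPLY = sample_no_proposal_chosen(SAMPLE_CKY_I)
```

The point to take from the parser is that any well-formed reply, handshake or Notify, proves the IKEv1 listener accepted and processed an unsolicited packet from the scanning host; NO-PROPOSAL-CHOSEN only says the offered transform did not match policy. probe("35.11.11.11") from an untrusted address should return None once the tACL is in place, and a Notify or handshake from the trusted peer.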
Before applying the access list:

C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 35.11.11.11
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
35.11.11.11 Notify message 14 (NO-PROPOSAL-CHOSEN) HDR=(CKY-R=70dd9f5de5a9509e)

Ending ike-scan 1.9: 1 hosts scanned in 0.052 seconds (19.23 hosts/sec). 0 returned handshake; 1 returned notify

The router answered an unsolicited IKE packet from an untrusted host. NO-PROPOSAL-CHOSEN only means none of ike-scan's default transforms matched the router's policy; the reply itself shows the IKEv1 listener is reachable from the Internet.

After applying the access list:

C:\Tools\ike-scan-win32-1.9>ike-scan.exe --sport=0 35.11.11.11
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.441 seconds (0.41 hosts/sec). 0 returned handshake; 0 returned notify

No response at all: the tACL dropped the probe. Run the same scan from the trusted peer address to confirm the permitted path still works.

Reference:
- IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products
- Ike-scan Frequently Asked Questions