Cisco IOS
Latest revision as of 17:01, 12 November 2013
Contents
- 1 Platform Notes
- 2 Version History
- 3 Backoff Patterns
- 4 Vendor IDs
- 5 Authentication Methods
- 6 ISAKMP SA Lifetime
- 7 Transform Attribute ordering and re-writing
- 8 Aggressive Mode
- 9 Response to Noncompliant and Malformed Packets
- 10 NAT Traversal
- 11 IKEv2
- 12 Remote Access VPN Client
- 13 Other Interesting Behaviour
- 14 Default Configuration
- 15 Discovered Vulnerabilities
Platform Notes
Cisco IOS runs on Cisco routers. It is relatively rare to see IOS used as an IPsec endpoint; people tend to use a PIX or a VPN Concentrator instead. However, it can run IPsec provided the installed image has a software feature set that supports it.
Cisco IOS images are available in different feature sets, which determine the features that the image supports. Not all feature sets support IPsec.
For those feature sets that do support IPsec, IKE is also supported, and is enabled by default. It can be disabled with the command no crypto isakmp enable. Unlike Cisco PIX, it is not possible to define which interfaces IKE will respond on: if it is enabled, then it is enabled on all interfaces. In practice this means a router with crypto support answers IKE probes on every address it has, including those facing untrusted networks, unless an access list on the interface blocks UDP port 500.
Version History
Version | Release Date | Notes |
---|---|---|
11.2 | Oct 1996 | Cisco CET VPN support added |
11.3 | Dec 1997 | IPsec support added |
12.0 | Sep 1998 | |
12.1 | Apr 2000 | |
12.2 | May 2001 | CET support removed |
12.3 | May 2003 | NAT Traversal and AES Encryption added in 12.2(13)T |
12.4 | May 2005 | ESP SEAL encryption added in 12.3(7)T. Call Admission Control for IKE added in 12.3(8)T |
15.0 | Oct 2009 | |
15.1 | Mar 2010 | IKEv2, IPv6 and Suite B cryptography support added |
15.2 | Jul 2011 | |
Release dates are the FCS dates.
CET (Cisco Encryption Technology) was a Cisco proprietary VPN technology that used 40 or 56-bit DES encryption. It was not compatible with IPsec, and was removed after IOS 12.1.
Cisco introduced IPsec with IKE in IOS 11.3.
Backoff Patterns
Cisco IOS has two different backoff patterns depending on the version. Versions 11.3 and 12.0 have the three-packet pattern:
0, 15, 15
Versions 12.1, 12.2, 12.3, 12.4, 15.0 and possibly later versions as well have the six-packet pattern:
0, 10, 10, 10, 10, 10
Here is an example from a Cisco 2503 running IOS 12.0(28c) showing the older three-packet pattern. The 2503 is a slow platform, so we need to specify a long timeout for the initial response. We also specify a retry limit of one (-r 1) so that ike-scan does not send a retry packet before the 2503 gets round to replying; an initiator retransmission would provoke further responses and distort the observed timings.
$ ike-scan --timeout=5000 -r 1 --showbackoff -M 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254    Main Mode Handshake returned
    HDR=(CKY-R=21fc9167fd9f8d79)
    SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

IKE Backoff Patterns:

IP Address         No.    Recv time              Delta Time
192.168.124.254    1      1172828749.249778      0.000000
192.168.124.254    2      1172828764.254496      15.004718
192.168.124.254    3      1172828779.258673      15.004177
192.168.124.254    Implementation guess: Cisco IOS 11.3 or 12.0 / PIX <= 6.2
Here is an example from a Cisco 2503 running IOS 12.2(29) showing the newer six-packet pattern:
$ ike-scan -M --showbackoff -r 1 --timeout=5000 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254    Main Mode Handshake returned
    HDR=(CKY-R=00921e8986961e8d)
    SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

IKE Backoff Patterns:

IP Address         No.    Recv time              Delta Time
192.168.124.254    1      1172357173.566105      0.000000
192.168.124.254    2      1172357183.564396      9.998291
192.168.124.254    3      1172357193.564495      10.000099
192.168.124.254    4      1172357203.564532      10.000037
192.168.124.254    5      1172357213.564637      10.000105
192.168.124.254    6      1172357223.564747      10.000110
192.168.124.254    Implementation guess: Cisco IOS 12.1, 12.2 or 12.3 / Watchguard Firebox / Gnat Box
Here is an example from a Cisco 1721 running IOS 12.4(13a), which also has the new six-packet pattern.
$ ike-scan -M --showbackoff 192.168.124.248
Starting ike-scan 1.9.1 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.248    Main Mode Handshake returned
    HDR=(CKY-R=3065132bf27d88d9)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

IKE Backoff Patterns:

IP Address         No.    Recv time              Delta Time
192.168.124.248    1      1177145540.098512      0.000000
192.168.124.248    2      1177145550.098679      10.000167
192.168.124.248    3      1177145560.098806      10.000127
192.168.124.248    4      1177145570.098935      10.000129
192.168.124.248    5      1177145580.099044      10.000109
192.168.124.248    6      1177145590.099170      10.000126
192.168.124.248    Implementation guess: Cisco IOS 12.1, 12.2 or 12.3 / Watchguard Firebox / Gnat Box / racoon
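As an added example (it is not part of ike-scan or of the original page), the following Python classifies a series of responder receive timestamps against the two IOS patterns above in the way ike-scan's backoff matching works: the number of responder packets and every gap between them must agree with the pattern to within a tolerance. The pattern names and the 0.5 second tolerance are assumptions; the timestamps are copied from the two 2503 outputs above. Note that ike-scan's own guesses above list Watchguard Firebox, Gnat Box and racoon alongside IOS for the six-packet pattern, so a backoff match narrows the candidates rather than proving IOS.

```python
# Added example: backoff-pattern matching in the style of ike-scan --showbackoff.
# Not part of ike-scan or the original page; pattern names and the 0.5 s tolerance
# are assumptions made for this example.

# Expected gaps (seconds) between successive responder packets; the first gap is always 0.
IOS_PATTERNS = {
    "Cisco IOS 11.3 or 12.0": [0, 15, 15],
    "Cisco IOS 12.1, 12.2, 12.3, 12.4 or 15.0": [0, 10, 10, 10, 10, 10],
}


def deltas(recv_times):
    """Gap between each received packet and the one before it (first gap is 0)."""
    return [0.0] + [later - earlier for earlier, later in zip(recv_times, recv_times[1:])]


def match_pattern(recv_times, patterns=IOS_PATTERNS, tolerance=0.5):
    """Names of every pattern with the same packet count whose gaps all agree with
    the observed gaps to within `tolerance` seconds."""
    observed = deltas(recv_times)
    return [name for name, expected in patterns.items()
            if len(expected) == len(observed)
            and all(abs(o - e) <= tolerance for o, e in zip(observed, expected))]


def possible_patterns(recv_times, patterns=IOS_PATTERNS, tolerance=0.5):
    """Patterns of which the observed gaps are a strict prefix: the capture stopped
    early (timeout too short, or the scan ended) before the responder gave up."""
    observed = deltas(recv_times)
    return [name for name, expected in patterns.items()
            if len(expected) > len(observed)
            and all(abs(o - e) <= tolerance for o, e in zip(observed, expected))]


# Receive timestamps copied from the two Cisco 2503 examples above (constructed input)
IOS_12_0_TIMES = [1172828749.249778, 1172828764.254496, 1172828779.258673]
IOS_12_2_TIMES = [1172357173.566105, 1172357183.564396, 1172357193.564495,
                  1172357203.564532, 1172357213.564637, 1172357223.564747]

if __name__ == "__main__":
    for label, times in (("12.0(28c)", IOS_12_0_TIMES), ("12.2(29)", IOS_12_2_TIMES)):
        print(label, [f"{d:.6f}" for d in deltas(times)], match_pattern(times))
    # A capture that stopped after three of the six packets: no exact match, one candidate
    truncated = IOS_12_2_TIMES[:3]
    print("truncated 12.2(29)", match_pattern(truncated), possible_patterns(truncated))
```

The prefix check matters on slow platforms such as the 2503: with too short a --timeout the scan ends before the responder has finished retransmitting, and the three packets that were seen would otherwise look like no known pattern at all.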
Vendor IDs
Cisco IOS does not send any Vendor IDs in the first Main Mode packet, but it does send a Vendor ID in the first Aggressive Mode packet. It is suspected that it sends this same Vendor ID later in the Main Mode exchange, but this has not been proved as ike-scan does not progress past the first IKE packet exchange.
In Aggressive Mode, Cisco IOS returns the following Vendor IDs:
- Cisco Unity (12f5f28c457168a9702d9fe274cc0100) - 12.3 and later
- Dead Peer Detection v1.0 (afcad71368a1f1c96b8696fc77570100) - 12.3 and later
- Cisco IOS VID (data varies, see below) - every version tested, from 12.0 onwards; on 12.0, 12.1 and 12.2 it is the only VID returned
- XAUTH (09002689dfd6b712) - 12.3 and later
The Cisco IOS VID is a 16-byte VID that is not fully understood. The first 8 hex characters (4 bytes) stay the same across consecutive responses from the same router to the same source address, but change with the source address (see the two runs of ten below). The remaining 24 hex characters (12 bytes) differ on every response, although not all of them are random: in every aggressive mode sample on this page, hex characters 9 to 16 (the second group of 4 bytes) equal the last 4 bytes of the responder cookie (CKY-R) in the same packet with a single bit flipped, the low bit of the second of those four bytes. For instance the 12.3(22) sample below has CKY-R=929a1c551f4ea24d and an IOS VID of 675dbb481f4fa24d97c4ed4ffb97600d, and the 12.4(13a) sample has CKY-R=3065132b8f83a56d and c5a2b4368f82a56dee59a8d149b94834. The last 8 bytes show no visible structure. This is detailed further below.
The examples below show the different aggressive mode Vendor ID responses from various versions of Cisco IOS.
IOS 12.1
Here is an aggressive mode response from a Cisco 2621 running IOS 12.1(27b):
$ ike-scan -M -A --trans=5,2,1,2 192.168.124.245
Starting ike-scan 1.9.1 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.245    Aggressive Mode Handshake returned
    HDR=(CKY-R=0e58a94521356284)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=fb9f0e5821346284aa844166a7ac1e7d
    KeyExchange(128 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.124.245)
    Nonce(20 bytes)
    Hash(20 bytes)
IOS 12.2
Here is an aggressive mode response from a Cisco 2503 running IOS 12.2(29):
$ ike-scan -M -A --trans=1,1,1,1 --dhgroup=1 --timeout=5000 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254    Aggressive Mode Handshake returned
    HDR=(CKY-R=70e404e616d03d80)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=8523a3fb16d13d806a4c699b97b80f7c
    KeyExchange(96 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.124.254)
    Nonce(20 bytes)
    Hash(16 bytes)
The Vendor ID payload has the same form as in the 12.1 example above: a single Cisco IOS VID and nothing else (the VID data itself differs, as it does between any two responses).
IOS 12.3
Here is an aggressive mode response from a Cisco 2621 running IOS 12.3(22):
$ ike-scan -M -A --trans=1,1,1,1 --dhgroup=1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Aggressive Mode Handshake returned
    HDR=(CKY-R=929a1c551f4ea24d)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    VID=675dbb481f4fa24d97c4ed4ffb97600d
    VID=09002689dfd6b712 (XAUTH)
    KeyExchange(96 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.124.251)
    Nonce(20 bytes)
    Hash(16 bytes)
IOS 12.4
Here is an aggressive mode response from a Cisco 1721 running IOS 12.4(13a):
$ ike-scan -M -A 192.168.124.248
Starting ike-scan 1.9.1 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.248    Aggressive Mode Handshake returned
    HDR=(CKY-R=3065132b8f83a56d)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    VID=c5a2b4368f82a56dee59a8d149b94834
    VID=09002689dfd6b712 (XAUTH)
    KeyExchange(128 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.124.248)
    Nonce(20 bytes)
    Hash(16 bytes)
IOS 15.0
Here is an aggressive mode response from a Cisco 7206 running IOS 15.0(1)M:
$ ike-scan -A -M --id=xxxxx 192.168.227.150
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.227.150    Aggressive Mode Handshake returned
    HDR=(CKY-R=fb0d4ed48b067f10)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
    VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
    VID=0ecae9c98b077f104bd0a338c2dd3d1d
    VID=09002689dfd6b712 (XAUTH)
    KeyExchange(128 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.227.150)
    Nonce(20 bytes)
    Hash(20 bytes)
Cisco IOS Vendor ID
Below is a sample of ten IOS Vendor IDs obtained from a Cisco 2503 with address 192.168.124.254 running IOS 12.0(28c), tested from address 192.168.124.7:
d43b367ab647876bd660fe906ade084f
d43b367a4364ccae0d21a59f2c4c8397
d43b367aca681207aedf6f7e2ff0465c
d43b367aa6bf6e7a664c8753d7cb1a97
d43b367aba95186f42b54a5633a36dd8
d43b367a7f9df7db34c8fd2e2c7e7d1b
d43b367a2c20548c0755ae5011d0a3ca
d43b367a52e7dbd10cb2457751ee3eb1
d43b367ab4d02aec2ebbedd67cfa7155
d43b367a5f546d13192e5a962330518b
And here are ten vendor IDs from the same router, running the same IOS version, tested from IP address 192.168.124.3:
354b9745bb21c796c449206384743d7e
354b9745d03391e60d59f0758a8348db
354b97454bdee79a490820ac26de60b6
354b9745038eaa34c236453b826f10a4
354b97453a705818f7da13388df04d03
354b974529ea9812f7d3fa907caf77c1
354b974595750413369a32ac7cabe1f5
354b9745a3b1e976581c0208a403152c
354b9745afaa5fd5127722dad70a7534
354b97452694f5b91c7c74aa70d08692
This IOS Vendor ID is also returned by the Cisco PIX.
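The following Python is an added example (not part of ike-scan or of the original page) that pulls the responder cookie and the Vendor ID payloads out of an ike-scan aggressive mode result line, labels the three known Cisco VIDs, and splits the unlabelled 16-byte IOS VID into its fixed prefix, the four bytes that track the responder cookie, and the rest. The sample lines are excerpts of the aggressive mode outputs above, joined onto one line each; the cookie relationship it checks is an observation from this page's samples, not documented Cisco behaviour, and the regular expressions assume ike-scan's CKY-R= and VID= output format.

```python
# Added example: parse the Vendor IDs in an ike-scan aggressive mode response and
# examine the structure of the Cisco IOS VID.  Not part of ike-scan or the original
# page; the VID/cookie relation is an observation from the samples on this page.
import re

# Known VIDs as printed by ike-scan above (hex)
KNOWN_VIDS = {
    "12f5f28c457168a9702d9fe274cc0100": "Cisco Unity",
    "afcad71368a1f1c96b8696fc77570100": "Dead Peer Detection v1.0",
    "09002689dfd6b712": "XAUTH",
}

# Constructed input: the HDR and VID fields of the aggressive mode examples above,
# one result line per IOS version, with the other payloads omitted for brevity.
SAMPLES = {
    "12.0(28c)": "192.168.124.254 Aggressive Mode Handshake returned HDR=(CKY-R=21fc9167b36b42d4) "
                 "VID=d43b367ab36a42d4f70daed26fc88a68",
    "12.1(27b)": "192.168.124.245 Aggressive Mode Handshake returned HDR=(CKY-R=0e58a94521356284) "
                 "VID=fb9f0e5821346284aa844166a7ac1e7d",
    "12.2(29)": "192.168.124.254 Aggressive Mode Handshake returned HDR=(CKY-R=70e404e616d03d80) "
                "VID=8523a3fb16d13d806a4c699b97b80f7c",
    "12.3(22)": "192.168.124.251 Aggressive Mode Handshake returned HDR=(CKY-R=929a1c551f4ea24d) "
                "VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity) "
                "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) "
                "VID=675dbb481f4fa24d97c4ed4ffb97600d VID=09002689dfd6b712 (XAUTH)",
    "12.4(13a)": "192.168.124.248 Aggressive Mode Handshake returned HDR=(CKY-R=3065132b8f83a56d) "
                 "VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity) "
                 "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) "
                 "VID=c5a2b4368f82a56dee59a8d149b94834 VID=09002689dfd6b712 (XAUTH)",
    "15.0(1)M": "192.168.227.150 Aggressive Mode Handshake returned HDR=(CKY-R=fb0d4ed48b067f10) "
                "VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity) "
                "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) "
                "VID=0ecae9c98b077f104bd0a338c2dd3d1d VID=09002689dfd6b712 (XAUTH)",
}


def parse_response(line):
    """Responder cookie (hex) and the list of VID payloads (hex) from one result line."""
    match = re.search(r"CKY-R=([0-9a-f]{16})", line)
    if match is None:
        raise ValueError("no responder cookie in line")
    return match.group(1), re.findall(r"VID=([0-9a-f]+)", line)


def classify_vids(vids):
    """Name each VID; a 16-byte VID absent from the table is taken to be the Cisco IOS VID."""
    return [(vid, KNOWN_VIDS.get(vid, "Cisco IOS VID" if len(vid) == 32 else "unknown"))
            for vid in vids]


def ios_vid_structure(cky_r, vid):
    """Split the IOS VID into a 4-byte prefix, the 4 bytes that track CKY-R and the
    8-byte tail, and XOR the middle with the last 4 bytes of the cookie.  On every
    sample on this page the XOR is 0x00010000: one bit differs."""
    if len(vid) != 32:
        raise ValueError("the Cisco IOS VID is 16 bytes long")
    prefix, middle, tail = vid[:8], vid[8:16], vid[16:]
    cookie_tail = cky_r[8:]
    return {"prefix": prefix, "middle": middle, "tail": tail, "cookie_tail": cookie_tail,
            "xor_with_cookie": int(middle, 16) ^ int(cookie_tail, 16)}


def ios_vid_from_line(line):
    """Structure of the IOS VID in one result line, or None if the line has none."""
    cky_r, vids = parse_response(line)
    ios_vids = [vid for vid, name in classify_vids(vids) if name == "Cisco IOS VID"]
    return ios_vid_structure(cky_r, ios_vids[0]) if ios_vids else None


if __name__ == "__main__":
    for version, line in SAMPLES.items():
        info = ios_vid_from_line(line)
        print(f"{version:10} prefix={info['prefix']} vid[4:8]={info['middle']} "
              f"cky[4:8]={info['cookie_tail']} xor={info['xor_with_cookie']:#010x}")
```

For fingerprinting purposes the useful part is the classification: an aggressive mode response carrying a single unknown 16-byte VID is consistent with IOS 12.0 to 12.2, while Cisco Unity, DPD and XAUTH alongside it point at 12.3 or later. Because the PIX returns the same kind of VID, the result has to be combined with the backoff pattern and the version-specific behaviour described elsewhere on this page.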
Authentication Methods
Cisco IOS supports three authentication methods: Pre-Shared Key, RSA Signature and RSA Encryption. The example below shows these three options on IOS 12.0(28c):
cisco#configure terminal
cisco(config)#crypto isakmp policy 10
cisco(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature
If no authentication method is specified, then RSA Signature is the default.
RSA Encryption (authentication with public key encryption, defined in RFC 2409 alongside signatures and pre-shared keys) is a standard authentication method, but it is not often implemented by other vendors.
Whatever authentication method is configured, if Cisco IOS is not able to authenticate the peer then it will not accept the transform and will return NO-PROPOSAL-CHOSEN. This means that for Pre-Shared Key authentication there needs to be a configuration entry which specifies a key for the IP address that the request will be sent from, for example:
crypto isakmp key abc123 address 192.168.124.7
On later versions of IOS (12.2 for example), it is possible to specify a subnet mask in addition to an address, so you can create a PSK entry that will match any host. Such a wildcard entry means the key lookup succeeds for every source address, so the pre-shared key check no longer limits who can complete the first exchange:
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
ISAKMP SA Lifetime
Lifetime in Seconds
Cisco IOS 12.3 will accept any lifetime in seconds between 1 and the maximum value that can be represented in 32 bits (0xFFFFFFFF). If no lifetime is specified, it responds with a default lifetime of 0x00015180 (86,400 seconds or 24 hours). If a lifetime of zero is specified, it ignores it and does not include any lifetime in its response.
IOS 12.3 does not accept a lifetime sent as a variable-length (TLV) attribute whose value is not exactly four bytes long, even if the value itself would otherwise be acceptable: the eight-byte value of 1 in the last example below is silently dropped and the response carries no lifetime at all, just as for a lifetime of zero. Lifetimes that fit in the two-byte basic attribute form, such as 1 and 123, are accepted and echoed in that form.
$ ike-scan -M --lifetime=none --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55e9ee2137)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00015180)

$ ike-scan -M --lifetime=0 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55ddbb5a61)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK)

$ ike-scan -M --lifetime=1 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c552df560e7)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=1)

$ ike-scan -M --lifetime=0xffffffff --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c556f8f52be)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0xffffffff)

$ ike-scan -M --lifetime=0x0000000000000001 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55be980d59)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK)
Lifetime in Kilobytes
Cisco IOS 12.3 does not accept any lifetime in kilobytes, whatever the value. It will respond with NO-PROPOSAL-CHOSEN if one is included in the initiator's transform.
$ ike-scan -M --lifetime=none --lifesize=0 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=929a1c5553f116a0)

$ ike-scan -M --lifetime=none --lifesize=1 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=929a1c55b7801079)

$ ike-scan -M --lifetime=none --lifesize=1000 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=929a1c55dde7add6)
Transform Attribute ordering and re-writing
Cisco IOS 12.3 always returns the transform attributes in the order Enc [, Key Length], Hash, Group, Auth, Lifetime in Seconds, irrespective of the order in which the initiator sent them.
It always includes a lifetime in seconds in its response transform, even if the initiator did not include one in its transform; when none was offered, the value is the 86,400 second default, sent as a four-byte attribute (LifeDuration(4)=0x00015180 in the examples below).
Here are examples from a Cisco 2621 running IOS 12.3(22) that illustrate this behaviour. In the first example, we send the attributes in the order Enc, Hash, Auth, Group, and in the second we use the order Group, Auth, Hash, Enc. In both cases we observe that the Cisco returns the attributes in the order Enc, Hash, Group, Auth, Lifetime in Seconds.
$ ike-scan -M --trans="(1=1,2=1,3=1,4=1)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55a67f96de)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00015180)

$ ike-scan -M --trans="(4=1,3=1,2=1,1=1)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55ee031f56)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00015180)
Here is an example with a lifetime in seconds included in the initiator's transform.
$ ike-scan -M --trans="(11=1,12=123,4=1,3=1,2=1,1=1)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55368dce1c)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=123)
Here is an example with a variable length encryption algorithm (AES) that includes the key length attribute; note that the key length is returned immediately after the encryption algorithm.
$ ike-scan -M --trans="(14=128,11=1,12=123,4=1,3=1,2=1,1=7)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c551c851cf3)
    SA=(Enc=AES KeyLength=128 Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=123)
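The following Python, added here as an example (it is not Cisco's code, nor part of ike-scan or of the original page), encodes and decodes ISAKMP data attributes in the basic (TV) and variable-length (TLV) forms of RFC 2408 and then models the IOS 12.3 behaviour recorded in the ISAKMP SA Lifetime section and in this section: a kilobyte lifetime is refused, a zero lifetime or a TLV lifetime that is not four bytes wide is dropped from the reply, a missing lifetime is answered with the 86,400 second default, and the attributes come back in the order Enc, KeyLength, Hash, Group, Auth, LifeType, LifeDuration. The model covers only the cases the examples on this page show; it is not a general IOS emulator. The show() function mirrors ike-scan's LifeDuration(4)=0x... notation for TLV values, with numeric rather than named values for the other attributes.

```python
# Added example (not from the page, ike-scan or Cisco): ISAKMP attribute encoding
# plus a model of the IOS 12.3 lifetime handling and attribute re-ordering described above.
import struct

# IKE phase-1 attribute types and values (RFC 2409 Appendix A)
ENC, HASH, AUTH, GROUP, LIFE_TYPE, LIFE_DURATION, KEY_LENGTH = 1, 2, 3, 4, 11, 12, 14
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2
DEFAULT_LIFETIME = 0x00015180   # 86,400 s: what IOS 12.3 answers when no lifetime is offered
# Order in which IOS 12.3 returns attributes, whatever order the initiator used
IOS_ORDER = (ENC, KEY_LENGTH, HASH, GROUP, AUTH, LIFE_TYPE, LIFE_DURATION)


def encode_attr(atype, value, width=None):
    """Encode one data attribute (RFC 2408 section 3.3).

    width=None gives the basic TV form (AF bit set, 2-byte value).  An explicit
    width gives the TLV form with a value of exactly that many bytes, which is how
    an initiator sends 0xffffffff (4 bytes) or ike-scan's 8-byte --lifetime value."""
    if width is None:
        if not 0 <= value <= 0xFFFF:
            raise ValueError("the TV form carries at most 16 bits")
        return struct.pack("!HH", 0x8000 | atype, value)
    return struct.pack("!HH", atype, width) + value.to_bytes(width, "big")


def decode_attrs(data):
    """Parse a run of attributes into (type, value, width) tuples; width is None for TV."""
    attrs, offset = [], 0
    while offset < len(data):
        header, arg = struct.unpack_from("!HH", data, offset)
        offset += 4
        if header & 0x8000:                       # TV: arg is the value
            attrs.append((header & 0x7FFF, arg, None))
        else:                                     # TLV: arg is the value length
            if offset + arg > len(data):
                raise ValueError("truncated TLV attribute")
            attrs.append((header, int.from_bytes(data[offset:offset + arg], "big"), arg))
            offset += arg
    return attrs


def ios_reply(offer):
    """Attributes IOS 12.3 sends back for an offered transform, or None for
    NO-PROPOSAL-CHOSEN.  Only the behaviour observed on this page is modelled."""
    by_type = {atype: (value, width) for atype, value, width in offer}
    if by_type.get(LIFE_TYPE, (LIFE_SECONDS, None))[0] == LIFE_KILOBYTES:
        return None                               # any kilobyte lifetime is refused
    reply = {t: vw for t, vw in by_type.items() if t not in (LIFE_TYPE, LIFE_DURATION)}
    if LIFE_DURATION not in by_type:              # nothing offered: 4-byte default
        reply[LIFE_TYPE] = (LIFE_SECONDS, None)
        reply[LIFE_DURATION] = (DEFAULT_LIFETIME, 4)
    else:
        duration, width = by_type[LIFE_DURATION]
        if duration != 0 and width in (None, 4):  # zero, or a TLV not 4 bytes wide, is dropped
            reply[LIFE_TYPE] = (LIFE_SECONDS, None)
            reply[LIFE_DURATION] = (duration, width)
    return [(t, *reply[t]) for t in IOS_ORDER if t in reply]


def show(attrs):
    """Render attributes the way ike-scan prints them, e.g. LifeDuration(4)=0x00015180."""
    names = {ENC: "Enc", HASH: "Hash", AUTH: "Auth", GROUP: "Group", LIFE_TYPE: "LifeType",
             LIFE_DURATION: "LifeDuration", KEY_LENGTH: "KeyLength"}
    return " ".join(f"{names[t]}={v}" if w is None else f"{names[t]}({w})=0x{v:0{2 * w}x}"
                    for t, v, w in attrs)


if __name__ == "__main__":
    # The --trans="(4=1,3=1,2=1,1=1)" offer above: reversed order, no lifetime
    offer = b"".join(encode_attr(t, 1) for t in (GROUP, AUTH, HASH, ENC))
    print(show(ios_reply(decode_attrs(offer))))
    # A kilobyte lifetime, which IOS answers with NO-PROPOSAL-CHOSEN
    offer = encode_attr(ENC, 1) + encode_attr(LIFE_TYPE, LIFE_KILOBYTES) + encode_attr(LIFE_DURATION, 1000)
    print(ios_reply(decode_attrs(offer)))
```

The encoder is the part worth keeping when testing other responders: ike-scan's --lifetime option already chooses TV for small values and TLV otherwise, but building the bytes by hand lets you send a 2-byte TLV or a 16-byte TLV and see which widths a given implementation tolerates.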
Aggressive Mode
Cisco IOS supports aggressive mode by default, but it is possible to disable it with the command crypto isakmp aggressive-mode disable. Disabling it is worth doing wherever pre-shared key authentication is in use and aggressive mode is not needed: the responder's reply, which is what ike-scan displays below, carries an authentication hash computed from the pre-shared key (the Hash(16 bytes) or Hash(20 bytes) payload in the examples), and anyone who obtains that reply can attack the key offline; ike-scan's --pskcrack option captures it for exactly that purpose. Combined with a wildcard key entry (crypto isakmp key ... address 0.0.0.0 0.0.0.0), every source address that can reach UDP port 500 receives such a reply.
Here is an example of an aggressive mode reply from a Cisco 2503 running IOS 12.0(28c). We need to specify a custom transform and Diffie-Hellman group 1 for the key exchange payload for this system.
$ ike-scan -A --timeout=5000 -r 1 --trans=1,1,1,1 --dhgroup=1 -M 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254    Aggressive Mode Handshake returned
    HDR=(CKY-R=21fc9167b36b42d4)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=d43b367ab36a42d4f70daed26fc88a68
    KeyExchange(96 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.124.254)
    Nonce(20 bytes)
    Hash(16 bytes)
Here is an example of an aggressive mode reply from a Cisco 2503 running IOS 12.2(29).
$ ike-scan -M -A -r 1 --trans=1,2,1,1 --dhgroup=1 --timeout=5000 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254    Aggressive Mode Handshake returned
    HDR=(CKY-R=00921e89d7b1f2d1)
    SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=f555b994d7b0f2d1c9e4f48ed246dd73
    KeyExchange(96 bytes)
    ID(Type=ID_IPV4_ADDR, Value=192.168.124.254)
    Nonce(20 bytes)
    Hash(20 bytes)
Response to Noncompliant and Malformed Packets
The responses below are from IOS 12.3(22) unless noted otherwise.
No Acceptable Transforms
$ ike-scan -M --trans=5,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=929a1c55197d4f94)
Bad IKE version
IOS ignores bad IKE versions in the ISAKMP header, and always returns the correct version (0x10) in the ISAKMP header of the response packet.
$ ike-scan -M --headerver=0x30 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c5500036bdc)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

$ ike-scan -M --headerver=0x11 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55e7665ba9)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
Invalid DOI
Cisco IOS doesn't respond to the initiator for an invalid DOI.
$ ike-scan -M --doi=2 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
However, it does log the event:
01:57:45: ISAKMP (0:9): processing SA payload. message ID = 0
01:57:45: %CRYPTO-6-IKMP_BAD_DOI_SA: DOI value 2 from SA offer from 192.168.124.7 is invalid
Invalid Situation
$ ike-scan -M --situation=2 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55022890be)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
Invalid Initiator Cookie
$ ike-scan -M --cookie=0000000000000000 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c550bf78bdf)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
Invalid Flags
Cisco IOS doesn't respond to the initiator for invalid flags. It doesn't log anything either.
$ ike-scan -M --hdrflags=255 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
Invalid Protocol
Cisco IOS doesn't respond to the initiator for invalid protocol. It doesn't log anything either.
$ ike-scan -M --protocol=2 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 0.557 seconds (1.79 hosts/sec).  0 returned handshake; 0 returned notify
Invalid SPI
$ ike-scan -M --spisize=32 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c5582119402)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
Non-Zero Reserved Fields
Cisco IOS doesn't respond to the initiator for Non-Zero reserved fields.
$ ike-scan -M --mbz=255 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
However, it does log the event:
03:48:19: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.124.7 failed its sanity check or is malformed
NAT Traversal
NAT traversal support was added in IOS 12.2(13)T. Prior versions don't support NAT Traversal, and will not respond to NAT-T encapsulated requests on UDP port 4500.
IOS versions 12.3 and later support NAT Traversal by default, and will respond to a NAT Traversal encapsulated IKE request. ike-scan's --nat-t option sends the request to UDP port 4500 with the four-byte non-ESP marker prepended to the ISAKMP header, as specified in RFC 3948. Here is an example of a NAT Traversal response from a Cisco 2621 running IOS 12.3(22):
$ ike-scan -M --nat-t 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c5517d11ec7)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
IKEv2
Cisco IOS does not support IKEv2 in releases up to and including 15.0; the version history above records IKEv2 support being added in 15.1. The IKEv2 behaviour of 15.1 and later has not been tested for this page.
Remote Access VPN Client
Other Interesting Behaviour
Responder Cookie
The first four bytes (eight hex digits) of the responder cookie from IOS are fixed for a given router, IOS version and testing IP address; only the last four bytes vary between exchanges, so the cookie carries at most 32 bits of unpredictability rather than the 64 bits its length suggests. This is similar to Cisco PIX.
The example below illustrates this behaviour on a Cisco 2503 running IOS 12.0(28c):
$ perl -e 'print "192.168.124.254\n" x 5' | ike-scan --interval=5s --timeout=5000 -r 1 --trans=1,1,1,1 -M -f -
Starting ike-scan 1.9 with 5 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254    Main Mode Handshake returned
    HDR=(CKY-R=21fc91675c65d72d)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254    Main Mode Handshake returned
    HDR=(CKY-R=21fc91671181409c)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254    Main Mode Handshake returned
    HDR=(CKY-R=21fc9167a365f1a1)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254    Main Mode Handshake returned
    HDR=(CKY-R=21fc9167d613b809)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254    Main Mode Handshake returned
    HDR=(CKY-R=21fc9167f3ea16d0)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
Here is another example from a Cisco 2621 running IOS 12.3(22):
$ perl -e 'print "192.168.124.251\n" x 5' | ike-scan --trans=1,1,1,1 -M -f -
Starting ike-scan 1.9 with 5 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c55863b71e1)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c554b7c5693)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c5517342b76)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c550dbb4ec3)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251    Main Mode Handshake returned
    HDR=(CKY-R=929a1c554706389f)
    SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
Here is an example from a Cisco 1721 running IOS 12.4(13a):
$ perl -e 'print "192.168.124.248\n" x 5' | ike-scan --trans=5,1,1,2 -M -f -
Starting ike-scan 1.9.1 with 5 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.248    Main Mode Handshake returned
    HDR=(CKY-R=3065132bbf50c276)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248    Main Mode Handshake returned
    HDR=(CKY-R=3065132b8d61eed9)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248    Main Mode Handshake returned
    HDR=(CKY-R=3065132b539e7e62)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248    Main Mode Handshake returned
    HDR=(CKY-R=3065132bf4849fc0)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248    Main Mode Handshake returned
    HDR=(CKY-R=3065132b905bf774)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
Default Configuration
IOS has a default IKE Phase-1 policy, which is assigned policy number 65535. This default policy is: Enc=DES, Hash=SHA1, Auth=RSA_Sig, Group=1. The example below shows the default policy on a Cisco 2503 running IOS 12.0(28c) with no explicit policy defined.
cisco#show crypto isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Generally the user will define an IKE Phase-1 policy with the crypto isakmp policy command line configuration. In the example below, we define an acceptable policy of Enc=DES, Hash=MD5, Auth=PSK, Group=1. Note that any unspecified attributes (in this case Enc and Group) will remain at the default values.
crypto isakmp policy 10
 hash md5
 authentication pre-share
Each policy is matched in increasing numerical order, with the default policy always being last. After we have added policy number 10, the show crypto isakmp policy command shows:
cisco#show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
From IOS 12.4(20)T, any specific isakmp policy will disable the default policy. Prior to this version there was no way to disable or change the default policy.
If we send an unsupported transform of Enc=3DES, Hash=SHA1, Auth=PSK, Group=2 with the following ike-scan command we obtain the IKE debug output shown below, which shows how the Cisco matches against each policy in turn.
$ ike-scan --timeout=5000 -r 1 --trans=5,2,1,2 -M 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=21fc9167fa299c4f)
*Mar 1 00:28:24.051: ISAKMP (0): received packet from 192.168.124.7 (N) NEW SA
*Mar 1 00:28:24.059: ISAKMP (11): processing SA payload. message ID = 0
*Mar 1 00:28:24.063: ISAKMP (11): Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 00:28:24.063: ISAKMP:      encryption 3DES-CBC
*Mar 1 00:28:24.067: ISAKMP:      hash SHA
*Mar 1 00:28:24.067: ISAKMP:      auth pre-share
*Mar 1 00:28:24.067: ISAKMP:      default group 2
*Mar 1 00:28:24.071: ISAKMP:      life type in seconds
*Mar 1 00:28:24.071: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Mar 1 00:28:24.075: ISAKMP (11): atts are not acceptable. Next payload is 0
*Mar 1 00:28:24.075: ISAKMP (11): Checking ISAKMP transform 1 against priority 65535 policy
*Mar 1 00:28:24.079: ISAKMP:      encryption 3DES-CBC
*Mar 1 00:28:24.079: ISAKMP:      hash SHA
*Mar 1 00:28:24.083: ISAKMP:      auth pre-share
*Mar 1 00:28:24.083: ISAKMP:      default group 2
*Mar 1 00:28:24.083: ISAKMP:      life type in seconds
*Mar 1 00:28:24.087: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Mar 1 00:28:24.091: ISAKMP (11): atts are not acceptable. Next payload is 0
*Mar 1 00:28:24.091: ISAKMP (11): no offers accepted!
*Mar 1 00:28:24.091: ISAKMP (11): SA not acceptable!
*Mar 1 00:28:24.095: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 192.168.124.7
*Mar 1 00:28:24.099: ISAKMP (11): sending packet to 192.168.124.7 (R) MM_NO_STATE
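As an added example (not Cisco's code and not from the original page), the following Python models the two checks described on this page: the walk through the crypto isakmp policy entries in increasing priority number with the default suite 65535 tried last (or not at all, to represent 12.4(20)T and later, where any explicit policy disables the default), and the pre-shared key lookup from the Authentication Methods section, where a transform offering PSK is refused unless a crypto isakmp key entry covers the peer's source address. The trace strings echo the debug output above. The point at which IOS performs the key lookup relative to the policy walk is an assumption; the page only records that a missing key results in NO-PROPOSAL-CHOSEN.

```python
# Added example: a model of IOS ISAKMP policy selection and pre-shared key lookup.
# Not Cisco's code and not from the original page.  Where IOS performs the key
# lookup relative to the policy walk is an assumption made for this example.
import ipaddress

# Values IOS uses for any attribute a 'crypto isakmp policy' block leaves unset;
# together they are also the default protection suite, priority 65535.
DEFAULT_POLICY = {"enc": "DES", "hash": "SHA1", "auth": "RSA_Sig", "group": 1}
DEFAULT_PRIORITY = 65535


def isakmp_policy(priority, **attrs):
    """One 'crypto isakmp policy N' block; unspecified attributes keep the defaults."""
    unknown = set(attrs) - set(DEFAULT_POLICY)
    if unknown:
        raise ValueError(f"unknown policy attribute(s): {sorted(unknown)}")
    return priority, {**DEFAULT_POLICY, **attrs}


def isakmp_key(key, address, mask="255.255.255.255"):
    """One 'crypto isakmp key KEY address ADDR [MASK]' line; no mask means a single host."""
    return key, ipaddress.ip_network(f"{address}/{mask}", strict=False)


def psk_for_peer(keys, peer):
    """The first key whose address/mask covers the peer's source address, else None."""
    peer = ipaddress.ip_address(peer)
    for key, network in keys:
        if peer in network:
            return key
    return None


def select_policy(policies, keys, transform, peer, default_policy=True):
    """Walk the policies in increasing priority number, then the default suite unless
    default_policy is False (IOS 12.4(20)T and later drop it once any explicit policy
    exists).  Returns (priority, trace); priority None means NO-PROPOSAL-CHOSEN."""
    trace = []
    candidates = sorted(policies, key=lambda entry: entry[0])
    if default_policy:
        candidates.append((DEFAULT_PRIORITY, dict(DEFAULT_POLICY)))
    for priority, policy in candidates:
        trace.append(f"Checking ISAKMP transform 1 against priority {priority} policy")
        if any(policy[attr] != transform[attr] for attr in DEFAULT_POLICY):
            trace.append("atts are not acceptable")
            continue
        # Page: with PSK there must be a key entry for the peer's address, or the
        # transform is refused.  Assumed here to be checked once a policy matches.
        if transform["auth"] == "PSK" and psk_for_peer(keys, peer) is None:
            trace.append(f"no pre-shared key for {peer}")
            continue
        trace.append("atts are acceptable")
        return priority, trace
    trace.append("no offers accepted!")
    return None, trace


# The configuration used in the examples above
POLICIES = [isakmp_policy(10, hash="MD5", auth="PSK")]
KEYS = [isakmp_key("abc123", "192.168.124.7")]

if __name__ == "__main__":
    # ike-scan --trans=5,2,1,2 from 192.168.124.7: 3DES, SHA1, PSK, group 2
    offer = {"enc": "3DES", "hash": "SHA1", "auth": "PSK", "group": 2}
    priority, trace = select_policy(POLICIES, KEYS, offer, "192.168.124.7")
    print(priority)
    print("\n".join(trace))
```

The third assertion in the accompanying checks is the practical point: on IOS before 12.4(20)T the default suite (DES, SHA1, RSA signature, group 1) stays active beneath whatever is configured, so an offer of exactly that suite passes the attribute-matching stage even when every explicit policy is strong.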