Controller Based WLANs

How to avoid aggressive mode to be detected in the penetration testing

by on ‎07-03-2014 01:59 PM

 

Master-Local/master-Standby setup builds IPSEC tunnel for the communication between them. By default it uses IKEv1 and aggressive mode as the first exchange. Detection of aggressive mode is considered as security flaw in the penetration testing. In order to avoid it we can delete the below statement from the controller.

 

rtaImage.png

 

If IKE default shared key is defined pen test detects aggressive mode.( Advance Services >> VPN Services >> IPSEC >> IKE Shared Secret )

While running a pen test which is available on the web

With Key
 
[root@localhost ike-scan-1.9]# ike-scan -A 10.17.32.248
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
10.17.32.248    Aggressive Mode Handshake returned HDR=(CKY-R=b2864bc1d8e9742d) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080) VID=4485152d18b6bbcd0be8a8469579ddcc (draft-ietf-ipsec-nat-t-ike-00) VID=90cb80913ebb696e086381b5ec427b1f (draft-ietf-ipsec-nat-t-ike-02\n) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) KeyExchange(128 bytes) Nonce(20 bytes) ID(Type=ID_IPV4_ADDR, Value=10.17.32.248) Hash(20 bytes)
 
Ending ike-scan 1.9: 1 hosts scanned in 0.196 seconds (5.11 hosts/sec).  1 returned handshake; 0 returned notify
 
 
Without key
 
[root@localhost ike-scan-1.9]# ike-scan -A 10.17.32.248
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
 
Ending ike-scan 1.9: 1 hosts scanned in 2.439 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
[root@localhost ike-scan-1.9]#

Comments
pgemme

Is there any chance that VIA uses this shared secret? I've removed this line, passed our security team scan, and now I'm struggling with my Mac VIA client immediately disconnecting.

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.