Blocking IKEv1 traffic to VPN router

Started by config t, July 16, 2020, 07:14:30 AM

Previous topic - Next topic

config t

I have an old 3945 sitting in a DMZ that provides Flex-VPN to remote flyaway kits. These flyaway kits are small PACSTAR enclosures running Cisco IOS.

There is a tasking to block IKEv1 requests to the VPN router but allow IKEv2 and ISAKMP, with he potential that this tasking will also be to do that and block anything except the spoke routers. The problem is these flyaway kits connect to commercial ISP (like a hotel or home router) and assign whatever is given via DHCP to their WAN interface and NAT out through the ISP, so the public IP used to build IKEv2 SAs can and will change.

From what I am finding IKEv1 and IKEv2 uses the same ports/protocols so I'm not sure yet how I can block one without blocking the other. And of course there is the problem with the changing public IPs.

Just wanted to bounce this off you guys to see if anyone has come across a similar scenario or have any ideas.

I do have a FortiGate FW at the boundary so I am also going to explore options there as well
:matrix:

Please don't mistake my experience for intelligence.

deanwebb

They do use the same protocols, IKEv2 adds extra steps...

... you *could* exploit the IKEv1 security flaws to do a MITM attack on all the sessions that sends constant TCP resets, making it useless. :problem?:

If these are going to VPNs that you guys control, I would set the VPN concentrators to only accept IKEv2.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

#2
Yeah you need something with DPI smart enough to recognise both (i.e. a real NGFW). NBARv1 probably isn't it. I can't recall whether you can upgrade ISRG2 to NBAR2 (or whether NBAR2 can do it).

I'd raise a TAC case pre-emptively framing it around getting NBAR to recognise it. At least you'll get a definitive answer on your platform and software.

Good chance the forti is capable. There's probably a Forti website where you can look up the DPI match criteria i.e. what apps it can match.

config t

I appreciate the input dean and wintermute

Quote from: deanwebb on July 16, 2020, 12:32:30 PM
If these are going to VPNs that you guys control, I would set the VPN concentrators to only accept IKEv2.

Unfortunately no VPN concentrator. The router sits on a switch connected to the forti DMZ interface. Our VPN footprint right now is very small. I only have three spoke sites landing there and pulling services.

Quote from: wintermute000 on July 17, 2020, 01:57:11 AM
Yeah you need something with DPI smart enough to recognise both (i.e. a real NGFW). NBARv1 probably isn't it. I can't recall whether you can upgrade ISRG2 to NBAR2 (or whether NBAR2 can do it).

I'd raise a TAC case pre-emptively framing it around getting NBAR to recognise it. At least you'll get a definitive answer on your platform and software.

Good chance the forti is capable. There's probably a Forti website where you can look up the DPI match criteria i.e. what apps it can match.


Forti may be the best (only) bet. After I finish a little routing and switching project I'm working on I will dig into their terrible documentation and start turning knobs on the forti to see what I can come up with.
:matrix:

Please don't mistake my experience for intelligence.

config t

I got ahold of a PCAP from the folks running the scans and they claim they were able to successfully form SAs using both IKEv1 and IKEv2.

They must be confused - yes they were able to begin the SA_INIT because we are listening on 0.0.0.0 since our spoke IPs change outside of our control - but they must not have understood the response because it failed every time.

The only weakness I can see here is that the VPN is possibly suceptible to a brute force password attack since there is no retry limit.

I am going to need them to clarify what it is exactly they want. The age old question, "What is the requirement."
:matrix:

Please don't mistake my experience for intelligence.

deanwebb

Yep. Get the specs.

And when you say failed every time, was that for all VPNs, regardless of IKE version?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Do you need to even leave IKEv1 enabled on your router? I am pretty sure you can just tell the router to only use IKEv2. I have not done an IOS IPSec tunnel in a while, but I think you can.

-Otanx

wintermute000

exactly just accept no IKEv1 proposals, the end.

config t

#8
I poked around and turned all the nerd knobs and I can't find any settings related to IKEv1 in the IOS.

Quote from: deanwebb on July 22, 2020, 10:08:35 AM
Yep. Get the specs.

And when you say failed every time, was that for all VPNs, regardless of IKE version?

Upon closer inspection it appears they were able to at least negotiate a proposal for IKEv1 (several, actually). I'm still not convinced they established an SA.

We got a message that this might be in the realm of vendor issue, so it could be off my plate.

What I find facinating about this whole event is that they have some kind of software that throws every IKEv1 and IKEv2 proposal combination possible at the router to see what sticks.
:matrix:

Please don't mistake my experience for intelligence.

Otanx

That software isn't hard. Probably doable in python with the right library. I have one that will attempt SSL handshakes with SSL3 / TLS1.0 / TLS1.1 / TLS1.2, and try each cipher by iteself, and then give me the output of what worked and what didn't. Basically my own SSL labs server test.

-Otanx

Dieselboy

I was going to suggest what otanx said - just turn off ikev1. For that youd need to remove the ikev1 phase 1 and phase 2 stuff.

Depending on how this is running at the moment you could possibly add ikev2 with cert auth. Once every device is cut over from ikev1 to the new ikev2 then the VPN devices wont be able to connect without cert auth. being successful and then you'll have blocked ikev1.  Just throwing it out there.

An easier way would be to have another VPN headend and only configure ikev2 on there and then cut the devices over to the new WAN IP. That way you wont have ikev1 and ikev2 going to the same vpn headend and once the devices have been cut over then you'll have blocked ikev1.

Remember phase 1 just happens. Phase 2 is where the security is at. I'm still a bit hazy on the ikev2 stuff, but this is my ikev2 phase 1:
crypto ikev2 proposal Azure-Prop-IKEv2
encryption aes-cbc-256 aes-cbc-128
integrity sha1 sha256
group 2


Quote from: Otanx on July 28, 2020, 06:05:27 PM
That software isn't hard. Probably doable in python with the right library. I have one that will attempt SSL handshakes with SSL3 / TLS1.0 / TLS1.1 / TLS1.2, and try each cipher by iteself, and then give me the output of what worked and what didn't. Basically my own SSL labs server test.

-Otanx


Nice... have you tried Kali linux from the Windows store? It's a linux distro that has a lot of security tools built in. I'm sure there is one that will do this for you.

config t

Here is the proposal I have configured:
crypto ikev2 proposal default
encryption aes-cbc-256
integrity sha384
group 20


I'm curious if using default group is allowing other attempts.
:matrix:

Please don't mistake my experience for intelligence.