500 | udp | ISAKMP Allows Weak IPsec Encryption Settings | Fail | High |
500 | udp | A running service was discovered | Pass | Low |
The PCI compliance test on the unit provided the following results. We tried changing IKE and IPsec encryption from 3DES to AES 256, but the results are the same. The NetVanta 1335 has 18.02.05.00.E.
Any input would be much appreciated. Here is the config:
!
!
! ADTRAN, Inc. OS version 18.02.05.00.E
! Boot ROM version
! Platform: NetVanta 1335 PoE, part number 1700525E2
! Serial number XXXXXXXXXXX
!
!
hostname "Switch"
enable password md5 encrypted 5f0851074d9924fcd2635b4e231bdc12
!
clock timezone -8
!
ip subnet-zero
ip classless
ip routing
!
!
ip domain-name "XXXXXXX"
no ip domain-lookup
ip name-server XXXXXXXXXXXX
!
!
no ip route-cache express
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
service password-encryption
!
ip policy-timeout tcp all-ports 3600
!
ip firewall
ip firewall nat-preserve-source-port record-source-address
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
aaa on
!
!
aaa authentication login LoginUseRadius group radius
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
aaa authentication port-auth default local
!
!
!
!
no dot11ap access-point-control
!
!
!
!
!
!
!
!
ip crypto
!
crypto ike client configuration pool xxxvpn
ip-range xxxxxxxxxxx xxxxxxxxxxxxxxx
dns-server xxxxxxxxxx xxxxxxxxxxxxx
netbios-name-server xxxxxxxxxxxx xxxxxxxxxxxxx
!
crypto ike policy 100
no initiate
respond main
local-id address xx.xx.xx.xx
peer any
client authentication server list LoginUseLocalUsers
client configuration pool sdnavpn
attribute 1
encryption 3des
authentication pre-share
group 2
!
crypto ike remote-id any preshared-key xxxxxxxxxxx ike-policy 100 crypto map VPN 10 no-xauth
!
crypto ipsec transform-set esp-3des-esp-sha-hmac esp-3des esp-sha-hmac
mode tunnel
!
crypto map VPN 10 ipsec-ike
match address vpnspokes
set transform-set esp-3des-esp-sha-hmac
ike-policy 100
mobile
!
qos map VOIP 10
match dscp 46
priority 1020
!
qos cos-map 1 0 1
qos cos-map 2 2 3
qos cos-map 3 4
qos cos-map 4 5 6 7
qos queue-type wrr 20 20 20 expedite
!
qos dscp-cos 0 8 16 24 32 46 48 56 to 0 1 2 3 4 5 6 7
!
!
!
!
vlan 1
name "Default"
!
vlan 10
name "VLAN0010"
!
vlan 30
name "Call Center"
!
vlan 100
name "Outside "
!
!
interface switchport 0/1
spanning-tree bpdufilter enable
spanning-tree edgeport
no shutdown
switchport access vlan 100
qos trust cos
no lldp send-and-receive
!
interface switchport 0/2
description xxxxxxx
spanning-tree edgeport
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/3
description xxxxxxxx
spanning-tree edgeport
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/4
description xxxxxxx
spanning-tree edgeport
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/5
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/6
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/7
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/8
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/9
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/10
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/11
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/12
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/13
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/14
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/15
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/16
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/17
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/18
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/19
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/20
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/21
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/22
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/23
no shutdown
qos trust cos
no lldp send-and-receive
!
interface switchport 0/24
description Outside Interface
spanning-tree bpdufilter enable
spanning-tree edgeport
no shutdown
switchport access vlan 100
no lldp send-and-receive
!
!
interface gigabit-switchport 0/1
description ShoreTel Soft Switch
no shutdown
qos trust cos
no lldp send-and-receive
!
interface gigabit-switchport 0/2
description 1224 (1) Port 25
no shutdown
qos trust cos
no lldp send-and-receive
!
!
!
interface vlan 1
description INSIDE INTERFACE
ip address xx.xx.xx.xx 255.255.252.0
ip access-policy Private
no ip route-cache express
no shutdown
!
interface vlan 100
ip address xx.xx.xx.xx 255.255.255.252
ip address range xx.xx.xx.xx xx.xx.xx.xx 255.255.255.224 secondary
ip access-policy Public
crypto map VPN
traffic-shape rate 10000000
qos-policy out VOIP
no ip route-cache express
no shutdown
!
!
!
!
!
!
ip access-list extended vpnspokes
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
permit ip 192.168.xx.0 0.0.15.255 192.168.xx.0 0.0.0.255
!
!
ip policy-class Private
allow list vpnspokes stateless
allow list self self
nat source list allowtcp25 interface vlan 100 overload
discard list blocktcp25
nat source list wizard-ics interface vlan 100 overload
!
ip policy-class Public
allow reverse list vpnspokes stateless
!
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
no tftp server
no tftp server overwrite
no ip http server
ip http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
ip sntp server
!
!
!
!
!
!
!
!
!
!
ip sip udp 5060
ip sip tcp 5060
!
!
!
!
!
!
!
!
!
ip sip proxy grammar contact outbound-server-reference host domain
!
!
!
!
!
!
!
!
!
!
line con 0
line-timeout 5
!
line telnet 0 4
password encrypted xxxxxxx
shutdown
line ssh 0 4
login authentication LoginUseLocalUsers
line-timeout 2
no shutdown
!
sntp server 0.us.pool.ntp.org
!
!
!
!
!
!
end
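Added example, not code from the thread or from ADTRAN: a small Python audit that walks an AOS-style config text and flags the settings a PCI scanner is likely to count under "weak IPsec encryption settings" (3DES, DH group 1 or 2, a single preshared key accepted for remote-id any, a non-main-mode response). It runs on a constructed excerpt of the posted config and on a hardened counterpart whose keyword spellings (aes-256-cbc, group 14, esp-aes-256-cbc) are assumptions about AOS syntax.

```python
# Constructed excerpt mirroring the posted NetVanta IKE/IPsec section.
POSTED_EXCERPT = """\
crypto ike policy 100
  respond main
  attribute 1
    encryption 3des
    authentication pre-share
    group 2
crypto ike remote-id any preshared-key xxxxxxxxxxx ike-policy 100 crypto map VPN 10 no-xauth
crypto ipsec transform-set esp-3des-esp-sha-hmac esp-3des esp-sha-hmac
"""
# Constructed hardened counterpart; keyword spellings are assumed AOS syntax.
HARDENED_EXCERPT = """\
crypto ike policy 100
  respond main
  attribute 1
    encryption aes-256-cbc
    authentication pre-share
    group 14
crypto ike remote-id address 203.0.113.10 preshared-key xxxxxxxxxxx ike-policy 100 crypto map VPN 10 no-xauth
crypto ipsec transform-set esp-aes-256-esp-sha esp-aes-256-cbc esp-sha-hmac
"""

WEAK_IKE_ENC = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2"}  # 768/1024-bit MODP; many scanners also flag group 5
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def audit_ike_ipsec(config: str) -> list:
    """Return one finding per weak IKE/IPsec setting in an AOS-style config text."""
    findings = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 2 or t[0] == "!":
            continue
        if t[0] == "encryption" and t[1] in WEAK_IKE_ENC:
            findings.append(f"ike: encryption {t[1]} is weak")
        elif t[0] == "group" and t[1] in WEAK_DH_GROUPS:
            findings.append(f"ike: DH group {t[1]} is weak")
        elif t[0] == "respond" and t[1] != "main":
            findings.append(f"ike: responds to {t[1]} mode, not main mode only")
        elif t[:3] == ["crypto", "ike", "remote-id"] and len(t) > 3 \
                and t[3] == "any" and "preshared-key" in t:
            findings.append("ike: one preshared key accepted for any remote-id (no per-peer identity)")
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            # tokens after the set name are the ESP transforms themselves
            findings += [f"ipsec: {a} is weak" for a in t[4:] if a in WEAK_ESP]
    return findings
```

Running `audit_ike_ipsec` over a full `show running-config` capture gives a checklist to hand back to the scanning firm alongside the change you made.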
Interesting, because AES-256 IPSec seems to be the go-to standard when you need to meet PCI (or HIPAA or other strict privacy compliance). Are you certain the test was run during the time you had AES 256 in place? Could the report have merely indicated potential risk (given a less-secure configuration), though your AES-256 implementation is not a cause for concern?
CJ
Did you also try changing from preshared-key to 'authentication rsa-sig' for IKE and specifying remote-id as asn1-dn? You will need to set up SSL certificates for this.
PS. If you use OpenSSL to generate them, make sure that it is version 1.0.1g, or that it has been patched for the Heartbleed bug, or that otherwise it is compiled with the heartbeat flag disabled.
We ran the tests while the encryption was set to AES 256 and it didn't make a difference in the results. I am not sure what else I can look for.
I don't suppose the firm performing the security audit could tell you what they'd like to see changed or what they consider to be an acceptable configuration?
Hi kts_user,
I'm no PCI expert, but I understand that one of its controls involves unique IDs for each user. In your setup any remote end point could be allowed to connect. Unlike SSL certificates, the preshared key is not a unique authentication method, as it is shared by all client machines and potentially users. So, I'm thinking, the PCI Access Control Measure may be flagging this up.
--
Regards,
Mick
There are quite a few remote users connecting to this unit, so I cannot make any changes during the day, but I can try changing the "remote-id any" after hours. The weird thing is that the unit passed the PCI test for the past 4 years.
kts_user wrote:
500 | udp | ISAKMP Allows Weak IPsec Encryption Settings | Fail | High |
500 | udp | A running service was discovered | Pass | Low |
The PCI compliance test on the unit provided the following results. We tried changing IKE and IPsec encryption from 3DES to AES 256, but the results are the same. The NetVanta 1335 has 18.02.05.00.E.
Any input would be much appreciated.
I would ask the auditing firm for a more specific reason. "Weak IPsec Encryption Settings" is a bit vague. AES/SHA or 3DES/SHA should be acceptable. Unless your PSK is something like "password" or they now require certificates, I'm not sure what the issue is here.
Hi,
We also have a 1335 and we also have to be PCI compliant.
First of all, in our experience PCI compliance auditing firms are very unprofessional. We had the opposite problem; on one occasion we were being requested to downgrade to a less secure configuration because the auditors would not understand that our configuration was both compliant and superior. On many occasions we have gone through a lot of effort to convince them they are wrong. (Not that I recommend that, it might be a bad idea; I am only sharing my experience.)
Now, back to the point, I can confirm we use the same configuration as you, and also have a similar setup to communicate with an external (and PCI compliant) card processor and also a bank. It occurs to me that they might be (mis?)interpreting Requirement 4 (see Testing procedure 4.1.d) to mean you need certificates (it does not specify if they are only for SSL/TLS), and they now have a test for it.
Please share your experience after you solve the issue.
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor