In Raxis penetration tests, we often discover IKE VPNs that allow Aggressive Mode handshakes, even though this vulnerability was identified more than 16 years ago in 2002.In this post we’ll look at why Aggressive Mode continues to be a vulnerability, how it can be exploited, and how network administrators can mitigate this risk to protect their networks and remediate this finding on their penetration tests.

What is an IKE VPN?

Before we get into the security details, here are a few definitions:

Virtual Private Network (VPN) is a network used to securely connect remote users to a private, internal network.

Internet Protocol Security (IPSec) is a standard protocol used for VPN security.

Security Association (SA ) is a security policy between entities to define communication. This relationship between the entities is represented by a key.

Internet Key Exchange (IKE) is an automatic process that negotiates an agreed IPSec Security Association between a remote user and a VPN.

The IKE protocol ensures security for SA communication without the pre-configuration that would otherwise be required. This protocol used by a majority of VPNs including those manufactured by Cisco, Microsoft, Palo Alto, SonicWALL, WatchGuard, and Juniper. The IKE negotiation usually runs on UDP port 500 and can be detected by vulnerability scans.There are two versions of the IKE protocol:

IKEv2 was introduced in 2005 and can only be used with route-based VPNs.

IKEv1 was introduced in 1998 and continues to be used in situations where IKEv2 would not be feasible.

Pre-Shared Keys (PSK)

Many IKE VPNs use a pre-shared key (PSK) for authentication. The same PSK must be configured on every IPSec peer. The peers authenticate by computing and sending a keyed hash of data that includes the PSK. When the receiving peer (the VPN) is able to create the same hash independently using the PSK it has, confirming that the initiator (the client) has the same PSK, it authenticates the initiating peer.

While PSKs are easy to configure, every peer must have the same PSK, weakening security.

VPNs often offer other options that increase security but also increase the difficulty of client configuration.

RSA signatures are more secure because they use a Certificate Authority (CA) to generate a unique digital certificate. These certificates are used much like PSKs, but the peers’ RSA signatures are unique.

RSA encryption uses public and private keys on all peers so that each side of the transaction can deny the exchange if the encryption does not match.

Cisco goes into details on these options in their VPN and VPN Technologies article.

Aggressive Mode vs. Main Mode

In this post, we are discussing the first phase of IKEv1 transmissions. IKEv1 has two phases:

Establish a secure communications channel. This is initiated by the client, and the VPN responds to the method the client requested based on the methods its configuration allows. Use the previously established channel to encrypt and transport data. All communication at this point is expected to be secure based on the authentication that occurred in the first phase. This phase is referred to as Quick Mode.

There are two methods of key exchange available for use in the first IKEv1 phase:

Main Mode uses a six-way handshake where parameters are exchanged in multiple rounds with encrypted authentication information. Aggressive Mode uses a three-way handshake where the VPN sends the hashed PSK to the client in a single unencrypted message. This is the method usually used for remote access VPNs or in situations where both peers have dynamic external IP addresses.

The vulnerability we discuss in this article applies to weaknesses in Aggressive Mode. While Aggressive Mode is faster than Main Mode, it is less secure because it reveals the unencrypted authentication hash (the PSK). Aggressive Mode is used more often because Main Mode has the added complexity of requiring clients connecting to the VPN to have static IP addresses or to have certificates installed.

Exploiting Aggressive Mode