-2

I am working on a client's PCI compliance. One of the failing items is:

3.1.5. ISAKMP Allows Weak IPsec Encryption Settings (ipsecweakencryptionsettings)

The solution given is: "Modify the ISAKMP settings to only allow secure encryption algorithms to be negotiated."

Can someone please give something a little more detailed on how I might fix this issue?

OS is SBS2011, with Exchange 2010, IIS 7.5

Aegyptus
  • 47
  • 1
  • 5
  • Are you using your server as a VPN end point? What did you find when you searched for this on Google? What part of what you found didn't you understand? It is important that you expend some effort on your own doing your homework before you ask a question so you can ask a question that is actually useful. – Zoredache Jul 30 '12 at 23:21
  • Not using the VPN, though it looks like the router's VPN (Ipsec specifically) settings are the issue. Sorry if it looks like I didn't do any homework, but I have been going over a PCI scan failure list as long as my arm for the last 5 hours, researching and resolving items. So ya, I was kinda looking for a few easy answers at the end of the day. Thanks! – Aegyptus Jul 30 '12 at 23:48
  • If you are the one running the compliance scan (audit) why are you the one to fix the issue also? –  Jan 21 '15 at 00:08

3 Answers

1

You fix this by going to the device or server that serves up your VPN tunnel and "[modifying] the ISAKMP settings to only allow secure encryption algorithms to be negotiated." It probably allows weaker encryption options to be used for legacy support, so you turn that off. It's really starting to sound like you're way out of your depth with this client, honestly.

Not that I want to sound like too much of a dick or parrot back the question information at you, but it's really as simple as changing the settings on your VPN tunnel to enforce stronger crypto (more modern algorithms and/or longer key lengths). This might even be as simple as disabling support for DES, which is a common standard from many years ago, that's incredibly insecure now.

It doesn't seem like this would be found on your SBS/Exchange server (though I've seen stranger things), and I'd suggest looking at the routing gear first, in particular, any firewall or edge equipment that might be being used as the connection point for VPN users, where the VPN tunnel would be negotiated.

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
1

Try disabling isakmp aggressive-mode. Aggressive mode is faster than main mode but is less secure since it only passes 3 authentication packets. It is generally recommended to use main mode instead of aggressive mode. If aggressive mode must be used for performance issues, for example, use Public Key Encryption authentication.

David P
  • 11
  • 1
-1

Disable DES and MD5

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255
Tim
  • 11
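The three answers between them name the settings a PCI scan is complaining about: DES for encryption, MD5 for integrity, and aggressive mode for the Phase 1 exchange. The script below is an added example (not from this thread or any vendor) that checks a list of ISAKMP/IKEv1 Phase 1 proposals against that policy and says which proposals to remove. The proposal representation and the sample proposals are constructed for the example; a real firewall or router expresses the same fields in its own syntax, so you would transcribe its configured policies into `IkeProposal` records first. It goes a little beyond the thread by also warning on 3DES, SHA-1 and DH group 2, which pass many scans but are deprecated.

```python
"""Check IKEv1 (ISAKMP) Phase 1 proposals for weak settings.

Added example, not code from the Server Fault thread or from any
device vendor. The IkeProposal layout is a constructed, vendor-neutral
form of the fields every IKE implementation exposes.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    """One Phase 1 proposal as it would be transcribed from a device config."""
    name: str
    encryption: str      # "des", "3des", "aes-128", "aes-256", ...
    hash: str            # "md5", "sha1", "sha256", ...
    dh_group: int        # Diffie-Hellman group: 1 = 768-bit MODP, 2 = 1024-bit, 14 = 2048-bit
    mode: str = "main"   # "main" or "aggressive"


# Settings the thread says to disable; a PCI-style scan flags these outright.
FAIL_ENCRYPTION = {"des"}
FAIL_HASH = {"md5"}
FAIL_DH_GROUPS = {1}
FAIL_MODES = {"aggressive"}

# Deprecated settings that many scans still accept; worth a warning on their own.
WARN_ENCRYPTION = {"3des"}
WARN_HASH = {"sha1"}
WARN_DH_GROUPS = {2}


def evaluate(p: IkeProposal) -> list:
    """Return (severity, reason) findings for one proposal; an empty list means clean."""
    findings = []
    enc, h, mode = p.encryption.lower(), p.hash.lower(), p.mode.lower()
    if enc in FAIL_ENCRYPTION:
        findings.append(("FAIL", f"encryption {enc}: 56-bit key, brute-forceable"))
    elif enc in WARN_ENCRYPTION:
        findings.append(("WARN", f"encryption {enc}: 64-bit block cipher, deprecated"))
    if h in FAIL_HASH:
        findings.append(("FAIL", f"hash {h}: broken, not acceptable for IKE integrity"))
    elif h in WARN_HASH:
        findings.append(("WARN", f"hash {h}: deprecated, prefer sha256 or stronger"))
    if p.dh_group in FAIL_DH_GROUPS:
        findings.append(("FAIL", f"DH group {p.dh_group}: 768-bit modulus, too small"))
    elif p.dh_group in WARN_DH_GROUPS:
        findings.append(("WARN", f"DH group {p.dh_group}: 1024-bit modulus, prefer group 14 or higher"))
    if mode in FAIL_MODES:
        # Aggressive mode sends peer identity and the responder's hash before
        # the exchange is encrypted, which is why David P's answer says to avoid it.
        findings.append(("FAIL", "aggressive mode: identity and PSK-derived hash sent in the clear"))
    return findings


def classify(p: IkeProposal) -> str:
    """Collapse findings to one of "fail", "warn" or "ok"."""
    severities = {sev for sev, _ in evaluate(p)}
    if "FAIL" in severities:
        return "fail"
    return "warn" if "WARN" in severities else "ok"


def harden(proposals: list) -> list:
    """Drop every proposal with a FAIL finding; what remains is the policy to keep."""
    return [p for p in proposals if classify(p) != "fail"]


def report(proposals: list) -> str:
    """Human-readable table of findings, one line per finding (or per clean proposal)."""
    lines = []
    for p in proposals:
        for sev, reason in evaluate(p) or [("OK", "no findings")]:
            lines.append(f"{p.name:18} {sev:4} {reason}")
    return "\n".join(lines)


# Constructed sample: the kind of proposal list a legacy-friendly VPN endpoint carries.
SAMPLE_PROPOSALS = [
    IkeProposal("legacy-des-md5", "des", "md5", 1),
    IkeProposal("3des-sha1-aggr", "3des", "sha1", 2, mode="aggressive"),
    IkeProposal("aes256-sha256-g14", "aes-256", "sha256", 14),
]

if __name__ == "__main__":
    print(report(SAMPLE_PROPOSALS))
    print("keep:", [p.name for p in harden(SAMPLE_PROPOSALS)])
```

Run it on the transcribed proposals of the device that actually terminates the tunnel (the answers above point at the firewall or router rather than the SBS box). Anything classified `fail` is what the scanner is objecting to; if `harden()` leaves you with no proposals, add one such as the AES-256/SHA-256/group 14 entry in the sample before removing the weak ones, so existing peers can renegotiate.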