Cisco IOS

From royhills
Jump to: navigation, search

Platform Notes

Cisco IOS runs on Cisco routers. It is relatively rare to see IOS used for IPsec; people tend to use PIX or VPN Concentrator instead. However, it can run IPsec providing it has a software feature set that supports it.

Cisco IOS images are available in different feature sets, which determine the features that the image supports. Not all feature sets support IPsec.

For those feature sets that do support IPsec, IKE is also supported, and is enabled by default. It can be disabled with the command no crypto isakmp enable. Unlike Cisco PIX, it is not possible to define which interfaces IKE will respond on - if it is enabled, then it is enabled on all interfaces.

Version History

Version Release Date Notes
11.2 Oct 1996 Cisco CET VPN support added
11.3 Dec 1997 IPsec support added
12.0 Sep 1998
12.1 Apr 2000
12.2 May 2001 CET support removed
12.3 May 2003 NAT Traversal and AES Encryption added in 12.2(13)T
12.4 May 2005 ESP SEAL encryption added in 12.3(7)T. Call Admission Control for IKE added in 12.3(8)T
15.0 Oct 2009
15.1 Mar 2010 IKEv2, IPv6 and Suite B cryptography support added
15.2 Jul 2011

Release dates are the FCS dates.

CET (Cisco Encryption Technology) was a Cisco proprietary VPN technology that used 40 or 56-bit DES encryption. It was not compatible with IPsec, and was removed after IOS 12.1.

Cisco introduced IPsec with IKE in IOS 11.3.

Backoff Patterns

Cisco IOS has two different backoff patterns depending on the version. Versions 11.3 and 12.0 have the three-packet pattern:

0, 15, 15

Versions 12.1, 12.2, 12.3, 12.4, 15.0 and possibly later versions as well have the six-packet pattern:

0, 10, 10, 10, 10, 10

Here is an example from a Cisco 2503 running IOS 12.0(28c) showing the older three-packet pattern. The 2503 is a slow platform, so we need to specify a long timeout for the initial response. We also specify a retry limit of one to prevent ike-scan sending a retry packet before the 2503 gets round to replying

$ ike-scan --timeout=5000 -r 1 --showbackoff -M 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254 Main Mode Handshake returned
        HDR=(CKY-R=21fc9167fd9f8d79)
        SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

IKE Backoff Patterns:

IP Address      No.     Recv time               Delta Time
192.168.124.254 1       1172828749.249778       0.000000
192.168.124.254 2       1172828764.254496       15.004718
192.168.124.254 3       1172828779.258673       15.004177
192.168.124.254 Implementation guess: Cisco IOS 11.3 or 12.0 / PIX <= 6.2

Here is an example from a Cisco 2503 running IOS 12.2(29) showing the newer six-packet pattern:

$ ike-scan -M --showbackoff -r 1 --timeout=5000 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254 Main Mode Handshake returned
        HDR=(CKY-R=00921e8986961e8d)
        SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

IKE Backoff Patterns:

IP Address      No.     Recv time               Delta Time
192.168.124.254 1       1172357173.566105       0.000000
192.168.124.254 2       1172357183.564396       9.998291
192.168.124.254 3       1172357193.564495       10.000099
192.168.124.254 4       1172357203.564532       10.000037
192.168.124.254 5       1172357213.564637       10.000105
192.168.124.254 6       1172357223.564747       10.000110
192.168.124.254 Implementation guess: Cisco IOS 12.1, 12.2 or 12.3 / Watchguard Firebox / Gnat Box

Here is an example from a Cisco 1721 running IOS 12.4(13a), which also has the new six-packet pattern.

$ ike-scan -M --showbackoff 192.168.124.248
Starting ike-scan 1.9.1 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.248 Main Mode Handshake returned
        HDR=(CKY-R=3065132bf27d88d9)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

IKE Backoff Patterns:

IP Address      No.     Recv time               Delta Time
192.168.124.248 1       1177145540.098512       0.000000
192.168.124.248 2       1177145550.098679       10.000167
192.168.124.248 3       1177145560.098806       10.000127
192.168.124.248 4       1177145570.098935       10.000129
192.168.124.248 5       1177145580.099044       10.000109
192.168.124.248 6       1177145590.099170       10.000126
192.168.124.248 Implementation guess: Cisco IOS 12.1, 12.2 or 12.3 / Watchguard Firebox / Gnat Box / racoon

Vendor IDs

Cisco IOS does not send any Vendor IDs in the first Main Mode packet, but it does send a Vendor ID in the first Aggressive Mode packet. It is suspected that it sends this same Vendor ID later in the Main Mode exchange, but this has not been proved as ike-scan does not progress past the first IKE packet exchange.

In Aggressive Mode, Cisco IOS returns the following Vendor IDs:

  • Cisco Unity (12f5f28c457168a9702d9fe274cc0100) - 12.3 and later
  • Dead Peer Detection v1.0 (afcad71368a1f1c96b8696fc77570100) - 12.3 and later
  • Cisco IOS VID (data varies, see below)
  • XAUTH (09002689dfd6b712) - 12.3 and later

The Cisco IOS VID is a complex VID that is not fully understood. It appears to consist of two parts: the first 8 hex characters (4 bytes) always appear to be the same for a given system. the remaining 24 hex characters (12 bytes) appear to be random. This is detailed further below.

The examples below show the different aggressive mode Vendor ID responses from various versions of Cisco IOS.

IOS 12.1

Here is an aggressive mode response from a Cisco 2621 running IOS 12.1(27b):

$ ike-scan -M -A --trans=5,2,1,2 192.168.124.245
Starting ike-scan 1.9.1 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.245 Aggressive Mode Handshake returned
        HDR=(CKY-R=0e58a94521356284)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=fb9f0e5821346284aa844166a7ac1e7d
        KeyExchange(128 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.245)
        Nonce(20 bytes)
        Hash(20 bytes)

IOS 12.2

Here is an aggressive mode response from a Cisco 2503 running IOS 12.2(29):

$ ike-scan -M -A --trans=1,1,1,1 --dhgroup=1 --timeout=5000 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254 Aggressive Mode Handshake returned
        HDR=(CKY-R=70e404e616d03d80)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=8523a3fb16d13d806a4c699b97b80f7c
        KeyExchange(96 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.254)
        Nonce(20 bytes)
        Hash(16 bytes)

The vendor IDs are the same as for the 12.1 example above.

IOS 12.3

Here is an aggressive mode response from a Cisco 2621 running IOS 12.3(22):

$ ike-scan -M -A --trans=1,1,1,1 --dhgroup=1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Aggressive Mode Handshake returned
        HDR=(CKY-R=929a1c551f4ea24d)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=675dbb481f4fa24d97c4ed4ffb97600d
        VID=09002689dfd6b712 (XAUTH)
        KeyExchange(96 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.251)
        Nonce(20 bytes)
        Hash(16 bytes)

IOS 12.4

Here is an aggressive mode response from a Cisco 1721 running IOS 12.4(13a)

$ ike-scan -M -A 192.168.124.248
Starting ike-scan 1.9.1 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.248 Aggressive Mode Handshake returned
        HDR=(CKY-R=3065132b8f83a56d)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=c5a2b4368f82a56dee59a8d149b94834
        VID=09002689dfd6b712 (XAUTH)
        KeyExchange(128 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.248)
        Nonce(20 bytes)
        Hash(16 bytes)

IOS 15.0

Here is an aggressive mode response from a Cisco 7206 running IOS 15.0(1)M

$ ike-scan -A  -M --id=xxxxx 192.168.227.150
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.227.150 Aggressive Mode Handshake returned
        HDR=(CKY-R=fb0d4ed48b067f10)
        SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
        VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0)
        VID=0ecae9c98b077f104bd0a338c2dd3d1d
        VID=09002689dfd6b712 (XAUTH)
        KeyExchange(128 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.227.150)
        Nonce(20 bytes)
        Hash(20 bytes)

Cisco IOS Vendor ID

Below is a sample of ten IOS Vendor IDs obtained from a Cisco 2503 with address 192.168.124.254 running IOS 12.0(28c), tested from address 192.168.124.7:

d43b367ab647876bd660fe906ade084f
d43b367a4364ccae0d21a59f2c4c8397
d43b367aca681207aedf6f7e2ff0465c
d43b367aa6bf6e7a664c8753d7cb1a97
d43b367aba95186f42b54a5633a36dd8
d43b367a7f9df7db34c8fd2e2c7e7d1b
d43b367a2c20548c0755ae5011d0a3ca
d43b367a52e7dbd10cb2457751ee3eb1
d43b367ab4d02aec2ebbedd67cfa7155
d43b367a5f546d13192e5a962330518b

And here are ten vendor IDs from the same router, running the same IOS version, tested from IP address 192.168.124.3:

354b9745bb21c796c449206384743d7e
354b9745d03391e60d59f0758a8348db
354b97454bdee79a490820ac26de60b6
354b9745038eaa34c236453b826f10a4
354b97453a705818f7da13388df04d03
354b974529ea9812f7d3fa907caf77c1
354b974595750413369a32ac7cabe1f5
354b9745a3b1e976581c0208a403152c
354b9745afaa5fd5127722dad70a7534
354b97452694f5b91c7c74aa70d08692

This IOS Vendor ID is also returned by the Cisco PIX.

Authentication Methods

Cisco IOS supports three authentication methods: Pre-Shared Key, RSA Sigature and RSA Encryption. The example below shows these three options on IOS 12.0(28c):

cisco#configure terminal
cisco(config)#crypto isakmp policy 10
cisco(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

If no authentication method is specified, then RSA Signature is the default.

RSA Encryption is a standard authentication method, but it is not often implemented.

Whatever authentication method is configured, if Cisco IOS is not able to authenticate the peer then it will not accept the transform and will return NO-PROPOSAL-CHOSEN. This means that for Pre-Shared Key authentication there needs to be a configuration entry which specifies a key for the IP address that the request will be sent from, for example:

crypto isakmp key abc123 address 192.168.124.7

On later versions of IOS (12.2 for example), it is possible to specify a subnet mask in addition to an address, so you can create a PSK entry that will match any host with:

crypto isakmp key abc123 address 0.0.0.0 0.0.0.0

ISAKMP SA Lifetime

Lifetime in Seconds

Cisco IOS 12.3 will accept any lifetime in seconds between 1 and the maximum value that can be represented in 32-bits (0xFFFFFFFF). If no lifetime is specified, it responds with a default lifetime of 0x00015180 (86,400 seconds or 24 hours). If a lifetime of zero is specified, it ignores it and does not include any lifetime in its response.

IOS 12.3 does not accept variable length lifetimes with value lengths other than four bytes (32-bits) even if the value would otherwise be acceptable.

$ ike-scan -M --lifetime=none --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55e9ee2137)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00015180)
$ ike-scan -M --lifetime=0 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55ddbb5a61)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK)
$ ike-scan -M --lifetime=1 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c552df560e7)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=1)
$ ike-scan -M --lifetime=0xffffffff --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c556f8f52be)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0xffffffff)
$ ike-scan -M --lifetime=0x0000000000000001 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55be980d59)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK)

Lifetime in Kilobytes

Cisco IOS 12.3 does not accept any lifetime in kilobytes, whatever the value. It will respond with NO-PROPOSAL-CHOSEN if one is included in the initiator's transform.

$ ike-scan -M --lifetime=none --lifesize=0 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=929a1c5553f116a0)
$ ike-scan -M --lifetime=none --lifesize=1 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=929a1c55b7801079)
$ ike-scan -M --lifetime=none --lifesize=1000 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=929a1c55dde7add6)

Transform Attribute ordering and re-writing

Cisco IOS 12.3 always returns the transform attributes in the order Enc [,key length], Hash, Group, Auth, Lifetime in Seconds irrespective of the order that the initiatior sends the attributes in.

It always includes a lifetime in seconds in its response transform, even if the initiator didn't include on in its transform.

Here are examples from a Cisco 2621 running IOS 12.3(22) that illustrate this behaviour. In the first example, we send the attributes in the order Enc, Hash, Auth, Group, and in the second we use the order Group, Auth, Hash, Enc. In both cases we observe that the Cisco returns the attributes in the order Enc, Hash, Group, Auth, Lifetime in Seconds.

$ ike-scan -M --trans="(1=1,2=1,3=1,4=1)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55a67f96de)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00015180)
$ ike-scan -M --trans="(4=1,3=1,2=1,1=1)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55ee031f56)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration(4)=0x00015180)

Here is an example with a lifetime in seconds included in the initator's transform.

$ ike-scan -M --trans="(11=1,12=123,4=1,3=1,2=1,1=1)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55368dce1c)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=123)

Here is an example with a variable length encryption algorithm that includes the key length attribute.

$ ike-scan -M --trans="(14=128,11=1,12=123,4=1,3=1,2=1,1=7)" 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c551c851cf3)
        SA=(Enc=AES KeyLength=128 Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=123)

Aggressive Mode

Cisco IOS supports aggressive mode by default, but it is possible to disable it with the command crypto isakmp aggressive-mode disable.

Here is an example of an aggressive mode reply from a Cisco 2503 running IOS 12.0(28c). We need to specify a custom transform and Diffie-Hellman group 1 for the key exchange payload for this system.

$ ike-scan -A --timeout=5000 -r 1 --trans=1,1,1,1 --dhgroup=1 -M 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254 Aggressive Mode Handshake returned
        HDR=(CKY-R=21fc9167b36b42d4)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=d43b367ab36a42d4f70daed26fc88a68
        KeyExchange(96 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.254)
        Nonce(20 bytes)
        Hash(16 bytes)

Here is an example of an aggressive mode reply from a Cisco 2503 running IOS 12.2(29).

$ ike-scan -M -A -r 1 --trans=1,2,1,1 --dhgroup=1 --timeout=5000 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254 Aggressive Mode Handshake returned
        HDR=(CKY-R=00921e89d7b1f2d1)
        SA=(Enc=DES Hash=SHA1 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
        VID=f555b994d7b0f2d1c9e4f48ed246dd73
        KeyExchange(96 bytes)
        ID(Type=ID_IPV4_ADDR, Value=192.168.124.254)
        Nonce(20 bytes)
        Hash(20 bytes)

Response to Noncompliant and Malformed Packets

The responses below are from IOS 12.3(22) unless noted otherwise.

No Acceptable Transforms

$ ike-scan -M --trans=5,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=929a1c55197d4f94)

Bad IKE version

IOS ignores bad IKE versions in the ISAKMP header, and always returns the correct version (0x10) in the ISAKMP header of the response packet.

$ ike-scan -M --headerver=0x30 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c5500036bdc)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
$ ike-scan -M --headerver=0x11 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55e7665ba9)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

Invalid DOI

Cisco IOS doesn't respond to the initiator for an invalid DOI.

$ ike-scan -M --doi=2 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

However, it does log the event:

01:57:45: ISAKMP (0:9): processing SA payload. message ID = 0
01:57:45: %CRYPTO-6-IKMP_BAD_DOI_SA: DOI value 2 from SA offer from 192.168.124.7   is invalid

Invalid Situation

$ ike-scan -M --situation=2 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55022890be)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

Invalid Initiator Cookie

$ ike-scan -M --cookie=0000000000000000 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c550bf78bdf)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

Invalid Flags

Cisco IOS doesn't respond to the initiator for invalid flags. It doesn't log anything either.

$ ike-scan -M --hdrflags=255 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.438 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

Invalid Protocol

Cisco IOS doesn't respond to the initiator for invalid protocol. It doesn't log anything either.

$ ike-scan -M --protocol=2 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 0.557 seconds (1.79 hosts/sec).  0 returned handshake; 0 returned notify

Invalid SPI

$ ike-scan -M --spisize=32 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c5582119402)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

Non-Zero Reserved Fields

Cisco IOS doesn't respond to the initiator for Non-Zero reserved fields.

$ ike-scan -M --mbz=255 --trans=1,1,1,1 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)

Ending ike-scan 1.9: 1 hosts scanned in 2.437 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify

However, it does log the event:

03:48:19: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.124.7   failed its sanity check or is malformed

NAT Traversal

NAT traversal support was added in IOS 12.2(13)T. Prior versions don't support NAT Traversal, and will not respond to NAT-T encapsulated requests on UDP port 4500.

IOS Versions 12.3 and later support NAT Traversal by default, and will respond to a NAT Traversal encapsulated IKE request. Here is an example of a NAT Traversal response from a Cisco 2621 running IOS 12.3(22):

$ ike-scan -M --nat-t 192.168.124.251
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c5517d11ec7)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

IVEv2

Cisco IOS does not support IKEv2 as of IOS 15.0.

Remote Access VPN Client

Other Interesting Behaviour

Responder Cookie

The first four bytes (eight hex digits) of the responder cookie from IOS are fixed for a given router, IOS version, and testing IP address. This is similar to Cisco PIX.

The example below illustrates this behaviour on a Cisco 2503 running IOS 12.0(28c):

$ perl -e 'print "192.168.124.254\n" x 5' |
  ike-scan --interval=5s --timeout=5000 -r 1 --trans=1,1,1,1 -M -f -
Starting ike-scan 1.9 with 5 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254 Main Mode Handshake returned
        HDR=(CKY-R=21fc91675c65d72d)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254 Main Mode Handshake returned
        HDR=(CKY-R=21fc91671181409c)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254 Main Mode Handshake returned
        HDR=(CKY-R=21fc9167a365f1a1)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254 Main Mode Handshake returned
        HDR=(CKY-R=21fc9167d613b809)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.254 Main Mode Handshake returned
        HDR=(CKY-R=21fc9167f3ea16d0)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

Here is another example from a Cisco 2621 running IOS 12.3(22):

$ perl -e 'print "192.168.124.251\n" x 5' | ike-scan --trans=1,1,1,1 -M -f -
Starting ike-scan 1.9 with 5 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c55863b71e1)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c554b7c5693)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c5517342b76)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c550dbb4ec3)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.251 Main Mode Handshake returned
        HDR=(CKY-R=929a1c554706389f)
        SA=(Enc=DES Hash=MD5 Group=1:modp768 Auth=PSK LifeType=Seconds LifeDuration=28800)

Here is an example from a Cisco 1721 running IOS 12.4(13a):

$ perl -e 'print "192.168.124.248\n" x 5' | ike-scan --trans=5,1,1,2 -M -f -
Starting ike-scan 1.9.1 with 5 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.248 Main Mode Handshake returned
        HDR=(CKY-R=3065132bbf50c276)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248 Main Mode Handshake returned
        HDR=(CKY-R=3065132b8d61eed9)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248 Main Mode Handshake returned
        HDR=(CKY-R=3065132b539e7e62)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248 Main Mode Handshake returned
        HDR=(CKY-R=3065132bf4849fc0)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
192.168.124.248 Main Mode Handshake returned
        HDR=(CKY-R=3065132b905bf774)
        SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

Default Configuration

IOS has a default IKE Phase-1 policy, which is assigned policy number 65535. This default policy is: Enc=DES, Hash=SHA1, Auth=RSA_Sig, Group=1. The example below shows the default policy on a Cisco 2503 running IOS 12.0(28c) with no explicit policy defined.

cisco#show crypto isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

Generally the user will define an IKE Phase-1 policy with the crypto isakmp policy command line configuration. In the example below, we define an acceptable policy of Enc=DES, Hash=MD5, Auth=PSK, Group=1. Note that any unspecified attributes (in this case Enc and Group) will remain at the default values.

crypto isakmp policy 10
 hash md5
 authentication pre-share

Each policy is matched in increasing numerical order, with the default policy always being last. After we have added policy number 10, the show crypto isakmp policy command shows:

cisco#show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

From IOS 12.4(20)T, any specific isakmp policy will disable the default policy. Prior to this version there was no way to disable or change the default policy.

If we send an unsupported transform of Enc=3DES, Hash=SHA1, Auth=PSK, Group=2 with the following ike-scan command we obtain the IKE debug output shown below, which shows how the Cisco matches against each policy in turn.

$ ike-scan --timeout=5000 -r 1 --trans=5,2,1,2 -M 192.168.124.254
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
192.168.124.254 Notify message 14 (NO-PROPOSAL-CHOSEN)
        HDR=(CKY-R=21fc9167fa299c4f)
*Mar  1 00:28:24.051: ISAKMP (0): received packet from 192.168.124.7 (N) NEW SA
*Mar  1 00:28:24.059: ISAKMP (11): processing SA payload. message ID = 0
*Mar  1 00:28:24.063: ISAKMP (11): Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:28:24.063: ISAKMP:      encryption 3DES-CBC
*Mar  1 00:28:24.067: ISAKMP:      hash SHA
*Mar  1 00:28:24.067: ISAKMP:      auth pre-share
*Mar  1 00:28:24.067: ISAKMP:      default group 2
*Mar  1 00:28:24.071: ISAKMP:      life type in seconds
*Mar  1 00:28:24.071: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Mar  1 00:28:24.075: ISAKMP (11): atts are not acceptable. Next payload is 0
*Mar  1 00:28:24.075: ISAKMP (11): Checking ISAKMP transform 1 against priority 65535 policy
*Mar  1 00:28:24.079: ISAKMP:      encryption 3DES-CBC
*Mar  1 00:28:24.079: ISAKMP:      hash SHA
*Mar  1 00:28:24.083: ISAKMP:      auth pre-share
*Mar  1 00:28:24.083: ISAKMP:      default group 2
*Mar  1 00:28:24.083: ISAKMP:      life type in seconds
*Mar  1 00:28:24.087: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
*Mar  1 00:28:24.091: ISAKMP (11): atts are not acceptable. Next payload is 0
*Mar  1 00:28:24.091: ISAKMP (11): no offers accepted!
*Mar  1 00:28:24.091: ISAKMP (11): SA not acceptable!
*Mar  1 00:28:24.095: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 192.168.124.7
*Mar  1 00:28:24.099: ISAKMP (11): sending packet to 192.168.124.7 (R) MM_NO_STATE

Discovered Vulnerabilities