isakmp key ******** address something/24 no-xauth no-config-mode

Good evening,

Quick question on PIX 6.3.5,

isakmp key something-big address 195.238.10.0 netmask 255.255.255.0 no-xauth no-config-mode

  1. What is the maximum length of the Preshared Secret?
  2. 195.238.10.0/24 and not 255.255.255.255 ... if all my VPN peers are on that /24 subnet, what do I risk by opening it that wide? Well, I have most of the IPs on the /24, but not all of them.
  3. no-xauth, no-config-mode, what does it mean really?

Related to question 2: how do I track, with an inside syslog server, somebody coming from an IP I don't own and trying to get into the VPN cloud?

Thank You,

Bidibule


128 is the documented length, but be aware that a number of other devices use a much smaller limit, such as 32 or even 12. If I recall correctly, the Cisco VPN 3000 concentrator series cannot handle 128.

In practice, I've used preshared keys between PIXen up to 255 characters long, and the only way I found out about the 128 limit is that Cisco's PIX configuration analysis tool mentioned it.

There is a risk of a dictionary type attack against your IKE. I seem to recall that in some previous code versions, there were IKE security bugs that argued for only allowing the key to match the hosts you need.

Also, if someone somehow manages to take over one of your boxes, and you are using the same preshared key for all of them, then that person has access to all of them (if they can start from the right IP range). It is more secure to use different preshared key pairs between each unique pair of devices. Unfortunately, that results in a combinatorial explosion of keys...

Those are described at the URL above. The first has to do with disabling an authentication scheme that involves an interjection that humans can deal with easily, but which a PIX is not programmed to be able to send. The second has to do with disabling the local PIX from trying to push an IP address and netmask onto the remote device. Both options usually make sense for security gateway devices (e.g., PIX), but they are usually not used for software clients.

Push your logging level up to debug and look for IKE negotiation failures.

Walter Roberson
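The per-pair key scheme from the answer above, as an added example that is not part of the original thread: a small Python generator that makes a distinct preshared key for every unordered pair of peers, keeps each key within the smallest limit either end of that pair can store (the 128 quoted above for the PIX, a smaller figure for a device like the VPN 3000), and emits host-scoped (netmask 255.255.255.255) `isakmp key` lines so a key matches one peer rather than the whole /24. The peer names, addresses and per-device limits in the inventory are made up for the example; the `isakmp key ... address ... netmask ... no-xauth no-config-mode` syntax is the PIX 6.3 form shown in the question, and the 32-character limit is an assumed stand-in for a device with a smaller maximum, not a documented figure.

```python
"""Added example, not code from the thread: generate one IKE preshared key
per pair of peers, sized to the weaker side's limit, and print host-scoped
``isakmp key`` lines for each device.

Assumptions (hypothetical): peer names, addresses and per-device maximum
key lengths below are constructed for illustration. 128 is the PIX limit
quoted in the thread; 32 stands in for a device with a smaller limit.
"""
import secrets
import string
from itertools import combinations

# Characters that are safe on a PIX CLI line: no spaces, no '?' (help key).
KEY_ALPHABET = string.ascii_letters + string.digits

# Constructed inventory: device name -> (peer address, max preshared key length).
PEERS = {
    "pix-hq":     ("195.238.10.1", 128),
    "pix-branch": ("195.238.10.2", 128),
    "vpn3000":    ("195.238.10.3", 32),   # assumed smaller limit
}


def key_length_for_pair(limit_a: int, limit_b: int, preferred: int = 128) -> int:
    """Longest key both ends of a pair can store, capped at the preferred length."""
    return min(limit_a, limit_b, preferred)


def make_key(length: int) -> str:
    """Random key from the CLI-safe alphabet, using the OS CSPRNG."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def expected_pair_count(n: int) -> int:
    """Number of unordered pairs among n devices: n*(n-1)/2 keys to manage."""
    return n * (n - 1) // 2


def pairwise_keys(peers: dict) -> dict:
    """One key per unordered pair, keyed by the (sorted) pair of device names."""
    keys = {}
    for a, b in combinations(sorted(peers), 2):
        length = key_length_for_pair(peers[a][1], peers[b][1])
        keys[(a, b)] = make_key(length)
    return keys


def isakmp_key_lines(device: str, peers: dict, keys: dict) -> list:
    """Config lines for one device: a /32-scoped key for each remote peer.

    The netmask is 255.255.255.255 so the key only matches that one host,
    not the whole subnet the thread's original line covered.
    """
    lines = []
    for (a, b), key in sorted(keys.items()):
        if device not in (a, b):
            continue
        remote = b if device == a else a
        addr = peers[remote][0]
        lines.append(
            f"isakmp key {key} address {addr} netmask 255.255.255.255 "
            "no-xauth no-config-mode"
        )
    return lines


if __name__ == "__main__":
    keys = pairwise_keys(PEERS)
    print(f"! {len(keys)} pairwise keys for {len(PEERS)} devices")
    for device in PEERS:
        print(f"! --- {device} ---")
        for line in isakmp_key_lines(device, PEERS, keys):
            print(line)
```

Each device gets exactly one line per remote peer, and the same key string appears on both ends of a pair. Adding a fourth device means three more keys (the combinatorial growth the answer warns about), so a generator like this is mostly useful to keep the bookkeeping straight; the keys themselves should still be carried to each box over a channel you trust.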

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.