Penetration Testing mailing list archives

Cisco VPN Concentrator


From: Pawel Krawczyk <kravietz () aba krakow pl>
Date: Mon, 5 Nov 2001 22:54:21 +0100

We're now testing an installation with a Cisco 3000 VPN Concentrator
(release 2.5.2) as the access point and Windows clients as the
leafnodes. The concentrator has only one port open and it is 1723 for
PPTP.  We've analyzed the traffic between clients and the concentrator and
it doesn't seem to use PPTP, but only establishes a standard ISAKMP SA in
aggressive mode. That seems to be OK, as the algorithm used for the IPSec SA
is ESP/3DES-MD5. The authentication used for the ISAKMP SA seems to be shared
secret, but I'm not sure how it's configured - is that in the client?

We have further analyzed the concentrator itself and it seems to be
behaving quite strangely. It answers ICMP Echo, it doesn't send RST back
for SYN to unused ports (SYN scan), but it sends RST in reply to ACK
sent to unused ports (ACK scan). What is even stranger is the reaction
to the SYN/RST sequence as tried by hping2:

# hping2 -S -Q -p 1723 -s 1111 -k 10.153.0.9
1521655933 +192000
1521655933 +0
1521655933 +0
1521655933 +0
1521847933 +192000
1521847933 +0
1521847933 +0
1521847933 +0
1522039933 +192000
1522039933 +0
1522039933 +0
1522039933 +0

And the tcpdump output follows (only from two packets). The anomalies are:
- triple RST answer to every RST sent
- constant diff between the initial SYN+ACK sequence numbers

22:03:30.039305 10.153.73.202.1111 > 10.153.0.90.1723: S 1125733536:1125733536(0) win 512
22:03:30.042704 10.153.0.90.1723 > 10.153.73.202.1111: S 1521847933:1521847933(0) ack 1125733537 win 0 <mss 4096>
22:03:30.042736 10.153.73.202.1111 > 10.153.0.90.1723: R 1125733537:1125733537(0) win 0 (DF)
22:03:30.045876 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:30.046095 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:30.046305 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:31.039299 10.153.73.202.1111 > 10.153.0.90.1723: S 1572340450:1572340450(0) win 512
22:03:31.046559 10.153.0.90.1723 > 10.153.73.202.1111: S 1522039933:1522039933(0) ack 1572340451 win 0 <mss 4096>
22:03:31.046589 10.153.73.202.1111 > 10.153.0.90.1723: R 1572340451:1572340451(0) win 0 (DF)
22:03:31.053144 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:31.053634 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:31.053859 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0

Note that we used a static source port (-s -k); when we used different
or incremental ports the initial sequence numbers were also different.
So it seems like the initial SYN SEQ depends on the source port number?

Any comments and pointers about this device would be useful. Also, I'm
looking for pointers to weaknesses of PPTP (I know Schneier's papers)
and ISAKMP aggressive mode with preshared key authentication.

VPN 3000 Concentrator release 2.5.2
model CVPN 3060-NR (non-redundant, 3 interfaces)

-- 
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23
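The two anomalies above (a constant difference between successive SYN+ACK initial sequence numbers, and three RSTs per probe) can be checked mechanically from a tcpdump summary capture. The script below is an added example, not code from the post or from Cisco; it assumes tcpdump's one-line summary format as shown above and uses a constructed capture whose server ISNs are the three values from the hping2 run.

```python
import re

# tcpdump 3.x summary line: "ts src.port > dst.port: flags seq:seq(len) ..."
PKT_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                    r"(?P<flags>[SRFP.]+) (?P<seq>\d+):\d+\(\d+\)(?P<rest>.*)$")

# Constructed capture modelled on the post (server ISNs taken from its hping2 output):
# three probes, each a client SYN, the concentrator's SYN/ACK and its three RSTs.
CAPTURE = """\
22:03:29.039301 10.153.73.202.1111 > 10.153.0.90.1723: S 1003451177:1003451177(0) win 512
22:03:29.042700 10.153.0.90.1723 > 10.153.73.202.1111: S 1521655933:1521655933(0) ack 1003451178 win 0 <mss 4096>
22:03:29.045870 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:29.046090 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:29.046300 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:30.039305 10.153.73.202.1111 > 10.153.0.90.1723: S 1125733536:1125733536(0) win 512
22:03:30.042704 10.153.0.90.1723 > 10.153.73.202.1111: S 1521847933:1521847933(0) ack 1125733537 win 0 <mss 4096>
22:03:30.045876 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:30.046095 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:30.046305 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:31.039299 10.153.73.202.1111 > 10.153.0.90.1723: S 1572340450:1572340450(0) win 512
22:03:31.046559 10.153.0.90.1723 > 10.153.73.202.1111: S 1522039933:1522039933(0) ack 1572340451 win 0 <mss 4096>
22:03:31.053144 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:31.053634 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
22:03:31.053859 10.153.0.90.1723 > 10.153.73.202.1111: R 0:0(0) ack 1 win 0
"""

def parse_capture(text):
    """Parse TCP summary lines into dicts with an integer seq; other lines are skipped."""
    return [dict(m.groupdict(), seq=int(m["seq"])) for m in map(PKT_RE.match, text.splitlines()) if m]

def server_isns(pkts, server):
    """ISNs the server chose: SYN segments it sent that carry an ack."""
    return [p["seq"] for p in pkts
            if p["src"] == server and p["flags"] == "S" and " ack " in p["rest"]]

def classify_isn(isns):
    """Return (verdict, deltas); a constant delta lets a passive observer extrapolate the next ISN."""
    deltas = [b - a for a, b in zip(isns, isns[1:])]
    if len(deltas) < 2:
        return "insufficient samples", deltas
    return ("constant increment" if len(set(deltas)) == 1 else "variable"), deltas

def rsts_per_probe(pkts, server):
    """Server RSTs seen after each client SYN (the post observed three per probe)."""
    syn_idx = [i for i, p in enumerate(pkts) if p["flags"] == "S" and p["src"] != server]
    return [sum(1 for p in pkts[a:b] if p["src"] == server and p["flags"] == "R")
            for a, b in zip(syn_idx, syn_idx[1:] + [len(pkts)])]
```

Run it on a real capture by feeding `tcpdump -n` output into `parse_capture`; a "constant increment" verdict means the ISN generator is not RFC 1948-style randomised and that device should be treated as exposed to spoofed-connection and RST-injection attacks until patched.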
