XAUTH Hybrid Mode – Dissected

Within a few years after Cisco acquired the original VPN Concentrator from Altiga Networks, a noted improvement was made in the way IPSec remote access VPN clients initiated connections. This improvement was named “Hybrid Mode Authentication” on the concentrator but is supported using the “Mutual Group Authentication” radio button on the connection entry screen on the Cisco IPSec client. We’ll briefly examine the motivation for this improvement, outline the mechanism and how it differs from the earlier “preshared key only” mode, and finally show where it’s configured on the ASA.

The combination of Internet Key Exchange (IKE) Aggressive Mode with preshared keys was shown to be vulnerable to “Man in the Middle” (MITM) attacks. This weakness was further compounded by the public availability of tools for decrypting the group preshared key stored in the .pcf profile file used by the Cisco IPSec client. See Vulnerabilities of IPSec VPNs for more on these known weaknesses.

IKE Hybrid mode mitigates the MITM threat by adding an identity certificate, presented by the IPSec VPN server, which the client must validate against a stored root or Certification Authority (CA) certificate. The mechanism is depicted below:

I) VPN Client ——————> VPN Server
Group Name
HASH (PSK)
IKE Proposals

II) VPN Client <—————— VPN Server
Accepted Prop.
Identity Cert

III) VPN Client ——————> VPN Server
Encrypted/Hashed
ISAKMP SA sent after
ID Cert validated

Fundamentally, IKE Hybrid mode is merely Aggressive Mode with a unidirectional certificate transmission (from the VPN server) added to the essentially unchanged transmission from the client of Group Name and hashed preshared key. Unlike Main Mode, in which the certificate transmission is a true exchange (and an encrypted one at that!), in Hybrid mode the identity certificate is sent in the clear:

The trace above clearly shows the fields in the certificate. Since this frame represents step II) in the mechanism outlined above, the two endpoints do not yet have the keying material needed to protect the transmission. For the sake of brevity, I omitted the other frames in the capture, which show that IKE Hybrid mode requires fragmentation of the UDP datagrams to carry all of the ISAKMP payload information (in addition to the certificate) originating from the VPN server.

Shown below is the ASDM screen where Hybrid mode is configured. This screen corresponds to the isakmp ikev1-user-authentication hybrid CLI command.

In ASDM, the IKE mode is chosen under “Connection Profiles”. There is no corresponding command-line syntax for that phrase; instead, the CLI command mentioned above is entered under tunnel-group <NAME> ipsec-attributes.
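As an added example (not from the original article), the following Python check audits an ASA running-config excerpt for remote-access tunnel-groups that still rely on a preshared key alone, i.e. groups whose ipsec-attributes lack the isakmp ikev1-user-authentication hybrid command discussed above. The sample configuration and the group names are constructed; ikev1 pre-shared-key and ikev1 trust-point are real ASA commands, and the older pre-shared-key spelling is also accepted.

```python
import re

# Constructed ASA running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
tunnel-group RA-PSK-ONLY type remote-access
tunnel-group RA-PSK-ONLY ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group RA-HYBRID type remote-access
tunnel-group RA-HYBRID ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp ikev1-user-authentication hybrid
 ikev1 trust-point RA-ID-CERT
tunnel-group SITE-B type ipsec-l2l
tunnel-group SITE-B ipsec-attributes
 ikev1 pre-shared-key *****
"""

def parse_tunnel_groups(config):
    """Return {name: {"type": str, "attrs": [lines]}} for every tunnel-group.

    Indented lines belong to the most recent 'tunnel-group <NAME>
    ipsec-attributes' block; other sub-modes are ignored.
    """
    groups, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) (type (\S+)|ipsec-attributes)$", raw)
        if m:
            grp = groups.setdefault(m.group(1), {"type": None, "attrs": []})
            if m.group(3):          # 'tunnel-group X type <type>'
                grp["type"] = m.group(3)
                current = None
            else:                   # 'tunnel-group X ipsec-attributes'
                current = grp
        elif raw.startswith(" ") and current is not None:
            current["attrs"].append(raw.strip())
        else:
            current = None
    return groups

def psk_only_remote_access(config):
    """Names of remote-access groups that use a PSK but not Hybrid mode."""
    findings = []
    for name, grp in parse_tunnel_groups(config).items():
        if grp["type"] != "remote-access":
            continue                # site-to-site groups are out of scope here
        attrs = grp["attrs"]
        has_psk = any(a.startswith(("ikev1 pre-shared-key", "pre-shared-key")) for a in attrs)
        hybrid = "isakmp ikev1-user-authentication hybrid" in attrs
        if has_psk and not hybrid:
            findings.append(name)
    return findings

if __name__ == "__main__":
    for name in psk_only_remote_access(SAMPLE_CONFIG):
        print(f"{name}: PSK-only remote access, no Hybrid mode configured")
```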

References:

Configuring the VPN Client using ASDM
