Oct 16 - Version 1.0.6:
- Fixed faulty IKE and IPsec lists
Oct 16 - Version 1.0.5:
- Reworked IKEv1 IKE Policy review
- Encryption Algorithms review
- Removed debug logging, instead, logging function is verbose aware now - future use
View more on the changelog file
To elevate the security standards, Cisco updated the acceptable algorithms that may be used to build VPN tunnels starting from firmware 6.7 and superior versions.
You may not be able to upgrade an FMC, or deploy post-upgrade with FDM, if you use any of the following FTD features:
Diffie-Hellman groups: 2, 5, and 24.
Group 5 continues to be supported in FMC deployments for IKEv1, but we recommend you change to a stronger option.
Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.
The NULL "encryption algorithm" (authentication without encryption, for testing purposes) continues to be supported in FMC deployments for both IKEv1 and IKEv2 IPsec proposals. However, it is no longer supported in IKEv2 policies.
Hash algorithms: MD5.
If you are still using these features in IKE proposals or IPsec policies, change and verify your VPN configuration before you upgrade.
If you have just a few VPNs configured, determining which VPNs must be modified is an easy task. However, if you need to generate a structured report and contact dozens (and sometimes hundreds) of VPN peers to inform them about the need to update their end, this task can consume hundreds of hours and examining the configurations manually is prone to human error.
The managed devices still running with these deprecated settings are unable to be upgraded past firmware 6.6.X, this poses a stability and security threat to your network environment.
Use the Cisco Secure Firewall Management Center (FMC) API to leverage the information about VPNs, automatically parse the unsecure configurations and create a log file with completed run details and a clean CSV file containing just the important information.
+-----------------------------------------------------+
| Start Program |
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| Generate FMC token |
| /api/fmc_platform/v1/auth/generatetoken |
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| Get a full list of all IKEv1 IPSEC Proposals |
| /api/fmc_config/v1/domain/{domainUUID}/object/ |
| ikev1ipsecproposals?offset=0&limit=4&expanded=true |
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| Get a full list of all IKEv2 IPSEC Proposals |
| /api/fmc_config/v1/domain/{domainUUID}/object/ |
| ikev2ipsecproposals?offset=0&limit=10&expanded=true|
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| Get a full list of all IKEv1 IKE Policies |
| /api/fmc_config/v1/domain/{domainUUID}/object/ |
| ikev1policies?offset=0&limit=10&expanded=true |
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| Get a full list of all IKEv2 IKE Policies |
| /api/fmc_config/v1/domain/{domainUUID}/object/ |
| ikev2policies?offset=0&limit=10&expanded=true |
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| Loop (For Each IKEv1 and IKEv2 IKE Policy) |
| |
| +-----------------------------------------------------------+
| | Launch GET Request to Obtain IKE Settings |
| | /api/fmc_config/v1/domain/{domainUUID}/policy/ |
| | ftds2svpns/{objectId}/ikesettings/{ike_settings_id} |
| +-----------------------------------------------------------+
| |
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| Loop (For Each VPN) |
| |
| +-----------------------------------------------------------+
| | Launch GET Request to Obtain VPN Details |
| | /api/fmc_config/v1/domain/{domainUUID}/policy/ |
| | ftds2svpns/{vpn_id}/ikesettings/{ike_settings_id} |
| +-----------------------------------------------------------+
| |
+-----------------------------------------------------+
V
+-----------------------------------------------------+
| End Program |
+-----------------------------------------------------+
- Cisco FMC API
- Python
git clone https://github.com/RenanHingel/fmc_unsupported_algorithms.gitFirst make sure that you have Python 3 installed on your machine. We will then be using venv to create an isolated environment with only the necessary packages.
pip install virtualenv
+++ Change to your project folder
cd fmc_unsupported_algorithms
+++ Create the venv
virtualenv venv
+++ Activate your venv
source venv/bin/activate
pip3 install -r requirements.txtpython3 get_vpn_requirements.py
- Renan Hingel (renanhingel@gmail.com)