To test this feature, visit your live site.

How to remove SSH weak algorithms and not impact ipsec tunnels.

Hello, good evening. Thank you very much in advance for your help and support as always. Checking this link: https://live.paloaltonetworks.com/t5/general-topics/how-to-remove-ssh-weak-algorithms/td-p/285933#:~:text=Next%20Topic-,1%20ACCEPTED%20SOLUTION, -Reaper

Fair, but fair (murphy) I need to apply these settings at the SSH and SSL/TLS level in some PCI firewalls, which have a lot of IPSEC vpn tunnels, site to site (a lot I'm talking about more than 50 tunnels with a mix of suite of algorithms). Reviewing what a colleague/colleague comments, when applying the settings, he had problems with his vpn-site-to-site tunnels: This is in the Live Community Link: https://live.paloaltonetworks.com/t5/general-topics/how-to-remove-ssh-weak-algorithms/td-p/285933:

""""

... Exit from config mode by typing 'exit' > set ssh service-restart mgmt I ran these commands and it appeared to work, however shortly afterwards our VPN site to site tunnel dropped out. I connected to our PA-820 again, ran: delete deviceconfig system ssh commit set ssh service-restart mgmt. and after a few minutes the tunnel came back up. Would running those commands have disabled a cipher suite used by this tunnel?"""""

I have the same case... where an asset vulnerability management tool detected these ssh encryption issues: SSH Weak Algorithms Supported: Has detected that the remote SSH server is configured to use the Arcfour stream. RFC 4253 advises against using Arcfour due to an issue with weak keys. I assure you that in the total number of ipsec tunnels of these firewalls, a mix, there will be everything, 3DES, SHA1, MD5... a little of everything, the issue is how do I make sure that the SSH and SSL/TLS configuration, when making the adjustments, remove the weak algorithms, especially in ssh, do not impact the ipsec tunnels, as happened to the colleague, who published in the live community, who had to choose to cancel/delete the adjustments made and go back to restart the ssh service and then the ipsec tunnels are working again.

Just these firewalls that I have to intervene are critical but very critical, effectively because of the multiple ipsec tunnels.

I look forward to your comments, support and/or suggestions.

Thank you Best regards

3 comments

Comments (3)

Reaper

Jul 06, 2022

Some of the cipher suites are shared and will also become unavailable for IPsec once you disable weak ciphers. The best (not easiest) way forward is upgrading the suites used by your VPN tunnels so they also use better encryption

MetgatzGR

Jul 06, 2022

Replying to

@Reaper Thank you Reaper for your prompt and timely response.

Does this impact on IPSEC VPN tunnels apply only for SSH related settings ? or does it also happen with SSL/TLS related ?

Thank you, I remain attentive, best regards

MetgatzGR

Jul 07, 2022

Replying to

@Reaper

Hello Reaper, thank you very much for your reply.

I set up a lab, with two PA VM-100 PAN-OS 9.1.2, I set up an IPSEC tunnel, I made sure it was up and OK. I used for this quite basic and weak encryption and authentication algorithms, sha1, md5, des, 3des and dhgroup1. The tunnel lifted OK without problems.

Subsequently to the tunnel above, I applied the disable both at ssl/tls and ssh level, the weak algorithms leaving this way the config:

SSL: show shared ssl-tls-service-profile CaTLS protocol-settings protocol-settings { min-version tls1-2; max-version max; auth-algo-sha1 no; enc-algo-3des no; enc-algo-rc4 no;

SSH MGT: admin@PA-VM# show deviceconfig system ssh ssh { ciphers { mgmt { aes256-ctr; aes256-gcm; } } default-hostkey { mgmt { key-type { ECDSA 256; } } } regenerate-hostkeys { mgmt { key-type { ECDSA { key-length 256; } } } } session-rekey { mgmt { interval 3600; } } mac { mgmt { hmac-sha2-256; hmac-sha2-512; } } kex { mgmt { ecdh-sha2-nistp521; } } } [edit] admin@PA-VM#

When I applied this, at no time did the tunnel go down ... at no time did the tunnel lose connectivity, and I set up the tunnel with weak algorithms. I even applied restart to the tunnel, restarted one of the firewalls ( also both firewalls ), applied the settings to both firewalls and the tunnel is established without problems. I tested with several combinations of algorithms, for example SHA1, MD5, AES128CBC, DES, 3DES and those of adjusting in both firewalls, the tunnel reconnected without problems. All this, that is to say all this hardening of weak algorithms, is at MGT and Web-gui MGT tls/ssl level, that is to say at Management Plane level, therefore it should not affect the dataplane at all, at least the logic dictates so.

Here my doubt, the issue of ipsec tunnels, after applying the hardening of ssh, the problem that had the colleague / colleague is a documented bug of some version ? was a very specific situation that happened to the colleague ? was it just a parallel issue out of control that happened or that problem occurs with version 8.0.X or 8.1.x but no longer with versions 9.1.X ? Since in my lab, I had no problem and I can connect via ssh without problems, with strong encryption and also at ssl level.

https://live.paloaltonetworks.com/t5/general-topics/how-to-remove-ssh-weak-algorithms/td-p/285933#:~:text=Found%20some%20article,deviceconfig%20system%20ssh

I remain attentive, thank you very much, best regards.

Forum: Forum