Devices running a vulnerable version of the software are affected if both of the following conditions are met:
- IKEv2 fragmentation is enabled
- The device is running Cisco IOS or Cisco IOS XE Software and is configured for any type of VPN based on IKEv2
Note: IKEv1-based VPNs are not affected by this vulnerability; however, in some
cases, enabling IKEv1 will automatically enable IKEv2.
A number of features use IKEv2, including different types of VPNs, such as the following:
- LAN-to-LAN VPN
- Remote access VPN (excluding SSLVPN)
- Dynamic Multipoint VPN (DMVPN)
- Group Encrypted Transport VPN (GETVPN)
To verify whether IKEv2 fragmentation is enabled, use the show running-config | include crypto ikev2 fragmentation
command and verify that it returns output.
The following example shows a device running Cisco IOS Software with crypto ikev2 fragmentation enabled:
router#show running-config | include crypto ikev2 fragmentation
crypto ikev2 fragmentation
Note: IKEv2 fragmentation is not enabled by default.
The preferred method to determine whether a device has been configured for IKEv2 is to issue the show ip sockets or show udp EXEC command. If the device has UDP port 500 or UDP port 4500 open, it is processing IKE packets.
In the following example, the device is processing IKE packets on UDP
port 500 and UDP port 4500, using either IP version 4 (IPv4) or IP
version 6 (IPv6):
router# show udp
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
Cisco IOS Software will also process IKE packets on UDP port 848 (GDOI), using either IPv4 or IPv6, when the G-IKEv2 feature for GETVPN has been enabled.
Determining the Cisco IOS or Cisco IOS XE Software Version
To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device, use the show version command in the command-line interface, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The image name appears in parentheses followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.5(2)T1 with an installed image name of C2951-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
For information about the naming and numbering conventions for Cisco IOS Software releases, see White Paper: Cisco IOS and NX-OS Software Reference Guide.
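As an added example that is not part of this advisory, the following Python script applies the checks described above (IKEv2 fragmentation in the running configuration, IKE ports in listen state in show udp output, and the show version banner) to saved command output; the sample output is constructed from the advisory's examples, and comparing the extracted release against the fixed releases is assumed to be done separately by the operator.

```python
import re

# Constructed sample output modelled on the advisory's examples (not captured from a real device).
RUNNING_CONFIG_FRAG = "crypto ikev2 fragmentation\n"
SHOW_UDP = """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 --listen-- 192.168.130.21 500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 500 0 0 1020011 0
17 --listen-- 192.168.130.21 4500 0 0 1001011 0
17(v6) --listen-- UNKNOWN 4500 0 0 1020011 0
"""
SHOW_VERSION = """\
Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
"""

# UDP ports on which IOS processes IKE: 500 (IKE), 4500 (NAT-T), 848 (GDOI, only with G-IKEv2 for GETVPN)
IKE_PORTS = {500, 4500, 848}


def ikev2_fragmentation_enabled(running_config_filtered: str) -> bool:
    """True when 'show running-config | include crypto ikev2 fragmentation' returned that line."""
    return any(line.strip() == "crypto ikev2 fragmentation"
               for line in running_config_filtered.splitlines())


def listening_ike_ports(show_udp_output: str) -> set:
    """Return the IKE-related UDP ports found in listen state (IPv4 or IPv6) in 'show udp' output."""
    ports = set()
    for line in show_udp_output.splitlines():
        # Proto 17 (UDP), optional (v6), '--listen--', local address, local port
        m = re.match(r"^17(?:\(v6\))?\s+--listen--\s+\S+\s+(\d+)\b", line)
        if m and int(m.group(1)) in IKE_PORTS:
            ports.add(int(m.group(1)))
    return ports


def ios_version(show_version_output: str):
    """Extract (image name, release) from the 'show version' banner, or None if no IOS banner is found."""
    m = re.search(r"Cisco IOS Software.*?\(([^)]+)\), Version ([^,]+),", show_version_output)
    return (m.group(1), m.group(2)) if m else None


def assess(running_config_filtered: str, show_udp_output: str, show_version_output: str) -> dict:
    """Apply the advisory's two conditions; 'conditions_met' still requires a fixed-release lookup."""
    frag = ikev2_fragmentation_enabled(running_config_filtered)
    ports = listening_ike_ports(show_udp_output)
    version = ios_version(show_version_output)
    return {"ikev2_fragmentation": frag, "ike_ports": sorted(ports), "version": version,
            "conditions_met": frag and bool(ports) and version is not None}


if __name__ == "__main__":
    print(assess(RUNNING_CONFIG_FRAG, SHOW_UDP, SHOW_VERSION))
```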
No other Cisco products are currently known to be affected by this vulnerability.