Long story short, our last PCI compliance scan came back with a failed item. We're using BM 3.9sp2. VPN is using NMAS authentication, NDS sequence for Client-to-site VPN.

The failed item references CVE-2002-1623 in regard to aggressive mode IKE and suggests we set the mode to normal -or- appeal the finding. Their words are, " If you already have a strong password policy for the PSKs, then you can appeal this vulnerability."

So I guess my questions are:

1) can the IKE mode be changed? I've looked in iManager and don't see anything obvious.

2) I don't see any settings for managing PSKs for client-to-site VPN settings. What/where are the Pre-shared keys for client-to-site VPN? Are they even used for client-to-site?

3) Would anyone have any experiences they'd like to share in dealing with these PCI issues?

Any hints or suggestions would be much appreciated!
Thanks!
~Daniel

Here is verbatim scan description and remediation text:

description:
The remote host is a VPN concentrator that supports Aggressive mode IKE. By creating a series of IKE aggressive mode proposals, and sending those proposals to the VPN concentrator, an acceptable proposal for Aggressive Mode IKE was discovered. In Aggressive Mode IKE, the response from the VPN concentrator includes an authentication hash based on a pre-shared key (PSK). This hash is not encrypted, so if it is captured in transit, a dictionary or brute force attack against the hash can potentially allow for the recovery of the PSK, and the exposure potentially sensitive information from VPN sessions. In rare cases where the PSK is the sole means for authentication to the VPN, attackers can use it to authenticate against the VPN and intrude the network.

remediation:
The first option is to disable Aggressive Mode IKE for the VPN Concentrator. Sometimes, the ability to disable Aggressive Mode IKE isn't an option until later versions of the software, so ensure that the VPN Concentrator is using the latest software version. If you are unable to disable Aggressive Mode IKE, then you should ensure that the pre-shared keys are strong. Like any password, be sure to use complex PSK values, and rotate the keys as often as is practical. These are recommended to be an alphanumeric value greater than 16 characters. If you already have a strong password policy for the PSKs, then you can appeal this vulnerability.

CVE Code:
CVE-2002-1623

Evidence:
Encryption: DES, Hash: MD5, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 1
Encryption: DES, Hash: MD5, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 2
Encryption: DES, Hash: MD5, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 1
Encryption: DES, Hash: MD5, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 2
Encryption: DES, Hash: SHA1, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 1
Encryption: DES, Hash: SHA1, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 2
Encryption: DES, Hash: SHA1, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 1
Encryption: DES, Hash: SHA1, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 2
Encryption: Triple-DES, Hash: MD5, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 1
Encryption: Triple-DES, Hash: MD5, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 2
Encryption: Triple-DES, Hash: MD5, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 1
Encryption: Triple-DES, Hash: MD5, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 2
Encryption: Triple-DES, Hash: SHA1, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 1
Encryption: Triple-DES, Hash: SHA1, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 2
Encryption: Triple-DES, Hash: SHA1, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 1
Encryption: Triple-DES, Hash: SHA1, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 2
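As an added illustration (not part of the original post or of BorderManager), here is a small triage script that parses the scanner's evidence lines in the format shown above and checks each accepted aggressive-mode proposal against a policy, plus a check of a PSK against the remediation text's "alphanumeric, longer than 16 characters" rule. The policy thresholds (flagging single DES, MD5 and DH groups 1/2) and the interpretation of "alphanumeric" as "contains both letters and digits" are my assumptions; the three evidence lines are a constructed subset of the list in the post.

```python
import re

# Constructed sample: three of the proposal lines from the scan evidence above.
SCAN_EVIDENCE = """\
Encryption: DES, Hash: MD5, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 1
Encryption: Triple-DES, Hash: SHA1, Auth Mode: Pre-Shared Key, DH Group: Diffie-Hellman Group 2
Encryption: Triple-DES, Hash: SHA1, Auth Mode: RSA Signatures, DH Group: Diffie-Hellman Group 2
"""

LINE_RE = re.compile(r"Encryption: (?P<enc>[^,]+), Hash: (?P<hash>[^,]+), "
                     r"Auth Mode: (?P<auth>[^,]+), DH Group: Diffie-Hellman Group (?P<dh>\d+)")

# Modulus sizes of the DH groups the scanner reported (groups 1 and 2 are the weak ones).
DH_BITS = {1: 768, 2: 1024}

def parse_evidence(text):
    """Turn each scanner evidence line into a dict of proposal attributes."""
    proposals = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["dh"] = int(p["dh"])
            proposals.append(p)
    return proposals

def assess_proposal(p):
    """Policy findings (assumed thresholds) for one accepted aggressive-mode proposal."""
    findings = []
    if p["auth"] == "Pre-Shared Key":
        findings.append("PSK in aggressive mode: responder hash sent unencrypted (CVE-2002-1623)")
    if p["enc"] == "DES":
        findings.append("single DES (56-bit key) encryption")
    if p["hash"] == "MD5":
        findings.append("MD5 integrity hash")
    if p["dh"] in DH_BITS:
        findings.append("DH group %d (%d-bit modulus)" % (p["dh"], DH_BITS[p["dh"]]))
    return findings

def psk_meets_policy(psk):
    """Remediation rule as interpreted here: longer than 16 chars, with both letters and digits."""
    return (len(psk) > 16 and any(c.isalpha() for c in psk)
            and any(c.isdigit() for c in psk))

def report(text):
    """Pair every parsed proposal with its findings; an empty list means it passed."""
    return [(p, assess_proposal(p)) for p in parse_evidence(text)]

if __name__ == "__main__":
    for p, findings in report(SCAN_EVIDENCE):
        print(p, "->", "; ".join(findings) or "ok")
```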