Solved

ASA vpn encryption

Posted on 2014-11-12
Last Modified: 2014-11-18
I have some L2L IPSEC VPN connections. What is the recommendation when it comes to choosing IKEv1 vs IKEv2, or the IKEv1 and IKEv2 policy and proposal, and how does it work? Is there a benefit to having one or the other? When I run a show isakmp sa, some tunnels come up as IKEv1 and others as IKEv2.

For example, is this a good connection?
IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Why does the show isakmp sa output display IKEv1 connections differently than the IKEv2 connections, which have more detail?

IKEv1 SAs:
20  IKE Peer: (Remote IP)
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459        (Local IP)               (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/30 sec
Child sa: local selector  local subnet - /65535
          remote selector /65535
          ESP spi in/out:
Question by: tolinrome

Accepted Solution by: max_the_king (earned 500 total points)
Hi,
IKEv2 is the evolution of IKEv1, adding more security and the like. IKEv1 is still a secure method and you should not worry, although in the future it will become obsolete. It will take time because some old boxes do not support IKEv2, and so IKEv1 will survive for a while.
Here is a good article you may want to read:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

That said, you can get more details from show isakmp by adding "det", e.g. "show isakmp sa det".

The output you posted:
Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

is telling you a bunch of info:
encryption is AES with a key of 256 bits, the hash is SHA and the group is 5 (which is the highest security group); the authorization is obtained through PSK (pre-shared key), which means that you are not using certificates but a password between VPN terminators which must be the same on both sides.
All in all, it is very good encryption. It can be configured more securely by implementing certificates in place of the pre-shared key, but I believe it is not necessary as long as you have chosen a complex key (more than 10 characters including capital and lowercase letters, numbers and special characters) and you do not tell anybody that key.

Hope this clarifies,
max
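To make the field-by-field reading in the accepted answer repeatable across many tunnels, here is an added example (not code from the thread or from Cisco) that parses the "show isakmp sa" output quoted above and checks each IKEv2 SA against a local policy. The sample text is constructed from the post with its IP placeholders kept, and the policy thresholds (minimum key size, minimum DH group, weak-hash list) are this example's assumptions, not the answer's advice.

```python
import re

# Constructed sample modelled on the "show isakmp sa" output quoted in the thread.
SAMPLE = """IKEv1 SAs:
20  IKE Peer: (Remote IP)
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:
Tunnel-id                 Local                Remote     Status         Role
3008555459        (Local IP)               (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""

PROPOSAL_RE = re.compile(
    r"Encr:\s*(?P<encr>[\w-]+),\s*keysize:\s*(?P<keysize>\d+),\s*Hash:\s*(?P<hash>\w+),"
    r"\s*DH Grp:\s*(?P<dh>\d+),\s*Auth sign:\s*(?P<sign>\w+),\s*Auth verify:\s*(?P<verify>\w+)")

def parse_isakmp_sa(text):
    """Return one dict per IKE SA; IKEv2 entries also carry the negotiated proposal."""
    sas, section, cur = [], None, None
    for line in text.splitlines():
        if line.endswith("SAs:"):                 # "IKEv1 SAs:" / "IKEv2 SAs:" section headers
            section, cur = line[:5], None
        elif section == "IKEv1":
            m = re.match(r"^\s*\d+\s+IKE Peer:\s*(.+?)\s*$", line)
            if m:
                sas.append(cur := {"version": "IKEv1", "peer": m.group(1)})
            elif cur and (m := re.search(r"State\s*:\s*(\S+)", line)):
                cur["state"] = m.group(1)
        elif section == "IKEv2":
            m = re.match(r"^(\d+)\s+.*?\s+(\w+)\s+(\w+)\s*$", line)   # Tunnel-id ... Status Role
            if m:
                sas.append(cur := {"version": "IKEv2", "tunnel_id": m.group(1),
                                   "state": m.group(2), "role": m.group(3)})
            elif cur and (m := PROPOSAL_RE.search(line)):
                cur.update(m.groupdict(), keysize=int(m["keysize"]), dh=int(m["dh"]))
    return sas

def assess(sa, min_keysize=256, min_dh_group=14, weak_hashes=("MD5",)):
    """Compare one SA with a local policy; thresholds are assumed values, tune them to your own standard."""
    findings = []
    if sa["version"] == "IKEv1":          # summary output carries no proposal, as the answer notes
        return ["IKEv1: no proposal shown; run 'show isakmp sa det' to review it"]
    if sa["keysize"] < min_keysize:
        findings.append(f"keysize {sa['keysize']} below {min_keysize}")
    if sa["dh"] < min_dh_group:
        findings.append(f"DH group {sa['dh']} below {min_dh_group}")
    if sa["hash"].upper() in weak_hashes:  # SHA96 is the ASA's label for HMAC-SHA-1-96
        findings.append(f"hash {sa['hash']} is on the weak list")
    if "PSK" in (sa["sign"], sa["verify"]):
        findings.append("PSK auth: enforce a complex shared key or move to certificates")
    return findings
```

Feed it the real output of show isakmp sa det to get a per-tunnel list of findings, and pass weak_hashes=("MD5", "SHA96") if your standard treats SHA-1 integrity as weak.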
