Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

ASA vpn encryption

Posted on 2014-11-12
1
Medium Priority
?
451 Views
Last Modified: 2014-11-18
I have some L2L IPSEC vpn connections. What is the recommendation when it comes to choosing IKEv1 vs IKEv2, or the IKEv1 and IKEv2 policy and proposal and how does it work? Is there a benefit for having one or the other? when I run a show isakmp sa some tunnels come up as IKEv1 and other IKEv2.

for example is this a good connection?
IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Why does the show isakmp sa show IKEv1 connections display differently than the IKEv2 cvonnections, which have more detail?

IKEv1 SAs:
20  IKE Peer: (Remote IP)
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459        (Local IP)               (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/30 sec
Child sa: local selector  local subnet - /65535
          remote selector /65535
          ESP spi in/out:
0
Comment
Question by:tolinrome
1 Comment
 
LVL 17

Accepted Solution

by:
max_the_king earned 2000 total points
ID: 40439407
Hi,
ikev2 is the evolution of ikev1, adding more security and the like. Ikev1 is still a secure method and you should not worry, although in the future will get obsolete. It will take time because some old box does not support it and so ikev1 will survive for a while.
Here is a good article you may want to read:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

That said, you can get more details from show isakmp by adding "det", e.g. "show isakmp sa det".

The output you posted:
Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

is telling you a bunch of info:
encryption is AES with a key of 256 bit, the hash is SHA and the group is 5 (which is the highest security group); the authorization is got through PSK (Preshared key) which means that you are not using certificates but a password between vpn terminators which must be the same on both sides.
All in all is a very good encryption. It can be configured more securely by implementing certificates in the place of preshared key, but i believe it is not necessary as long as you have chosen a complex key (more than 10 characters including capital and normal letters, numbers and special carachters) and that you do not tell anybody about that key.

hope this clarify
max
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question