ASA vpn encryption

I have some L2L IPSEC vpn connections. What is the recommendation when it comes to choosing IKEv1 vs IKEv2, or the IKEv1 and IKEv2 policy and proposal and how does it work? Is there a benefit for having one or the other? when I run a show isakmp sa some tunnels come up as IKEv1 and other IKEv2.

for example is this a good connection?
IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Why does the show isakmp sa show IKEv1 connections display differently than the IKEv2 cvonnections, which have more detail?

IKEv1 SAs:
20  IKE Peer: (Remote IP)
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459        (Local IP)               (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/30 sec
Child sa: local selector  local subnet - /65535
          remote selector /65535
          ESP spi in/out:
LVL 7
tolinromeAsked:
Who is Participating?
 
max_the_kingConnect With a Mentor Commented:
Hi,
ikev2 is the evolution of ikev1, adding more security and the like. Ikev1 is still a secure method and you should not worry, although in the future will get obsolete. It will take time because some old box does not support it and so ikev1 will survive for a while.
Here is a good article you may want to read:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

That said, you can get more details from show isakmp by adding "det", e.g. "show isakmp sa det".

The output you posted:
Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

is telling you a bunch of info:
encryption is AES with a key of 256 bit, the hash is SHA and the group is 5 (which is the highest security group); the authorization is got through PSK (Preshared key) which means that you are not using certificates but a password between vpn terminators which must be the same on both sides.
All in all is a very good encryption. It can be configured more securely by implementing certificates in the place of preshared key, but i believe it is not necessary as long as you have chosen a complex key (more than 10 characters including capital and normal letters, numbers and special carachters) and that you do not tell anybody about that key.

hope this clarify
max
0
All Courses

From novice to tech pro — start learning today.