ASA vpn encryption

I have some L2L IPSEC vpn connections. What is the recommendation when it comes to choosing IKEv1 vs IKEv2, or the IKEv1 and IKEv2 policy and proposal and how does it work? Is there a benefit for having one or the other? when I run a show isakmp sa some tunnels come up as IKEv1 and other IKEv2.

for example is this a good connection?
IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Why does the show isakmp sa show IKEv1 connections display differently than the IKEv2 cvonnections, which have more detail?

IKEv1 SAs:
20  IKE Peer: (Remote IP)
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459        (Local IP)               (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/30 sec
Child sa: local selector  local subnet - /65535
          remote selector /65535
          ESP spi in/out:
LVL 7
tolinromeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

max_the_kingCommented:
Hi,
ikev2 is the evolution of ikev1, adding more security and the like. Ikev1 is still a secure method and you should not worry, although in the future will get obsolete. It will take time because some old box does not support it and so ikev1 will survive for a while.
Here is a good article you may want to read:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

That said, you can get more details from show isakmp by adding "det", e.g. "show isakmp sa det".

The output you posted:
Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

is telling you a bunch of info:
encryption is AES with a key of 256 bit, the hash is SHA and the group is 5 (which is the highest security group); the authorization is got through PSK (Preshared key) which means that you are not using certificates but a password between vpn terminators which must be the same on both sides.
All in all is a very good encryption. It can be configured more securely by implementing certificates in the place of preshared key, but i believe it is not necessary as long as you have chosen a complex key (more than 10 characters including capital and normal letters, numbers and special carachters) and that you do not tell anybody about that key.

hope this clarify
max
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.