Solved

ASA vpn encryption

Posted on 2014-11-12
Last Modified: 2014-11-18
I have some L2L IPsec VPN connections. What is the recommendation when it comes to choosing IKEv1 vs IKEv2, or the IKEv1 and IKEv2 policy and proposal, and how does it work? Is there a benefit to having one or the other? When I run a show isakmp sa, some tunnels come up as IKEv1 and others as IKEv2.

For example, is this a good connection?
IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

Why does show isakmp sa display IKEv1 connections differently than the IKEv2 connections, which have more detail?

IKEv1 SAs:
20  IKE Peer: (Remote IP)
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459        (Local IP)               (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/30 sec
Child sa: local selector  local subnet - /65535
          remote selector /65535
          ESP spi in/out:
Question by: tolinrome
1 Comment
LVL 17

Accepted Solution

by: max_the_king (earned 2000 total points)
ID: 40439407
Hi,
IKEv2 is the evolution of IKEv1, adding more security and the like. IKEv1 is still a secure method and you should not worry, although in the future it will become obsolete. It will take time because some old boxes do not support IKEv2, and so IKEv1 will survive for a while.
Here is a good article you may want to read:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

That said, you can get more details from show isakmp by adding "det", e.g. "show isakmp sa det".

The output you posted:
Tunnel-id                 Local                Remote     Status         Role
3008555459           (Local IP)          (Remote IP)      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK

is telling you a bunch of info:
Encryption is AES with a 256-bit key, the hash is SHA and the group is 5 (which is the highest security group); the authorization is obtained through PSK (pre-shared key), which means that you are not using certificates but a password between VPN terminators, which must be the same on both sides.
All in all, it is very good encryption. It can be configured more securely by implementing certificates in place of the pre-shared key, but I believe it is not necessary as long as you have chosen a complex key (more than 10 characters, including capital and lowercase letters, numbers and special characters) and you do not tell anybody about that key.

Hope this clarifies,
max
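To make the proposal line in that output easier to review across many tunnels, here is an added example (not code from the question, the answer, or Cisco) that parses the IKEv2 section of "show isakmp sa" into one record per session and checks each record against a simple review policy. The sample output is constructed to mirror the format posted above, with RFC 5737 documentation addresses standing in for the real peers; the thresholds (DH group 14 or an ECP group as the floor, SHA-256 or stronger integrity, AES of at least 128 bits, and flagging PSK authentication for review) are this script's own assumptions, not ASA defaults. The "SHA96" token is how the ASA prints HMAC-SHA1-96.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the IKEv2 section of "show isakmp sa" quoted in the
# question. Peer addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_OUTPUT = """\
IKEv2 SAs:

Session-id:1069, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555459        192.0.2.10/500            198.51.100.20/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/30 sec

Session-id:1070, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
3008555460        192.0.2.10/500            203.0.113.7/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1200 sec
"""

# IANA-registered IKE Diffie-Hellman group numbers and their strength.
DH_GROUP_STRENGTH = {
    1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP",
    14: "2048-bit MODP", 15: "3072-bit MODP", 16: "4096-bit MODP",
    19: "256-bit ECP", 20: "384-bit ECP", 21: "521-bit ECP",
}

# Example review policy: these thresholds are this script's assumptions, not ASA defaults.
WEAK_DH_GROUPS = {1, 2, 5}                                  # MODP groups below 2048 bits
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"MD5", "MD596", "SHA", "SHA1", "SHA96"}   # ASA prints HMAC-SHA1-96 as SHA96
MIN_AES_KEYSIZE = 128


def parse_ikev2_sas(text: str) -> List[Dict[str, object]]:
    """Turn the IKEv2 section of 'show isakmp sa' into one dict per session."""
    sas: List[Dict[str, object]] = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Session-id:(\d+),\s*Status:([\w-]+)", line)
        if m:
            current = {"session_id": int(m.group(1)), "status": m.group(2)}
            sas.append(current)
            continue
        if current is None:
            continue
        # Tunnel row: id, local, remote, state, role (the header row starts with a letter)
        m = re.match(r"(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            current.update(tunnel_id=int(m.group(1)), local=m.group(2), remote=m.group(3),
                           state=m.group(4), role=m.group(5))
            continue
        # Proposal line: comma-separated "Key: value" pairs -> keys like encr, keysize, dh_grp
        if line.strip().startswith("Encr:"):
            for pair in line.split(","):
                key, _, value = pair.partition(":")
                current[key.strip().lower().replace(" ", "_")] = value.strip()
            continue
        m = re.match(r"\s*Life/Active Time:\s*(\d+)/(\d+)\s*sec", line)
        if m:
            current["lifetime_sec"] = int(m.group(1))
            current["active_sec"] = int(m.group(2))
    return sas


def assess_sa(sa: Dict[str, object]) -> List[str]:
    """Compare one parsed IKE SA against the example policy and return findings."""
    findings: List[str] = []
    grp = int(sa.get("dh_grp", 0) or 0)
    if grp in WEAK_DH_GROUPS:
        findings.append(f"DH group {grp} ({DH_GROUP_STRENGTH.get(grp, 'unknown')}) is below "
                        f"2048-bit MODP; prefer group 14 or an ECP group such as 19 or 20")
    encr = str(sa.get("encr", "")).upper()
    if encr in WEAK_ENCRYPTION:
        findings.append(f"encryption {encr} is deprecated; prefer AES")
    keysize = int(sa.get("keysize", 0) or 0)
    if encr.startswith("AES") and keysize < MIN_AES_KEYSIZE:
        findings.append(f"AES key size {keysize} is below {MIN_AES_KEYSIZE} bits")
    integ = str(sa.get("hash", "")).upper()
    if integ in WEAK_INTEGRITY:
        findings.append(f"integrity {integ} is SHA-1 or MD5 class; prefer SHA-256 or stronger")
    if str(sa.get("auth_sign", "")).upper() == "PSK":
        findings.append("peer authentication uses a pre-shared key; certificates are the stronger option")
    return findings


def audit(text: str) -> Dict[int, List[str]]:
    """Map each session id to its policy findings (empty list means nothing to report)."""
    return {sa["session_id"]: assess_sa(sa) for sa in parse_ikev2_sas(text)}


if __name__ == "__main__":
    for session, findings in audit(SAMPLE_OUTPUT).items():
        print(session, findings or ["no findings"])
```

Feed it the real output of "show isakmp sa det" captured from the ASA and the first session above, which matches the posted proposal, is reported for DH group 5, SHA96 integrity and PSK authentication, while the second passes the example policy.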