04-06-2017 08:34 PM - edited 03-12-2019 02:11 AM
Hello,
I need to verify that I have configured our ipsec tunnel to be FIPS compliant. Here is a sample that I created to make sure I am good:
crypto ipsec ikev2 ipsec-proposal testing
 protocol esp encryption aes-256 aes-192
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal testing2
 protocol esp encryption aes-256 aes-192
 protocol esp integrity sha-512 sha-384 sha-256
I read the following document:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2176.pdf
I am not sure if I am reading it correctly but didn't know if I could get some sort of consensus with the pros.
Thanks
04-17-2017 07:21 AM
DISCLAIMER: I'm just a user of this site, not an admin, and not a Cisco representative. Take everything I write here with a grain of salt and a pound of skepticism.
The proposals look OK (if not identical), but there are two issues:
(1 of 2) There is not enough information to tell if the tunnel is compliant.
Section 3.2.6, "Configure the security appliances such that only FIPS-approved algorithms are used for IPSec tunnels," requires review of proposal, policy, crypto map, show crypto output, etc.
For example, one cannot tell what Diffie-Hellman group is used, but the linked document states that 1, 2, and 5 are not FIPS 140-2 compliant. Please see Table 5, "Cryptographic keys and CSPs."
(2 of 2) More information is required to confirm FIPS 140-2 secure operations.
This question seems to only be about 3.2.6, "Configure the security appliances such that only FIPS-approved algorithms are used for IPSec tunnels."
Per the linked document, one has to complete the following steps to confirm "Secure Operations":
3.1 Crypto Officer Guidance - System Initialization, steps 1-14.
3.2 Crypto Officer Guidance - System Configuration, steps 1-13.
3.3 Identifying Router Operation in an Approved Mode, steps 1-3.
The rationale is that if the tunnel is configured in a compliant manner, but all other requirements are not met, the device is still not compliant with FIPS 140-2.
Hope this helps!
References:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2176.pdf
http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-site2site.html
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p3.html#pgfId-2175641
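The answer above makes the point that the ipsec-proposal alone does not show the Diffie-Hellman group; the IKEv2 policy and the crypto map (PFS) have to be reviewed as well. The following script is an added example, not code from the original post or from Cisco, that walks a pasted ASA running-config and reports the algorithm-level problems the thread names: non-AES encryption, non-SHA integrity/PRF, and DH groups 1, 2 or 5 in either the IKEv2 policy or the crypto map's PFS setting. The accepted families (AES, SHA) and the rejected groups (1, 2, 5) are assumptions taken from the thread and the linked security policy, not a complete FIPS-approved algorithm list, and the sample configuration is constructed for the example.

```python
"""Audit an ASA-style IKEv2/IPsec configuration for the algorithm checks
raised in the thread.  Added example, not from the original post or Cisco.

Assumptions (from the thread, not a full FIPS-approved list): AES-family
encryption and SHA-family integrity/PRF are accepted; DH groups 1, 2 and 5
are rejected because the linked security policy lists them as not
FIPS 140-2 compliant.
"""
import re

APPROVED_ENCRYPTION_PREFIX = "aes"   # aes, aes-192, aes-256, aes-gcm...
APPROVED_INTEGRITY_PREFIX = "sha"    # sha, sha256, sha-384, ...
NON_APPROVED_DH_GROUPS = {"1", "2", "5"}

# Constructed sample: one IKEv2 policy, the proposal from the question, and a
# crypto map entry.  It deliberately contains DH group 2 and PFS group5.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14 2
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal testing
 protocol esp encryption aes-256 aes-192
 protocol esp integrity sha-512 sha-384 sha-256
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set ikev2 ipsec-proposal testing
"""


def parse_blocks(config_text):
    """Split running-config text into (parent_line, [child_lines]).

    ASA 'show running-config' indents sub-mode commands with one space;
    a line at column 0 starts a new block.  Blank and '!' lines are skipped.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _check_algos(where, kind, tokens, prefix, findings):
    """Flag every algorithm token that is not in the accepted family."""
    for tok in tokens:
        if tok == "null":
            continue  # 'integrity null' only pairs with AES-GCM; not judged here
        if not tok.startswith(prefix):
            findings.append(f"{where}: {kind} '{tok}' is not in the {prefix.upper()} family")


def _check_groups(where, tokens, findings):
    """Flag DH groups 1, 2, 5.  Accepts '2' (ikev2 policy) or 'group2' (crypto map)."""
    for tok in tokens:
        num = tok.replace("group", "")
        if num in NON_APPROVED_DH_GROUPS:
            findings.append(f"{where}: Diffie-Hellman group {num} is not FIPS 140-2 approved")


def audit_asa_config(config_text):
    """Return human-readable findings; an empty list means the algorithm-level
    checks passed (the 3.1-3.3 checklist from the security policy still applies)."""
    findings = []
    for parent, children in parse_blocks(config_text):
        if parent.startswith("crypto ikev2 policy "):
            for line in children:
                words = line.split()
                if words[0] == "encryption":
                    _check_algos(parent, "encryption", words[1:], APPROVED_ENCRYPTION_PREFIX, findings)
                elif words[0] in ("integrity", "prf"):
                    _check_algos(parent, words[0], words[1:], APPROVED_INTEGRITY_PREFIX, findings)
                elif words[0] == "group":
                    _check_groups(parent, words[1:], findings)
        elif parent.startswith("crypto ipsec ikev2 ipsec-proposal "):
            for line in children:
                words = line.split()
                if words[:3] == ["protocol", "esp", "encryption"]:
                    _check_algos(parent, "encryption", words[3:], APPROVED_ENCRYPTION_PREFIX, findings)
                elif words[:3] == ["protocol", "esp", "integrity"]:
                    _check_algos(parent, "integrity", words[3:], APPROVED_INTEGRITY_PREFIX, findings)
        elif parent.startswith("crypto map ") and " set pfs" in parent:
            # PFS lives on the crypto map entry: 'crypto map NAME SEQ set pfs group14'
            m = re.search(r"set pfs\s+(\S+)", parent)
            if m:
                _check_groups(parent, [m.group(1)], findings)
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG) or ["no algorithm-level findings"]:
        print(finding)
```

Paste the output of `show running-config crypto` into `SAMPLE_CONFIG` (or read it from a file) to run the same checks against a real device; the script only covers the algorithm selection the thread discusses, so the remaining items in sections 3.1 to 3.3 of the security policy still have to be walked by hand.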