Just to add my 1 penny on this.
Next Gen DH group to employee are 19,20,21. However, 14—Diffie-Hellman Group 14: 2048-bit modular exponential (MODP) group. Considered good protection for 192-bit keys. but preference would be give to 19,20,21.
Next Generation Cryptography this is a very useful document in regards to Next Gen and the Legacy VPN setting.
1. What are the CLI commands for making this change in Cisco ASA5555 ( Software Version 9.12(3)12
crypto ikev2 policy 25
group 14
I used the policy 25, if you have more policy on top or bottom they will sent to the peer anyway as it called the proposal which need to agreed before creating a secure channel.
I also recommand you to use the Perfect Forward Secrecy (PFS) group too in your vpn-tunnel. this will fall in crypto-map tunnel settings.
Perfect Forward Secrecy (PFS) is a cryptographic technique where the newly generated keys are unrelated to any previously generated key. With PFS enabled, the security Cisco ASA generates a new set of keys which is used during the IPSec Phase 2 negotiations. This is an optional command.
example: crypto map outside_map x set pfs group20
2.Will there be any network impact if we go ahead and make these changes in existing network? If yes, what are they?
As long as you both side agree when setting need to change and you both agree on them in that case the tunnel will go down. in order to bring up the tunnel you have to generate some traffic. if there are already server and client in that case most probably the tunnel will come it self up. As said if you both side agreed on the change there shall be a blip in network tunnels.
In order to check if the tunnel is up again there are few command you can issue to check.
show crypto iskmp sa (This is for IKEV1)
show crypto ikev2 sa detail
show vpn-sessiondb detail l2l filter ipaddress X.X.X.X
show crypto ipsec sa peer X.X.X.X
please do not forget to rate.
