Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5228
Views
5
Helpful
3
Replies

How to configure NGE (Next Generation Encryption) for IPSec

sebastian.lemke
Level 1
Level 1

‎06-11-2015 07:41 AM - edited ‎02-21-2020 08:16 PM

Dear experts,

 

I am a little lost about how to implement Cisco's recommendations regarding Next Generation Encryption.

Referring to the "Table 1. Recommendations for Cryptographic Algorithms" I would like to configure the IKEv2 and IPSec on a Cisco IOS (XE) router (ISR G2 or ISR 4000).

Here are the relevant parts of my example configuration:

crypto ikev2 proposal IKE1
 encryption aes-cbc-256
 integrity sha256
 group 20

crypto ipsec transform-set TRANS esp-aes 256 esp-sha256-hmac
 mode transport

crypto ipsec profile IPSEC
 set transform-set TRANS
 set pfs group20

The referred page states "AES-CBC" as "Acceptable" only - "AES-CGM" is recommended instead. How can I configure AES-CGM in my IKE proposal and my ipsec transform-set?

Are all other parameters in my config "NGE-certified" or should I use other algorithms / parameters?

Labels:
0 Helpful
3 Replies 3

Abaji Rawool
Level 3
Level 3

‎06-15-2015 09:46 PM

Hi,

esp-gcm and esp-gmac algorithms are available for phase 2 (data encryption) as part of transform set


ASR1000(config)#cry ipsec transform-set TEST ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

They are not available on phase 1 proposal

HTH

Abaji.

 

 

 

sebastian.lemke
Level 1
Level 1
In response to Abaji Rawool

‎06-16-2015 08:12 AM

Hi,

so the transform "esp-gcm" actually is AES-GCM?

For phase 1, I will stick to "aes-cbc-256" which is not rated NGE by Cisco.

Thanks

Sebastian

0 Helpful

sebastian.lemke
Level 1
Level 1
In response to sebastian.lemke

‎06-16-2015 08:30 AM

I found a good reference:

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115730-flexvpn-suiteb-00.html

0 Helpful
Customers Also Viewed These Support Documents