
IPsec encryption proposal

alan-wong
Level 1

Dear Cisco

I would like to know: if I am only using IKEv2 to connect a site-to-site VPN with Cisco 5505 devices to connect a few sites, which encryption method is better to choose for a faster and more stable IPsec encryption proposal?

AES256, AES192, AES, 3DES, DES? Which one is the best in an IKEv2 site-to-site VPN tunnel?

Best regards

Alan

Accepted Solutions

Jennifer Halim
Cisco Employee

AES is faster than the DES algorithm, so I would rule out both DES and 3DES.

If you would like the most secure of the AES options, then please use AES256.


You shouldn't use DES any more; nowadays it is not far away from cleartext.
3DES won't be broken any time soon, but it's an outdated algorithm.

AES with any of the three bit lengths is fine. And they are all recommended on http://www.keylength.com/.

But instead of using AES256 I prefer AES128. Bruce Schneier once wrote in his blog that he assumes that the "security-margin" in AES128 will be higher because of weaknesses that are only present in AES256.


Dear Karsten

There is no option to select AES128 in the IPsec proposal. Can I use AES192 instead?

Best regards

Alan.

AES with a 128-bit key is presented as just AES in the IPsec proposal, so you can choose just AES.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/e.html#wp2028135
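
An added example, not part of the thread and not Cisco's code: a small audit script that reads IKEv2 IPsec proposals from ASA configuration text, resolves each encryption keyword to its key length (plain `aes` is AES-128, as noted above) and flags DES and 3DES using the verdicts given in the replies. The proposal names, the crypto map name and the sample configuration are constructed for illustration.

```python
import re

# "protocol esp encryption" keyword -> (cipher, key bits).
# Plain "aes" is AES with a 128-bit key.
CIPHERS = {
    "des": ("DES", 56), "3des": ("3DES", 168),
    "aes": ("AES", 128), "aes-192": ("AES", 192), "aes-256": ("AES", 256),
}
# Verdicts follow the thread: DES ruled out, 3DES outdated, every AES size fine.
VERDICT = {"DES": "reject", "3DES": "outdated", "AES": "ok"}
PROPOSAL_RE = re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)\s*$")
ENC_RE = re.compile(r"^\s+protocol esp encryption (.+)$")

# Constructed sample configuration (names are hypothetical).
SAMPLE = """\
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption 3des des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal SITE2SITE
 protocol esp encryption aes-256 aes
 protocol esp integrity sha-1
crypto map outside_map 10 set ikev2 ipsec-proposal SITE2SITE
"""

def audit_proposals(config_text):
    """Return {proposal: [(keyword, cipher, bits, verdict), ...]}."""
    results, current = {}, None
    for line in config_text.splitlines():
        m = PROPOSAL_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = []
            continue
        m = ENC_RE.match(line)
        if m and current is not None:
            for kw in m.group(1).split():  # one line may list several ciphers
                cipher, bits = CIPHERS.get(kw, ("unknown", None))
                results[current].append((kw, cipher, bits, VERDICT.get(cipher, "unknown")))
        elif line and not line[0].isspace():
            current = None  # an unindented line ends the proposal sub-mode
    return results

def flagged(results):
    """List (proposal, keyword, verdict) for every cipher that is not 'ok'."""
    return [(name, kw, verdict) for name, rows in results.items()
            for kw, _, _, verdict in rows if verdict != "ok"]

if __name__ == "__main__":
    for name, kw, verdict in flagged(audit_proposals(SAMPLE)):
        print(f"{name}: {kw} -> {verdict}")
```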