Site-to-Site VPN with IKEv2 allows authentication through PSK at both sides?

subrun.jamil (Level 1)

Hello All,

Looking at the link below for site-to-site VPN with IKEv2, Cisco says that for IKEv2 they allow asymmetric authentication, like PSK on one side and certificate authentication on the other remote side, but it still also allows PSK authentication on both sides, right?

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113486-ikev2-s2s-tunnel-00.html

Quote from the above link:

"The major difference between IKE versions 1 and 2 lies in terms of the authentication method they allow. IKEv1 allows only one type of authentication at both VPN ends (that is, either pre-shared key or certificate). However, IKEv2 allows asymmetric authentication methods to be configured (that is, pre-shared-key authentication for the originator, but certificate authentication for the responder) using separate local and remote authentication CLIs.

Further, you can have different pre-shared keys at both ends. The Local Pre-shared key at the HQ-ASA end becomes the Remote Pre-shared key at the BQ-ASA end. Likewise, the Remote Pre-shared key at the HQ-ASA end becomes the Local Pre-shared key at the BQ-ASA end."

5 Replies (the first reply below was marked as the accepted solution)

Hi,
Yes, with IKEv2 you can have both sides authenticate using PSK
Yes, you can have the local PSK at the HQ become the remote PSK at the BQ and vice versa.
HTH
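As an added illustration of the accepted answer (this is example configuration, not from the original post or the linked Cisco document), here is how the two-sided PSK setup with different keys per direction is expressed on a pair of ASAs; the peer addresses, key strings and trustpoint name are made-up values.

```cisco
! ---- HQ-ASA (outside address 203.0.113.1, example value) ----
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ! the key HQ presents to the peer (HQ's "local" key)
 ikev2 local-authentication pre-shared-key HQ-SIDE-KEY-EXAMPLE
 ! the key HQ expects from the peer (HQ's "remote" key)
 ikev2 remote-authentication pre-shared-key BQ-SIDE-KEY-EXAMPLE

! ---- BQ-ASA (outside address 203.0.113.2, example value) ----
! same IKEv2 policy and "crypto ikev2 enable outside" as above
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ! keys are swapped: HQ's remote key is BQ's local key ...
 ikev2 local-authentication pre-shared-key BQ-SIDE-KEY-EXAMPLE
 ! ... and HQ's local key is BQ's remote key
 ikev2 remote-authentication pre-shared-key HQ-SIDE-KEY-EXAMPLE

! Asymmetric variant from the Cisco quote: BQ-ASA authenticates with a
! certificate (trustpoint name is an example) while HQ-ASA keeps its PSK.
! On BQ-ASA, under tunnel-group 203.0.113.1 ipsec-attributes:
!  ikev2 local-authentication certificate BQ-TRUSTPOINT-EXAMPLE
!  ikev2 remote-authentication pre-shared-key HQ-SIDE-KEY-EXAMPLE
! On HQ-ASA, under tunnel-group 203.0.113.2 ipsec-attributes:
!  ikev2 local-authentication pre-shared-key HQ-SIDE-KEY-EXAMPLE
!  ikev2 remote-authentication certificate
```

If the local key on one side does not match the remote key on the other, the IKE_AUTH exchange fails and the tunnel never reaches the established state; `show crypto ikev2 sa` on either ASA is the quick check once the configuration is in place.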

Thanks, RJI.

I don't really want to start a new topic.
Can anyone point me to an ASA document that explains the differences between the different AES-256 encryption methods:

ipsec-proposal mode commands/options:
aes-256 aes-256 encryption
aes-gcm-256 aes-gcm-256 encryption
aes-gmac-256 aes-gmac-256 encryption

Thanks!

I use this Cisco doc for a list of recommended encryption algorithms.

aes-256 is the acceptable current standard.

aes-gcm is NGE (next generation encryption). It also provides integrity, so there is no need to use a hashing algorithm (SHA etc.) as well.

There is no mention of aes-gmac in the above link, but according to the RFC, GMAC only provides data origin authentication, but not confidentiality.

I've not come across aes-gmac before, and I'm not sure if it's widely used. It seems like Cisco (as per the referenced link) recommends AES-GCM as their NGE algorithm.

HTH

Thank you very much, RJI!