02-26-2015 09:03 PM - edited 02-21-2020 08:06 PM
Hello
I'm updating crypto for all our vpn routers.
I'm picking the strongest algorithms as documented in the NextGen Encryption Guide
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
I would like to use elliptic curve vs RSA where possible
We're using ASR1002x as head end hubs, and a mix of 881, 891, 891F, 3925(with ISM), 3945E and 4331
The above guide warns some routers cannot process some of the algorithms in HW, but doesn't provide details.
Does anyone have info on which algorithms to avoid on the ISRG2 891, 3925, 3945E ?
My current config on the 891s is
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 profile test1
 match fvrf INET
 match certificate map1
 identity local dn
 authentication remote pre-share
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 keyring local xxxx
!
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile xxxxxx
 set transform-set TRANSFORM1
 set pfs group14
Thanks in advance
02-27-2015 01:36 AM
Wes,
Have a look here:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html
or look for suite-B support.
M.
02-27-2015 01:39 PM
Thanks Marcin
This is a good help. But also poses some new questions.
It indicates the ISRG2/891 support ECDH and ECDSA in software.
Does this rule out using them in a production environment?
They are supposed to be stronger and more efficient, but I can't judge their performance.
AdHoc testing ECDH/ECDSA on an 891 doesn't seem to affect it much.
Or putting it a different way ..
What are the strongest IKEv2 / IPsec encryption algorithms with the highest performance for 891/ISRG2/ISRG3/ASR1002x?
Assuming one of these platforms will be the lowest common denominator.
My preference is to use GCM and elliptic curve where possible.
Also .. I'd like to totally disable ikev1/isakmp.
There is no isakmp config and I've deleted the default isakmp proposals. Is that it?
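The following IKEv2/IPsec configuration is an added example, not part of the original thread or Cisco's own documentation. It reworks the poster's proposal/profile/transform-set into the GCM plus elliptic curve combination the post asks about. The names PROP-SUITEB, POL-SUITEB, IKEV2-PROF, ECC-TP, TS-GCM and IPSEC-PROF are assumptions, as is the existence of an already-enrolled trustpoint holding an EC key; the fvrf INET and certificate map map1 are taken from the poster's config. Whether ESP-GCM runs in hardware on a given ISR or ASR still has to be checked against the crypto technote linked earlier in the thread.

```cisco
! Added example (not from the original post). Names are placeholders.
!
! IKEv2 proposal: AES-256-GCM is an AEAD cipher, so no separate integrity
! algorithm is configured; IOS requires an explicit PRF when GCM is used.
! Groups 19 (ECDH P-256) and 20 (ECDH P-384) replace group 14 (2048-bit MODP).
crypto ikev2 proposal PROP-SUITEB
 encryption aes-gcm-256
 prf sha512
 group 19 20
!
! A proposal is only used once a policy references it; the policy is
! matched on the front-door VRF like the poster's profile.
crypto ikev2 policy POL-SUITEB
 match fvrf INET
 proposal PROP-SUITEB
!
! Certificate-based ECDSA authentication in both directions; ECC-TP is an
! assumed trustpoint that already holds the router's EC key pair and cert.
crypto ikev2 profile IKEV2-PROF
 match fvrf INET
 match certificate map1
 identity local dn
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint ECC-TP
!
! ESP with AES-256-GCM. The transform-set carries no esp-*-hmac entry
! because GCM already authenticates the payload.
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
!
! PFS rekeys the child SA over ECDH P-256 instead of group 14.
crypto ipsec profile IPSEC-PROF
 set transform-set TS-GCM
 set pfs group19
 set ikev2-profile IKEV2-PROF
```

After bringing a tunnel up, `show crypto ikev2 sa detailed` shows the negotiated encryption, PRF and DH group for the IKE SA, and `show crypto ipsec sa` shows the ESP transform in use for the child SA; if either side falls back to a different proposal, the mismatch is visible there before it is visible as a performance problem.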
02-28-2015 09:08 AM
What you want to avoid is encrypting your traffic in software. But since you want to use GCM ... that's not a problem.
IKE can be handled in software.... you might see your CPU shoot up every time IKE needs to re-negotiate (every 1 day by default) ... whenever you re-do your IPsec SA (every hour by default).
To disable IKEv1:
no crypto isakmp enable
tested on my 15.4T ... disabled it and checked that my IKEv2 session still came up after clearing ;]
03-02-2015 12:12 PM
Thanks Marcin
Re encryption perf: perfect, thank you.
Re disabling isakmp:
I tried 'no crypto isakmp enable' on my ASR running 3.13 and 891 running 15.4(3)M.
New sessions wouldn't start and existing sessions dropped when the IPsec SA expired (I have PFS enabled).
I only have crypto ikev2 configured.