Any tips for transforming IKEv1 to IKEv2 on Cisco 891f-k9 router?

MBestt
Level 1


Hello,

I have a question regarding setting up an IPSec IKEv2 VPN tunnel on a Cisco 891f-k9 router. Currently, there is an IPSec IKEv1 tunnel configured on this router. I would like to migrate this to an IPSec IKEv2 tunnel. However, I am not entirely sure what factors I need to consider. The tunnel will be established between the router and a FortiGate firewall. I've read online about required computational resources for using higher DH groups. Does anyone have any tips on what considerations I should take into account for setting up the tunnel, any best practices?

For instance, what are commonly used or well-secured configurations for IPSec IKEv2 proposal sets and IKEv2 policies?


Kind regards,

MBestt

4 Replies

@MBestt you should be looking at AES-GCM, SHA-2, DH groups 19, 20, 21, etc.

This Cisco guide has the recommended minimum IKEv2 proposals (slightly dated).

The Cisco Live presentation BRKSEC-3005 has the recommended NGE protocols https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3005.pdf


@Rob Ingram Thank you for providing this information. I have one more question. How do I know if my router has the required resources to use specific encryption, DH group, etc.? Can I find this somewhere in the Cisco documentation?

Kind regards,

MBestt

@MBestt there isn't much information for this older hardware. Attached is a performance overview for the old router hardware; this may have some useful information.


Each router supports different IKE phase SAs; you need to run

Router# show crypto isakmp default policy

This gives you a hint about the available DH/encryption/hash options,
or you can use "?" under the isakmp policy and with the ipsec transform,
then select the one that is more secure and accepted by the VPN peer.

MHM
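As an added example (not from this thread, Cisco's documentation or the FortiGate side), here is an IOS IKEv2 site-to-site configuration that follows Rob Ingram's recommendation above (AES-GCM, SHA-2 PRF, DH groups 19/20/21) and MHM's advice to confirm with "?" what the platform actually offers before committing. Peer and local addresses, the WAN interface name, subnets, the pre-shared key placeholder and all object names are assumptions to be replaced.

```cisco-ios
! Added example, not the thread's or Cisco's own config.
! Assumed: peer 203.0.113.2, local WAN 198.51.100.1 on GigabitEthernet8,
! tunnel 10.255.0.0/30, remote LAN 192.168.20.0/24 behind the FortiGate.
! On this 891F, first check "encryption ?" / "group ?" inside the proposal:
! an older IOS release may not list aes-gcm-256 or group 21.
crypto ikev2 proposal IKEV2-PROP-NGE
 encryption aes-gcm-256
 ! AEAD cipher: no "integrity" line; the PRF must be set explicitly.
 prf sha512 sha384
 group 21 20 19
!
crypto ikev2 policy IKEV2-POL-NGE
 proposal IKEV2-PROP-NGE
!
crypto ikev2 keyring IKEV2-KEYRING
 peer FORTIGATE
  address 203.0.113.2
  pre-shared-key <REPLACE-WITH-LONG-RANDOM-PSK>
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 ! Dead peer detection so a stale SA is torn down instead of blackholing.
 dpd 10 3 on-demand
!
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE-NGE
 set transform-set TS-GCM
 ! PFS so each child SA rekey does a fresh ECDH exchange.
 set pfs group20
 set ikev2-profile IKEV2-PROFILE
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet8
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-NGE
!
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

The FortiGate phase 1 and phase 2 must offer the same AEAD cipher, PRF and DH group or negotiation fails; after bringing the tunnel up, "show crypto ikev2 sa detailed" and "show crypto ipsec sa" show which algorithms and group were actually selected.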