03-11-2024 06:16 AM
Hello,
I have a question regarding setting up an IPSec IKEv2 VPN tunnel on a Cisco 891f-k9 router. Currently, there is an IPSec IKEv1 tunnel configured on this router. I would like to migrate this to an IPSec IKEv2 tunnel. However, I am not entirely sure what factors I need to consider. The tunnel will be established between the router and a FortiGate firewall. I've read online about required computational resources for using higher DH groups. Does anyone have any tips on what considerations I should take into account for setting up the tunnel, any best practices?
For instance, what are commonly used or well-secured configurations for IPSec IKEv2 proposal sets and IKEv2 policies?
Kind regards,
MBestt
03-11-2024 06:25 AM
@MBestt you should be looking at AES-GCM, SHA-2, DH groups 19, 20, 21, etc.
This Cisco guide has the recommended minimum IKEv2 proposals (slightly dated).
The Cisco Live presentation BRKSEC-3005 has the recommended NGE protocols: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3005.pdf
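An added example of an IOS IKEv2 proposal, policy, profile and IPsec profile built from the algorithm families listed above (it is not from this thread, from Cisco, or from Fortinet). All object names, the addresses (RFC 5737 documentation ranges), the WAN interface and the pre-shared key are placeholders, and it assumes the 891F's IOS release accepts AES-GCM in an IKEv2 proposal; check that with `encryption ?` under `crypto ikev2 proposal` before relying on it, and the FortiGate side must be configured with the same algorithms and groups.

```ios
! Added example, not the thread's own config: IKEv2/IPsec to a FortiGate peer.
! Addresses are RFC 5737 documentation ranges; names and the PSK are placeholders.
crypto ikev2 proposal NGE-PROPOSAL
 encryption aes-gcm-256
 ! AES-GCM is an AEAD cipher, so IOS takes a prf here and no separate integrity line
 prf sha512 sha384
 ! ECP groups, strongest first; the peer picks the first one it also supports
 group 21 20 19
!
crypto ikev2 policy NGE-POLICY
 match fvrf any
 proposal NGE-PROPOSAL
!
crypto ikev2 keyring FGT-KEYRING
 peer FORTIGATE
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
crypto ikev2 profile FGT-PROFILE
 match identity remote address 203.0.113.1 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local FGT-KEYRING
 ! periodic DPD so a dead peer is detected and its SAs are torn down
 dpd 10 3 periodic
!
crypto ipsec transform-set NGE-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile FGT-IPSEC
 set transform-set NGE-TS
 ! PFS forces a fresh DH exchange on every child SA rekey
 set pfs group21
 set ikev2-profile FGT-PROFILE
!
! Route-based VPN: a VTI carries the protected traffic and brings IKEv2 up on demand
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile FGT-IPSEC
!
! Verification after the peer is up:
! show crypto ikev2 proposal     (what this platform/release accepts)
! show crypto ikev2 sa detail    (what was actually negotiated)
! show crypto ipsec sa           (child SA, transform and packet counters)
```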
03-22-2024 01:16 AM
@Rob Ingram Thank you for providing this information. I have one more question. How do I know if my router has the required resources to use specific encryption, DH-group etc? Can I find this somewhere in Cisco documentation?
Kind regards,
MBestt
03-22-2024 01:29 AM
@MBestt there isn't much information for this older hardware. Attached is a performance overview for the old router hardware; this may have some useful information.
03-22-2024 02:36 AM
Each router supports different IKE phase SAs; you need to run
Router# show crypto isakmp default policy
This gives you a hint about the available DH/encryption/hash options,
or you can use "?" under the isakmp policy and with the ipsec transform,
then select the one that is more secure and accepted by the VPN peer.
MHM