Ensuring our VPN is using NGE to protect data

johnf1
Level 1

What is the best way to ensure our ASA site to site VPN to another ASA is using NGE to protect the data?

When issuing the sh vpn-sessiondb l2l command, we get the following:

Session Type: LAN-to-LAN

Connection   : x.x.x.x
Index        : 8075                   IP Addr      : x.x.x.x
Protocol     : IKEv2 IPsecOverNatT
Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)DES
Hashing      : IKEv2: (1)SHA512  IPsecOverNatT: (1)SHA1
Bytes Tx     : 3292451979             Bytes Rx     : 178875220
Login Time   : 03:32:56 EDT Wed Oct 4 2017
Duration     : 5h:42m:19s

Exactly what does this output mean?

Does this include Phase 1 and Phase 2 settings?

Does it mean Phase 1 settings are aes256 and Phase 2 are DES?

thanks...


7 Replies

GioGonza
Level 4

Hello @johnf1

Test with the command "sh vpn-sessiondb detail l2l"; you will get the information for Phase 1 and Phase 2.

HTH

Gio

You are right with your assumption (but with IKEv2 there is no Phase 1/Phase 2; it's better to talk about the IKE SA and the IPsec SAs):

The IKEv2 SA looks fine with AES256/SHA512, but your IPsec SAs do not. Look at your crypto map and what you assign with "set ikev2 ipsec-proposal". Delete everything that is not needed. If you configured the VPNs with ASDM, it's very likely that you have plenty of insecure elements in the config. You should also delete them from the CLI.

Thanks for the information. Very helpful. Does this now look appropriate?

wvdob-asa# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection : x.x.x.x
Index : 8100 IP Addr : x.x.x.x
Protocol : IKEv2 IPsecOverNatT
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256
Hashing : IKEv2: (1)SHA512 IPsecOverNatT: (1)SHA512
Bytes Tx : 755958797 Bytes Rx : 17834370
Login Time : 08:02:36 EDT Thu Oct 5 2017
Duration : 0h:18m:40s

IKEv2 Tunnels: 1
IPsecOverNatT Tunnels: 1

IKEv2:
Tunnel ID : 8100.1
UDP Src Port : 4500 UDP Dst Port : 4500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 85280 Seconds
PRF : SHA512 D/H Group : 24
Filter Name :

IPsecOverNatT:
Tunnel ID : 8100.2
Local Addr : y.y.y.y/255.255.255.0/0/0
Remote Addr : z.z.z.z/255.255.255.0/0/0
Encryption : AES256 Hashing : SHA512
Encapsulation: Tunnel PFS Group : 24
Rekey Int (T): 28800 Seconds Rekey Left(T): 27680 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 3869759 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 755959073 Bytes Rx : 17834590
Pkts Tx : 555722 Pkts Rx : 370514




Looks much better. You can also check whether your peer supports AES in GCM; AES in CBC mode, as you are using it, is not considered NGE:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

Great, thanks, how does this look?

We are concerned about the "none" in the 7th line, Hashing ... IPsecOverNatT: (1)none

wvdob-asa# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection : x.x.x.x
Index : 8112 IP Addr : x.x.x.x
Protocol : IKEv2 IPsecOverNatT
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES-GCM-256
Hashing : IKEv2: (1)SHA512 IPsecOverNatT: (1)none
Bytes Tx : 114776225 Bytes Rx : 2668194
Login Time : 09:12:20 EDT Thu Oct 5 2017
Duration : 0h:02m:05s

IKEv2 Tunnels: 1
IPsecOverNatT Tunnels: 1

IKEv2:
Tunnel ID : 8112.1
UDP Src Port : 4500 UDP Dst Port : 4500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA512
Rekey Int (T): 86400 Seconds Rekey Left(T): 86275 Seconds
PRF : SHA512 D/H Group : 24
Filter Name :

IPsecOverNatT:
Tunnel ID : 8112.2
Local Addr : y.y.y.y/255.255.255.0/0/0
Remote Addr : z.z.z.z/255.255.255.0/0/0
Encryption : AES-GCM-256 Hashing : none
Encapsulation: Tunnel PFS Group : 24
Rekey Int (T): 28800 Seconds Rekey Left(T): 28675 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4494818 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 115898396 Bytes Rx : 2690074
Pkts Tx : 83665 Pkts Rx : 57154


"none" is normal here as GCM is an "authenticated encryption". That means that the integrity functions are built into the encryption process and there is no need to apply an additional HMAC.
Last step: Is your PSK at least 50 characters long and really random? If yes, you are probably in the top one percent of the most secure VPNs.

ajittrivedi
Level 1

For me, the output of show vpn-sessiondb l2l is:

Connection : ****
Index : 16456 IP Addr : ****
Protocol : IKEv2
Encryption : IKEv2: (1)AES256 Hashing : IKEv2: (1)SHA256
Bytes Tx : 0 Bytes Rx : 0
Login Time : 14:25:01 KSA Tue Jun 27 2023
Duration : 0h:00m:19s

Why is the value of Protocol IKEv2 and not IKEv2 IPsecOverNatT?
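The session outputs quoted throughout this thread can be checked mechanically rather than read by eye. The following is an added example, not Cisco's code and not posted by anyone in the thread: a Python script that parses the summary lines of show vpn-sessiondb [detail] l2l, grades each SA by the criteria the replies above use (DES is weak; AES in CBC mode is fine but not NGE; AES-GCM is NGE and legitimately shows "none" in the Hashing column because it is authenticated encryption), reports the D/H and PFS groups without grading them, flags a session like the last post's that carries an IKEv2 SA but no IPsec SA, and generates a pre-shared key that meets the 50-character floor from the accepted answer. The sample captures are constructed from the quoted outputs with the same masked addresses; the WEAK/ACCEPTABLE/NGE scale, the rule that SHA1/MD5 integrity is weak regardless of cipher, and the PSK alphabet are my assumptions, not statements from the thread.

```python
"""Audit ASA 'show vpn-sessiondb [detail] l2l' output for the algorithm points raised in the thread.

Added example (not Cisco's or any poster's code). Grading follows the thread: DES bad,
AES-CBC acceptable but not NGE, AES-GCM is NGE and needs no separate HMAC. Other rules are
assumptions marked inline.
"""
import re
import secrets
import string

# Summary lines look like "Encryption : IKEv2: (1)AES256  IPsecOverNatT: (1)DES"; in the last
# post Encryption and Hashing share one line, so fields are located first, then (n)ALG pairs.
FIELD = re.compile(r"(Encryption|Hashing)\s*:\s*((?:\w+:\s*\(\d+\)[\w-]+\s*)*)")
PAIR = re.compile(r"(\w+):\s*\(\d+\)([\w-]+)")
GROUP = re.compile(r"(D/H|PFS) Group\s*:\s*(\d+)")

# Constructed samples modelled on the outputs quoted in this thread (addresses masked as posted).
SAMPLE_DES = """\
Session Type: LAN-to-LAN
Connection   : x.x.x.x
Protocol     : IKEv2 IPsecOverNatT
Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)DES
Hashing      : IKEv2: (1)SHA512  IPsecOverNatT: (1)SHA1
"""
SAMPLE_GCM = """\
Session Type: LAN-to-LAN Detailed
Protocol : IKEv2 IPsecOverNatT
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES-GCM-256
Hashing : IKEv2: (1)SHA512 IPsecOverNatT: (1)none
IKEv2:
Encryption : AES256 Hashing : SHA512
PRF : SHA512 D/H Group : 24
IPsecOverNatT:
Encryption : AES-GCM-256 Hashing : none
Encapsulation: Tunnel PFS Group : 24
"""
SAMPLE_IKE_ONLY = """\
Protocol : IKEv2
Encryption : IKEv2: (1)AES256 Hashing : IKEv2: (1)SHA256
Bytes Tx : 0 Bytes Rx : 0
"""


def parse_summary(text):
    """Map each SA type (IKEv2, IPsecOverNatT, ...) to its negotiated encryption and hash."""
    sas = {}
    for line in text.splitlines():
        for field, body in FIELD.findall(line):
            key = "enc" if field == "Encryption" else "hash"
            for proto, alg in PAIR.findall(body):
                sas.setdefault(proto, {})[key] = alg
    return sas


def grade_sa(enc, mac):
    """Return (grade, reason) on an assumed WEAK / ACCEPTABLE / NGE / UNKNOWN scale."""
    e, m = enc.upper(), mac.upper()
    if e.startswith("AES-GCM"):
        # GCM is an AEAD mode: integrity is part of the cipher, so "none" is the expected hash.
        return "NGE", "AES-GCM is authenticated encryption; a separate HMAC is not needed"
    if e in ("DES", "3DES", "NULL"):
        return "WEAK", f"{enc} encryption"
    if m in ("MD5", "SHA1", "SHA", "NONE"):
        # Assumption: SHA1/MD5 (or no) integrity is graded weak whatever the cipher.
        return "WEAK", f"{mac} integrity"
    if e.startswith("AES"):
        return "ACCEPTABLE", f"{enc} in CBC mode with {mac}: fine, but not NGE (GCM would be)"
    return "UNKNOWN", f"{enc}/{mac}"


def audit(text):
    """Grade every SA in a capture, collect DH/PFS groups, and note whether an IPsec SA exists."""
    sas = parse_summary(text)
    return {
        "sas": {p: grade_sa(a.get("enc", "?"), a.get("hash", "?")) for p, a in sas.items()},
        "groups": {name: int(num) for name, num in GROUP.findall(text)},
        # An IKE SA alone protects no traffic; data needs an IPsec (child) SA.
        "ipsec_present": any(p.startswith("IPsec") for p in sas),
    }


# Assumption: avoid '?', quotes and spaces, which are awkward to type into the ASA CLI.
# The 50-character floor is the one given in the accepted answer.
PSK_ALPHABET = string.ascii_letters + string.digits + "-_.!@#%^*+=:~"
MIN_PSK_LEN = 50


def generate_psk(length=64):
    """Generate a pre-shared key from the OS CSPRNG; randomness is ensured here, not checked later."""
    if length < MIN_PSK_LEN:
        raise ValueError(f"PSK must be at least {MIN_PSK_LEN} characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_meets_floor(psk):
    """Length check only; a key's randomness cannot be verified after the fact."""
    return len(psk) >= MIN_PSK_LEN


if __name__ == "__main__":
    for name, sample in (("DES", SAMPLE_DES), ("GCM", SAMPLE_GCM), ("IKE only", SAMPLE_IKE_ONLY)):
        print(name, audit(sample))
    print("example PSK:", generate_psk())
```

Run it against a saved capture by passing the file contents to audit(); the IKE-only sample reproduces the last post's situation, where the IKEv2 SA is up but no IPsecOverNatT entry appears, which the report surfaces as ipsec_present being False.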