09-11-2015 01:36 PM - edited 02-21-2020 08:27 PM
Hi all,
I was just wondering what kind of settings you would implement if you had all available options within this post by Cisco:
http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
I would probably choose to use:
AES-GCM
DH-2048
SHA384
Lifetime of 1800 seconds
Certificate authentication
Am I way off base to propose something like this, or would you agree it is probably solid? The lifetime/auth is what I'm most worried about.
09-11-2015 02:19 PM
It's nearly what I implemented for a couple of customers in the past. What I did differently:
09-11-2015 02:34 PM
Was your PSK a "set it and forget it" type key, or did you log it somewhere like a Password Vault piece of software? I'd be awfully afraid to lose something that complex.
Thanks for your input!
09-11-2015 03:39 PM
That depends. I typically use PSKs of 100 characters when I configure both sides of the VPN. And pasting a 100-character PSK to the router is not harder than pasting a 10-character PSK. These are typically "set and forget". If something has to be changed, I change it on both sides.
It's different with connections to other parties. The PSK is often negotiated through the telephone, and not as long as I would like them to have. I put these keys in a password safe to be able to restore them quickly if I have to change devices in an emergency.
09-15-2015 06:16 AM
I always use certificates. 384-bit ECDSA.
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal GOOD
 protocol esp encryption aes-gcm-256
tunnel-group good_dynamic ipsec-attributes
 peer-id-validate cert
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate VPN-TRUST
crypto ca trustpoint VPN-TRUST
 subject-name CN=deathpunch.aigrs.local
 keypair VPN-TRUST
 validation-usage ipsec-client
 ocsp url http://10.234.237.176/ocsp
 revocation-check ocsp
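As an added example (not from this thread or any Cisco tool), here is a small Python audit that parses `crypto ikev2 policy` blocks like the one posted above and flags settings that fall below the floors discussed in the thread. The thresholds and the weak sample policy are my own assumptions.

```python
import re
# Constructed sample: the IKEv2 policy posted above (policy 1) plus a deliberately
# weak policy 10 for the audit to flag. Not taken from any real device.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 28800
crypto ikev2 policy 10
 encryption aes 3des
 integrity sha
 group 2
 lifetime seconds 604800
"""

# Hypothetical floors for this audit, following the thread: AES-256 (CBC or GCM),
# SHA-384+, DH group 14 (2048-bit MODP) / 19-21 (ECC) or stronger, lifetime <= 1 day.
STRONG_CIPHERS = {"aes-256", "aes-gcm-256"}
STRONG_HASHES = {"sha384", "sha512"}
STRONG_GROUPS = {"14", "15", "16", "19", "20", "21", "24"}
MAX_LIFETIME = 86400

def parse_ikev2_policies(text):
    """Return {policy_number: {keyword: [values]}} for each 'crypto ikev2 policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" ") and line.split():
            kw, *vals = line.split()
            current[kw] = vals          # e.g. "lifetime": ["seconds", "28800"]
        else:
            current = None              # any other top-level line ends the block
    return policies

def audit_policy(policy):
    """List the ways a parsed policy falls below the floors above (empty = passes)."""
    findings = []
    for kw, ok in (("encryption", STRONG_CIPHERS), ("integrity", STRONG_HASHES),
                   ("prf", STRONG_HASHES), ("group", STRONG_GROUPS)):
        weak = [v for v in policy.get(kw, ["missing"]) if v not in ok]
        if weak:
            findings.append(f"{kw}: {' '.join(weak)}")
    secs = int(policy.get("lifetime", ["seconds", "0"])[1])
    if secs > MAX_LIFETIME:
        findings.append(f"lifetime: {secs}s exceeds {MAX_LIFETIME}s")
    return findings
```

A policy that uses AES-GCM for IKEv2 itself carries `integrity null`, which this check would flag; that case needs an explicit exception.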