Optimal IPSec configuration for site to site tunnels?

pdub206
Level 1

Hi all,

I was just wondering what kind of settings you would implement if you had all available options within this post by Cisco:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

I would probably choose to use:

AES-GCM

DH-2048

SHA384

Lifetime of 1800 seconds

Certificate authentication

Am I way off base to propose something like this, or would you agree it is probably solid? The lifetime/auth is what I'm most worried about.

Throwing packets since 2012
4 Replies

It's nearly what I implemented for a couple of customers in the past. What I did differently:

  • I kept the lifetime for the IPsec SAs at 3600s
  • I used PSK because there was no CA or the CA was built for other purposes. But that didn't worry me, as a PSK of about 100 random characters (small, capital, numbers, specials) is probably more than secure enough.

Was your PSK a "set it and forget it" type key, or did you log it somewhere like a Password Vault piece of software? I'd be awfully afraid to lose something that complex.

Thanks for your input!

Throwing packets since 2012

That depends. I typically use PSKs of 100 characters when I configure both sides of the VPN. And pasting a 100 character PSK to the router is not harder than pasting a 10 character PSK. These are typically "set and forget". If something has to be changed, I change it on both sides.

It's different with connections to other parties. The PSK is often negotiated through the telephone, and not as long as I would like them to have. I put these keys in a password safe to be able to restore them quickly if I have to change devices in an emergency.


Douglas Holmes
Level 1

I use certificates always. 384 bit ECDSA.

crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 28800

crypto ipsec ikev2 ipsec-proposal GOOD
 protocol esp encryption aes-gcm-256

tunnel-group good_dynamic ipsec-attributes
 peer-id-validate cert
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate VPN-TRUST

crypto ca trustpoint VPN-TRUST
 subject-name CN=deathpunch.aigrs.local
 keypair VPN-TRUST
 validation-usage ipsec-client
 ocsp url http://10.234.237.176/ocsp
 revocation-check ocsp
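
A small audit of the kind this thread is really about, added here as an example (it is not code from the post above, nor from Cisco): it parses ASA-style indented config sections like the one just posted and flags weak encryption, weak integrity, sub-2048-bit MODP groups, over-long SA lifetimes and tunnel-groups that do not authenticate peers with certificates. The thresholds and the WEAK_SAMPLE config are constructed assumptions for illustration, not values taken from the Cisco NGE page linked in the question.

```python
# Audit ASA-style IKEv2/IPsec config text for weak crypto choices (constructed example;
# the thresholds are this script's assumptions, not values from the linked Cisco page).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,   # IANA IKEv2
                 19: 256, 20: 384, 21: 521, 24: 2048}                      # DH group -> bits
ECP_GROUPS = {19, 20, 21}                 # elliptic-curve groups: bits mean curve size
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha", "sha1"}   # ASA spells HMAC-SHA-1 as plain "sha"
WEAK_SAMPLE = """crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 lifetime seconds 86400
tunnel-group partner ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
"""  # constructed sample config, not taken from the thread

def parse_sections(config):
    """Group indented sub-commands under their parent (unindented) command line."""
    sections, current = {}, None
    for raw in filter(str.strip, config.splitlines()):   # skip blank lines
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit(config, max_lifetime=86400):
    """Return (section, finding) tuples; an empty list means nothing was flagged."""
    findings = []
    for header, body in parse_sections(config).items():
        for line in body:
            words = line.split()
            if "encryption" in words:            # 'encryption X' or 'protocol esp encryption X'
                alg = words[words.index("encryption") + 1]
                if alg.split("-")[0] in WEAK_ENCRYPTION:
                    findings.append((header, f"weak encryption {alg}"))
            if words[0] == "integrity" and words[1] in WEAK_INTEGRITY:
                findings.append((header, f"weak integrity {words[1]}"))
            if words[0] == "group":              # a policy may list several groups
                for g in map(int, words[1:]):
                    if g not in ECP_GROUPS and DH_GROUP_BITS.get(g, 0) < 2048:
                        findings.append((header, f"DH group {g} is below 2048-bit MODP"))
            if words[:2] == ["lifetime", "seconds"] and int(words[2]) > max_lifetime:
                findings.append((header, f"lifetime {words[2]}s exceeds {max_lifetime}s"))
        if "ipsec-attributes" in header and not any(
                "authentication certificate" in line for line in body):
            findings.append((header, "peer authentication is not certificate-based"))
    return findings
```

Running audit() over the configuration posted above returns no findings, while WEAK_SAMPLE yields four, or five when max_lifetime is tightened to the 3600 s discussed earlier in the thread.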
