Question regarding encryption for a VPN set up between two of our sites

Travis Capehart (Level 1)

We have two Cisco 2951 routers, one at our main location and one at a branch location.  An engineer from a local company came in and did all the setup work, including the VPN between the two of them.

For an upcoming review, the auditing firm wanted to know what kind of security/encryption was set up between the two routers.  The engineer is no longer available, so I have been going over our configuration files for each of the routers, and am having issues figuring out what to tell them (I'll be the first to admit that some of this stuff is over my head).

I am attaching the portions of the configs with the "crypto" information that he set up.  If you see anything wrong, or need anything additional, let me know.

Thanks in advance!
Accepted Solution

This is what you are using:

Phase1: 3DES, SHA1, PSK, DH Group2 (1024Bit), Lifetime 86400s

Phase2: 3DES, SHA1

That's nowadays considered legacy crypto but probably nothing to worry about. Still, the crypto config has to be considered as having "room for improvement" ...

3 Replies


Thank you for the quick reply!

What is the next step up in encryption that we could take to not be considered "legacy"?

The only reason I ask is that regulators can really hit us on something like that in the future.
If you want to be at the top of encryption, then you should:

  • migrate to IKEv2
  • use DH group 14 or 16 (IKEv2 and PFS)
  • use SHA256
  • use AES-256 for IKEv2
  • use AES-256-GCM for the data-traffic
  • whatever the PSK was, use one that is longer and more complex ... ;-)

For a better manageability, you could migrate from crypto-maps to virtual tunnel-interfaces (VTIs).
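As an added illustration, not the poster's attached config (which is not reproduced on this page) and not written by the replying engineer: a Cisco IOS crypto-map configuration that produces exactly the Phase 1 / Phase 2 parameters named in the accepted answer, followed by the IKEv2 + VTI configuration the reply above recommends. Peer addresses (198.51.100.1 / 203.0.113.2), object names, the tunnel addressing and the PSK placeholders are assumptions for the example; the main-site side is shown and the branch mirrors it with the addresses swapped.

```cisco
! ===== Legacy (what the accepted answer describes) =====
! Reconstructed to match "3DES, SHA1, PSK, DH group 2, 86400 s" (assumed, not the poster's file)
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <LEGACY-PSK> address 203.0.113.2
!
crypto ipsec transform-set TS-LEGACY esp-3des esp-sha-hmac
 mode tunnel
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CM-LEGACY 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-LEGACY
 match address VPN-ACL
!
! ===== Hardened (what the last reply recommends: IKEv2, DH 14/16, SHA-256, AES-256, AES-256-GCM, VTI) =====
crypto ikev2 proposal PROP-STRONG
 encryption aes-cbc-256
 integrity sha256
 group 14 16
crypto ikev2 policy POL-STRONG
 proposal PROP-STRONG
!
crypto ikev2 keyring KR-BRANCH
 peer BRANCH
  address 203.0.113.2
  pre-shared-key local <LONG-RANDOM-LOCAL-PSK>
  pre-shared-key remote <LONG-RANDOM-REMOTE-PSK>
!
crypto ikev2 profile PROF-BRANCH
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-BRANCH
!
! AES-256-GCM is an AEAD cipher, so no separate esp-sha-hmac is configured here
crypto ipsec transform-set TS-STRONG esp-gcm 256
 mode tunnel
!
crypto ipsec profile IPSEC-PROF-BRANCH
 set transform-set TS-STRONG
 set pfs group14
 set ikev2-profile PROF-BRANCH
!
! Route-based VPN: traffic is selected by routing, not by a crypto ACL
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-BRANCH
!
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

Both routers have to be changed in the same maintenance window, since the IKEv2 side will not negotiate with an IKEv1-only peer, and the `crypto map` statement should be removed from the WAN interface once the tunnel interface is up. Confirm that the IOS release on the 2951 offers `esp-gcm` in the transform-set before committing. For the auditor, the negotiated values, rather than the configuration, are the evidence: `show crypto isakmp sa detail` and `show crypto ipsec sa` show them for the legacy setup, and `show crypto ikev2 sa detailed` after the migration.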