03-21-2018 06:55 AM - edited 03-12-2019 05:07 AM
Hello All,
Looking at the link below for Site-to-Site VPN with IKEv2, Cisco is saying that for IKEv2 they allow asymmetric authentication, like one side PSK and the other remote side certificate authentication, but it still also allows authentication with PSK on both sides, right?
Quote from the above link:
"The major difference between IKE versions 1 and 2 lies in terms of the authentication method they allow. IKEv1 allows only one type of authentication at both VPN ends (that is, either pre-shared key or certificate). However, IKEv2 allows asymmetric authentication methods to be configured (that is, pre-shared-key authentication for the originator, but certificate authentication for the responder) using separate local and remote authentication CLIs.
Further, you can have different pre-shared keys at both ends. The Local Pre-shared key at the HQ-ASA end becomes the Remote Pre-shared key at the BQ-ASA end. Likewise, the Remote Pre-shared key at the HQ-ASA end becomes the Local Pre-shared key at the BQ-ASA end."
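An added example (not from the original post or from the Cisco document quoted above) showing the two patterns the quote describes on a pair of ASAs. The peer addresses 203.0.113.1 (HQ-ASA) and 203.0.113.2 (BQ-ASA), the key strings and the trustpoint name HQ-TP are placeholders chosen for illustration; the ikev2 local-authentication and ikev2 remote-authentication commands under tunnel-group ipsec-attributes are the "separate local and remote authentication CLIs" the quote refers to.

```cisco
! Pattern 1: pre-shared key on BOTH sides, with a different key per direction.
! Each box's "local" key is the other box's "remote" key.

! HQ-ASA (outside 203.0.113.1), peer is BQ-ASA at 203.0.113.2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ! key HQ presents to BQ
 ikev2 local-authentication pre-shared-key HQ-key-example
 ! key HQ expects BQ to present
 ikev2 remote-authentication pre-shared-key BQ-key-example

! BQ-ASA (outside 203.0.113.2), peer is HQ-ASA at 203.0.113.1
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ! HQ's remote key is BQ's local key
 ikev2 local-authentication pre-shared-key BQ-key-example
 ! HQ's local key is BQ's remote key
 ikev2 remote-authentication pre-shared-key HQ-key-example

! Pattern 2: asymmetric authentication. HQ authenticates with a certificate
! (trustpoint HQ-TP is a placeholder name), BQ authenticates with a PSK.

! HQ-ASA
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication certificate HQ-TP
 ikev2 remote-authentication pre-shared-key BQ-key-example

! BQ-ASA
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key BQ-key-example
 ikev2 remote-authentication certificate
```

If the same string is given to both local-authentication and remote-authentication on each side, this collapses to the plain symmetric PSK case, so "both sides PSK" is simply a special case of pattern 1. For pattern 2 the BQ-ASA must also hold a trustpoint for the CA that issued HQ's certificate so it can validate it; that trustpoint configuration is outside the scope of this snippet. A key or method mismatch shows up as a failure in the IKE_AUTH exchange rather than in IKE_SA_INIT, which is a quick way to tell an authentication problem from a proposal (policy) mismatch when reading debug crypto ikev2 protocol output.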
03-21-2018 07:16 AM
03-21-2018 08:45 AM
Thank RJI
03-23-2018 06:57 AM
03-23-2018 07:14 AM - edited 03-23-2018 07:27 AM
I use this Cisco doc for a list of recommended encryption algorithms.
aes-256 is the acceptable current standard.
aes-gcm is NGE (Next Generation Encryption). It also provides integrity, so there is no need to use a hashing algorithm (SHA etc.) as well.
There is no mention of aes-gmac in the above link, but according to the RFC, GMAC only provides data origin authentication, not confidentiality.
I've not come across aes-gmac before; not sure if it's widely used. It seems Cisco (as per the referenced link) recommends AES-GCM as its NGE algorithm.
HTH
04-10-2018 01:43 AM
Thank you very much, RJI !