Re: Site-to-Site Wizard and Encryption levels?

dkraut · ‎08-24-2012

Hi All, curious as to how the ASA negotiates encryption and hash values when using the ASDM site-to-site wizard. The wizard appears to allow all possible combinations so if both sides are setup using the wizard defaults, are the agreed upon phase1/2 encryption and hash values random or is there some logic to what they select? Reason I ask is because I noticed one tunnel is using AES256 while a different tunnel is using 3DES. Both are ASA to ASA and both were setup using the ASDM site to site wizard. Also, does it make more sense to limit both sides to a specific value?

Thanks!

Jennifer Halim · ‎08-24-2012

You would actually need to choose the same encryption and hash value to match the remote side of the tunnel. If there is no matching encryption or hash policy, then the VPN tunnel would not be established.

So prior to configuring site-to-site tunnel, you would need to ensure that you have the same encryption and hash value agreed upon and configured on both end.

dkraut · ‎08-24-2012

I understand that Jennifer, but when you use the site to site wizard, it appears to select all possible values so I'm wondering how the two sides agree upon which one to use in that scenario?

Karsten Iwen · ‎08-24-2012

When multiple policies and transforms are available, the responding ASA (or router, same system) uses a priority to choose one of them.

For Phase I:

The Isakmp policies have Numbers. These are the priorities where the lowest number have the highest priorities. Assume both ASAs have two policies:

ASA1:

10: AES256, SHA, DH5, PSK, 86400s

20: DES, MD5, DH1, PSK, 86400s

ASA2:

10: DES, MD5, DH1, PSK, 86400s

20: AES256, SHA, DH5, PSK, 86400s

If ASA1 initiates the IPSec-session, then they would negotiate to DES, MD5 and DH1. But if ASA2 initiates the connection, then they negotiate to AES256, SHA, DH5. The responder of the session decides.

For Phase II:

There you can have multiple transforms listed in the "set transform-set"-command. Here the transforms at the beginning have a higher priority then the transforms at the end of the command.

What to take away from that:

1) Remove all unsecure policies and transforms because they could be choosen if a peer suggests only unsecure transforms.

2) The more secure policies/ransforms should always have a higher priority then the not so secure policies and transforms.

Sent from Cisco Technical Support iPad App

dkraut · ‎08-28-2012

Thanks for the detailed explanation Karsten. So let me ask this... For a site to site vpn that needs optimal throughput with minimal security, what phase 1 / 2 parameters make the most sense? Secondly, how would one enforce that the site to site tunnel only use that set of parameters via ASDM? Do I simply edit and remove all parameters except what I want to use under Configuration / Site-To-Site VPN / Advanced / Crypto Maps and IPSec Proposals (Transform Sets) ?

Karsten Iwen · ‎08-28-2012

The encryption is done in hardware, so it doesn't really matter that much what you take from a performance standpoint. I would just go with AES128/SHA.

You can delete all transforms and policies that you don't need. The ASDM somtimes doesn't allow that, but it can be done from the CLI.