VPN encryption method

Daniel Leonard
Level 1

Hi,

I have some questions about VPN encryption methods.

Is it recommended to use different encryption algorithms for both VPN phases (phase 1 and phase 2)?

I've read once that it is much more secure to use different encryption algorithms for each phase.

In my opinion, I would go for the AES-256 algorithm in both phases. But maybe it is a better idea to use AES-128 or AES-192 in the first phase and AES-256 in the second phase… I don't know.

After saying this, I’m also wondering about the best VPN encryption setup for a site-to-site VPN (IKEv2) when using a Cisco ASA like the 5510, 5520 or the 5515.

  • Which encryption method is recommended for phase 1 and phase 2?
  • Which PFS / DH group should be used (considering CPU load and security)?

I hope that someone can point me in the right direction.

Thanks,

Niels

Please rate or mark answered for helpful posts.

Marvin Rhoads
Hall of Fame

Cisco has a decent whitepaper here with recommendations.

Personally, as long as both ends support the performance levels you need, I'd go with AES-256 in Phase 1 and Phase 2, mostly because it makes the security auditors happier to use the strongest available encryption. In reality, the security of your system is more susceptible to social engineering than it is to hacking the cryptographic algorithm.

You might also be interested in the firewall performance paper BRKSEC-3021 on CiscoLive 365. On page 68 it states:

ASA Crypto Operations

Most impact during tunnel establishment for IPsec
  ‒ RSA key generation is always done in software
  ‒ Routine IPsec/SSL operations are hardware accelerated
  ‒ Hardware processing with keys up to 2048 bits on ASA558x
  ‒ DH Group 5 and 2048-bit RSA are processed in software by default on 5550 and lower platforms; can be changed on ASA5510-5550:
    asa(config)# crypto engine large-mod-accel

Higher impact from SSL VPN compared to IPsec
  ‒ Very heavy CPU load from Application Proxy Engine
  ‒ ~128 KB vs ~18 KB of memory usage per connection
  ‒ No multi-core support until ASA 9.0 software

More generally, think about defense in depth vs. the hard crunchy exterior (strong VPN) but with soft chewy insides (no Data Loss Protection, unsecured laptops without disk encryption, personally owned devices without any BYOD policies and systems, etc.)
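To make the recommendation above concrete, here is an added example (not from this thread or from Cisco's whitepaper) of what "AES-256 in both phases plus PFS" looks like as an ASA IKEv2 site-to-site configuration. It assumes ASA 8.4+ syntax, an interface named "outside", a peer at the documentation address 203.0.113.2, sample subnets 10.0.1.0/24 and 10.0.2.0/24, and placeholder pre-shared keys; the object and map names are made up.

```cisco
! Phase 1 (IKEv2 SA): protects the key exchange itself.
! AES-256 encryption, SHA-256 integrity/PRF, DH group 14 (2048-bit MODP).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 prf sha256
 group 14
 lifetime seconds 86400
crypto ikev2 enable outside

! Phase 2 (child SA / ESP): protects the actual site-to-site traffic.
! Same AES-256 strength as phase 1, as the reply above recommends.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic (sample subnets, constructed for this example).
access-list VPN-TRAFFIC extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

! Bind peer, proposal and PFS. "set pfs group14" forces a fresh DH exchange
! for every child SA, so a compromised IKE SA key does not expose past ESP
! keys; the cost is one extra 2048-bit DH per rekey, which is the CPU-load
! trade-off the question raises (the slide above notes that large-modulus
! DH/RSA runs in software by default on the 5510-5550 unless
! "crypto engine large-mod-accel" is enabled).
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside

! Peer authentication (keys are placeholders, not real values).
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key <LOCAL-PSK-PLACEHOLDER>
 ikev2 remote-authentication pre-shared-key <REMOTE-PSK-PLACEHOLDER>
```

The mirror configuration on the other ASA must offer a matching policy and proposal (same cipher, integrity and DH group), otherwise IKEv2 negotiation fails before any tunnel comes up.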

Daniel Leonard
Level 1

Hi Marvin,

Thank you for your opinion!
A few days ago I had already found the "Cisco next generation encryption" documentation. I've decided to go for AES-256 in phase 1 and 2.

Thanks!

Sent from Cisco Technical Support iPhone App
