VPN two VPN profile and FIPS mode

MrBeginner
Spotlight

Hi,

I would like to ask about VPN and FIPS mode.

If I have two IPsec profiles: I applied one profile to the WAN interface.

I also applied another profile to the VTI interface. Let me know whether it will be double encrypted or whether those two IPsec profiles will conflict?

Or will they work separately?

If I enable FIPS mode, will all my existing configuration be gone?

Do I need to regenerate the certificate for VPN?

Accepted Solution

@MrBeginner unlikely. If the VTI traffic does not match the crypto map traffic selectors it would not be unintentionally encrypted. I seem to recall it's not recommended to enable both Policy and Route Based VPN on the same external interface.

Refer to this guide, if you want the ASA to internally enforce FIPS-compliant behavior, such as run power-on self-tests and bypass test then enable FIPS (requires a reboot). If you just want FIPS compliant ciphers, then just remove the non-compliant ciphers from the IKE/IPSec policies/proposals.

Refer here for more information. https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3232.pdf

 


3 Replies

@MrBeginner so one crypto map and the other a VTI? If so traffic would be routed via the VTI assuming there are routes via the VTI. It would not be encrypted by the crypto map unless the traffic selectors in the crypto ACL match the VTI source and destination IP addresses.

I see no reason why the configuration would be lost; you could just define the FIPS-compliant ciphers?

@Rob Ingram

Yes, you're right. I have two different IPsec profiles. I have one WAN interface, so we will use the same public IP for all IPsec profiles. But one profile will apply on the VTI or GRE tunnel, and one will apply on the physical interface. I worry they will conflict with each other on the SA. So is it possible that one is applied on the WAN interface and another is applied on the VTI or GRE tunnel?

Will they conflict with each other at the SA stage?

I just want to enable FIPS-compliant ciphers. I just want to use FIPS-compliant algorithms for encryption, hashing and signing. So without enabling FIPS mode, can I enable FIPS-compliant algorithms?

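Added example, not code from this thread or from Cisco: a small Python audit that reads an ASA running-config excerpt and checks the two points the replies make. First, it lists IKEv2 policies and IPsec proposals that still carry non-approved algorithms or DH groups, which is the "just remove the non-compliant ciphers" route as opposed to enabling FIPS mode on the box. Second, it reports any crypto map ACL entry whose traffic selectors also match a VTI's own tunnel source and destination, the situation in which the crypto map and the VTI would compete for the same packets. The config text is constructed for the example, and the NON_FIPS_* lists are an assumption to be aligned with the NIST security policy linked in the reply.

```python
import ipaddress

# CONSTRUCTED sample ASA config for this example; not taken from a real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.0
interface Tunnel1
 tunnel source interface outside
 tunnel destination 198.51.100.20
 tunnel protection ipsec profile VTI-PROFILE
access-list CMAP-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CMAP-ACL extended permit ip host 203.0.113.10 host 198.51.100.20
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map OUTSIDE-MAP 10 match address CMAP-ACL
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 2
"""

# ASSUMPTION: tokens/DH groups treated as non-FIPS here; align with the module's NIST security policy.
NON_FIPS_ALGOS = {"des", "3des", "md5"}
NON_FIPS_GROUPS = {"1", "2", "5"}  # DH groups shorter than 2048 bits

def parse_blocks(config):
    """Split ASA config into (top-level line, [indented child lines]) blocks."""
    blocks = []
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def find_non_fips_algorithms(config):
    """(block header, line) for each IKEv2 policy / IPsec proposal line naming a non-approved algorithm or group."""
    findings = []
    for header, body in parse_blocks(config):
        if not header.startswith(("crypto ikev2 policy", "crypto ipsec ikev2 ipsec-proposal")):
            continue
        # 'integrity null' is legitimate only with an AEAD cipher such as AES-GCM
        aead = any("aes-gcm" in l for l in body if "encryption" in l)
        for line in body:
            tokens = line.split()
            if tokens[0] == "group":
                bad = set(tokens[1:]) & NON_FIPS_GROUPS
            elif "integrity" in tokens and tokens[-1] == "null":
                bad = set() if aead else {"null"}
            else:
                bad = set(tokens) & NON_FIPS_ALGOS
            if bad:
                findings.append((header, line))
    return findings

def _field(body, prefix):
    # Words following `prefix` in the first child line that starts with it, else None
    return next((l[len(prefix):].split() for l in body if l.startswith(prefix)), None)

def _acl_term(tokens, i):
    # Parse one ACL address term (host A | A MASK) at tokens[i]; return (network, next index)
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def find_selector_overlaps(config):
    """Crypto map ACL entries that also match a VTI's own tunnel source/destination (the SA conflict asked about)."""
    iface_ip, tunnels, acls, cmaps = {}, [], {}, []
    for header, body in parse_blocks(config):
        t = header.split()
        if t[0] == "interface":
            name, ip = _field(body, "nameif "), _field(body, "ip address ")
            src_if, dst = _field(body, "tunnel source interface "), _field(body, "tunnel destination ")
            if name and ip:
                iface_ip[name[0]] = ip[0]
            if src_if and dst:
                tunnels.append((header, src_if[0], dst[0]))
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 2  # +2 skips the protocol keyword
            s_net, i = _acl_term(t, i)
            d_net, i = _acl_term(t, i)
            acls.setdefault(t[1], []).append((s_net, d_net))
        elif t[:2] == ["crypto", "map"] and "address" in t:
            cmaps.append((t[2], t[t.index("address") + 1]))
    overlaps = []
    for tunnel, src_if, dst in tunnels:
        src_ip, dst_ip = ipaddress.ip_address(iface_ip[src_if]), ipaddress.ip_address(dst)
        for cmap, acl in cmaps:
            for s_net, d_net in acls.get(acl, []):
                if src_ip in s_net and dst_ip in d_net:
                    overlaps.append((cmap, acl, tunnel, f"{s_net} -> {d_net}"))
    return overlaps

if __name__ == "__main__":
    print(find_non_fips_algorithms(SAMPLE_CONFIG), find_selector_overlaps(SAMPLE_CONFIG), sep="\n")
```

Against the constructed config, the audit flags 3DES, MD5 and group 2 in policy 10 and the LEGACY proposal, leaves the AES-GCM proposal alone (null integrity is expected with an AEAD cipher), and reports the second ACL line because it matches the VTI's own outer endpoints. To use it on a real box, paste the output of `show running-config` in place of SAMPLE_CONFIG; anything it reports under the overlap check is exactly the case the accepted answer warns about.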