08-26-2022 12:43 AM
Hi,
I would like to ask about VPN and FIPS mode.
If I have two IPsec profiles, I applied one profile to the WAN interface.
I also applied another profile to the VTI interface. Let me know: will it be double encrypted, or will those two IPsec profiles conflict?
Or will they work separately?
If I enable FIPS mode, will all my existing configuration be gone?
Do I need to regenerate the certificate for VPN?
08-26-2022 02:50 AM - edited 08-26-2022 02:51 AM
@MrBeginner unlikely. If the VTI traffic does not match the crypto map traffic selectors, it would not be unintentionally encrypted. I seem to recall it's not recommended to enable both Policy and Route Based VPN on the same external interface.
Refer to this guide: if you want the ASA to internally enforce FIPS-compliant behavior, such as running power-on self-tests and bypass tests, then enable FIPS (requires a reboot). If you just want FIPS-compliant ciphers, then just remove the non-compliant ciphers from the IKE/IPsec policies/proposals.
Refer here for more information: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3232.pdf
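One way to find the non-compliant ciphers the reply above says to remove, as an added example that is not part of this thread or of Cisco's own tooling. It assumes the usual ASA `crypto ikev1 policy`, `crypto ikev2 policy` and `crypto ipsec ikev2 ipsec-proposal` block syntax, and the allowlist it uses (AES/AES-GCM, SHA-2, DH groups 14 and up) is a conservative assumption to adjust to your own FIPS policy, not the ASA's own FIPS table:

```python
# Conservative allowlist (an assumption for this example, not the ASA's FIPS
# table): AES/AES-GCM, SHA-2, DH groups 14-16 and ECDH groups 19-21.
# "null" stays because ASA pairs "integrity null" with AES-GCM. SHA-1 ("sha")
# is deliberately left out as a conservative choice.
ALLOWED = {
    "encryption": {"aes", "aes-192", "aes-256", "aes-gcm", "aes-gcm-192", "aes-gcm-256"},
    "hash": {"sha256", "sha384", "sha512", "sha-256", "sha-384", "sha-512", "null"},
    "group": {"14", "15", "16", "19", "20", "21"},
}
HASH_KEYWORDS = {"hash", "integrity", "prf"}   # keywords that take a hash argument
BLOCK_PREFIXES = ("crypto ikev1 policy", "crypto ikev2 policy",
                  "crypto ipsec ikev2 ipsec-proposal")

def audit_asa_crypto(config: str) -> list:
    """Return one finding per algorithm in an IKEv1/IKEv2 policy or IKEv2
    ipsec-proposal block that is not on the allowlist."""
    findings, block = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BLOCK_PREFIXES):
            block = line          # entering a policy/proposal block
            continue
        if not raw.startswith(" "):
            block = None          # unindented line: the block has ended
            continue
        if block is None:
            continue
        tokens = line.split()
        if tokens[:2] == ["protocol", "esp"]:
            tokens = tokens[2:]   # proposal lines read "protocol esp <kw> <alg...>"
        if len(tokens) < 2:
            continue
        keyword, algorithms = tokens[0], tokens[1:]
        kind = "hash" if keyword in HASH_KEYWORDS else keyword
        if kind not in ALLOWED:
            continue              # e.g. "lifetime seconds ..." carries no algorithm
        for alg in algorithms:    # IKEv2 lines may list several algorithms
            if alg not in ALLOWED[kind]:
                findings.append(f"{block}: {keyword} {alg} is not FIPS-approved")
    return findings

# Constructed sample config (not from the thread): one clean IKEv2 policy beside
# a policy, an IKEv1 policy and a crypto-map proposal that still carry legacy algorithms.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
crypto ikev2 policy 20
 encryption aes-256 3des
 integrity sha256 sha
 group 14 5
 prf sha256
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
crypto ipsec ikev2 ipsec-proposal MAP-PROP
 protocol esp encryption aes-256 des
 protocol esp integrity sha-256 md5
"""
```

Run `audit_asa_crypto(SAMPLE_CONFIG)` against `show running-config` output saved to a file; every finding names the block to edit before you tighten the policy or proposal.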
08-26-2022 12:54 AM
@MrBeginner so one crypto map and the other a VTI? If so, traffic would be routed via the VTI, assuming there are routes via the VTI. It would not be encrypted by the crypto map unless the traffic selectors in the crypto ACL match the VTI source and destination IP addresses.
I see no reason why the configuration would be lost; you could just define the FIPS-compliant ciphers?
08-26-2022 02:36 AM
Yes, you're right. I have two different IPsec profiles. I have one WAN interface, so we will use the same public IP for all IPsec profiles. But one profile will be applied on the VTI or GRE tunnel, and one will be applied on the physical interface. I worry they will conflict with each other on the SA. So is it possible that one is applied on the WAN interface and another is applied on the VTI or GRE tunnel?
Will they conflict with each other at the SA stage?
I just want to enable FIPS-compliant ciphers. I just want to use FIPS-compliant algorithms for encryption, hashing and signing. So without enabling FIPS mode, can I enable FIPS-compliant algorithms?