Preconfiguration Checklist
As discussed in the VPN section of Chapter 1, "Introduction to Network Security," IPSec can use Internet Key Exchange (IKE) for key management and tunnel negotiation. IKE uses a combination of different Phase 1 and Phase 2 attributes that are negotiated between the peers. If any one of the attributes is misconfigured, the IPSec tunnel will fail to establish. It is therefore highly recommended that security professionals understand the importance of a preconfiguration checklist and discuss it with other network administrators in case the far end of the VPN tunnel is managed by a different organization.
Table 15-1 lists all the possible values of Phase 1 attributes that are supported by Cisco ASA. It also includes the default values for each attribute. Highlighting the options and parameters that will be configured on the other end of the VPN tunnel is recommended.
|
Attribute |
Possible Values |
Default Value |
|---|---|---|
|
Encryption |
DES 56-bit 3DES 168-bit AES 128-bit AES 192-bit AES 256-bit |
3DES 168-bit or DES 56-bit, if 3DES feature is not active |
|
Hashing |
MD5 or SHA |
SHA |
|
Authentication method |
Preshared keys RSA signature DSA signature |
Preshared keys |
|
DH group |
Group 1 768-bit field Group 2 1024-bit field Group 5 1536-bit field Group 7 ECC 163-bit field |
Group 2 1024-bit field |
|
Lifetime |
1202,147,483,647 seconds |
86,400 seconds |
Note
DH group 7 is used only for telecommuters who use VPN clients on PDAs.
For 3DES and AES encryption, you must have a VPN-3DES-AES feature set enabled license key.
In addition to the IKE parameters, the two IPSec devices also negotiate the mode of operation. Cisco ASA uses main mode as the default mode for the site-to-site tunnels but it can use aggressive mode if set up for it. After discussing Phase 1 attributes, it is important to highlight Phase 2 attributes for the VPN connection. The Phase 2 security associations (SAs) are used to encrypt and decrypt the actual data traffic. These SAs are also referred as the IPSec SAs. Table 15-2 lists all the possible Phase 2 attributes and their default values, offered by Cisco ASA.
|
Attribute |
Possible Values |
Default Values |
|---|---|---|
|
Encryption |
None DES 56-bit 3DES 168-bit AES 128-bit AES 192-bit AES 256-bit |
3DES 168-bit or DES 56-bit, if 3DES feature is not active |
|
Hashing |
MD5, SHA or None |
None |
|
Identity information |
Network protocol and/or port number |
No default parameter |
|
Lifetime |
1202,147,483,647 seconds 102,147,483,647 KB |
28800 seconds 4,608,000 KB |
|
Mode |
Tunnel or transport |
Tunnel |
|
PFS group |
None Group 1 768-bit DH prime modulus Group 2 1024-bit DH prime modulus Group 5 1536-bit DH prime modulus Group 7 ECC 163-bit field |
None |
Once you determine which Phase 1 and Phase 2 attributes to use, the next step is to configure the site-to-site tunnel.
Note
Advanced Encryption Standard (AES) is a new standard developed by two Belgian cryptographersJoan Daemen and Vincent Rijmen. AES is expected to replace the aging Data Encryption Standard (DES), which is commonly implemented by the IPSec vendors.
It is a best practice to use AES encryption over DES for enhanced security. Make sure that both IPSec devices support AES, because it is a fairly new standard.