Preconfiguration Checklist

As discussed in the VPN section of Chapter 1, "Introduction to Network Security," IPSec can use Internet Key Exchange (IKE) for key management and tunnel negotiation. IKE uses a combination of different Phase 1 and Phase 2 attributes that are negotiated between the peers. If any one of the attributes is misconfigured, the IPSec tunnel will fail to establish. It is therefore highly recommended that security professionals understand the importance of a preconfiguration checklist and discuss it with other network administrators in case the far end of the VPN tunnel is managed by a different organization.

Table 15-1 lists all the possible values of Phase 1 attributes that are supported by Cisco ASA. It also includes the default values for each attribute. Highlighting the options and parameters that will be configured on the other end of the VPN tunnel is recommended.

Table 15-1. ISAKMP Attributes

Attribute

Possible Values

Default Value

Encryption

DES 56-bit

3DES 168-bit

AES 128-bit

AES 192-bit

AES 256-bit

3DES 168-bit or

DES 56-bit, if 3DES feature is not active

Hashing

MD5 or SHA

SHA

Authentication method

Preshared keys

RSA signature

DSA signature

Preshared keys

DH group

Group 1 768-bit field

Group 2 1024-bit field

Group 5 1536-bit field

Group 7 ECC 163-bit field

Group 2 1024-bit field

Lifetime

1202,147,483,647 seconds

86,400 seconds

Note

DH group 7 is used only for telecommuters who use VPN clients on PDAs.

For 3DES and AES encryption, you must have a VPN-3DES-AES feature set enabled license key.

In addition to the IKE parameters, the two IPSec devices also negotiate the mode of operation. Cisco ASA uses main mode as the default mode for the site-to-site tunnels but it can use aggressive mode if set up for it. After discussing Phase 1 attributes, it is important to highlight Phase 2 attributes for the VPN connection. The Phase 2 security associations (SAs) are used to encrypt and decrypt the actual data traffic. These SAs are also referred as the IPSec SAs. Table 15-2 lists all the possible Phase 2 attributes and their default values, offered by Cisco ASA.

Table 15-2. IPSec Attributes

Attribute

Possible Values

Default Values

Encryption

None

DES 56-bit

3DES 168-bit

AES 128-bit

AES 192-bit

AES 256-bit

3DES 168-bit or

DES 56-bit, if 3DES feature is not active

Hashing

MD5, SHA or None

None

Identity information

Network protocol and/or port number

No default parameter

Lifetime

1202,147,483,647 seconds

102,147,483,647 KB

28800 seconds

4,608,000 KB

Mode

Tunnel or transport

Tunnel

PFS group

None

Group 1 768-bit DH prime modulus

Group 2 1024-bit DH prime modulus

Group 5 1536-bit DH prime modulus

Group 7 ECC 163-bit field

None

Once you determine which Phase 1 and Phase 2 attributes to use, the next step is to configure the site-to-site tunnel.

Note

Advanced Encryption Standard (AES) is a new standard developed by two Belgian cryptographersJoan Daemen and Vincent Rijmen. AES is expected to replace the aging Data Encryption Standard (DES), which is commonly implemented by the IPSec vendors.

It is a best practice to use AES encryption over DES for enhanced security. Make sure that both IPSec devices support AES, because it is a fairly new standard.

Категории