[Ach] Comments for VPN-section

Karsten Iwen ki at iwen.de
Mon Dec 16 22:44:37 CET 2013

Hi all,

I'm Karsten, freelance trainer and consultant with focus on Cisco Security solutions. 

Some comments on the Cisco ASA-section in the VPN chapter:

1) IKEv2-proposals: There should be a note that most of the algorithms are only available on the actual X-models. If one of the still very often used legacy models (5505,5510,5520,5540,5550) is used, then there is no sha-256/384/512 and no aes-gcm. sha-256/384/512 *is* available on the policies.

2) IKEv2-proposals: Why is md5 included in the list of suggested algorithms? Even for compatibility with older systems SHA-1 should be enough.

3) SSL-settings: There should be a note that 3DES is still needed if AnyConnect is used under Windows XP.

4) A link to the Cisco "Next Generation Encryption" could be added: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

5) Under Authentication you mention that the PSK should not be shorter than the output of the hash. Is there a reference for that?

regards, Karsten
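As an added illustration of items 1 and 2 above (this is not part of Karsten's mail nor of the guide he is commenting on): a minimal ASA IKEv2 site-to-site configuration showing where the algorithm split falls. Proposal names (AES256-SHA256, AES256-SHA1-LEGACY) and the policy number are placeholders; the interface name "outside" is assumed. The availability follows the mail: sha256 in the crypto ikev2 policy works on the legacy 5505/5510/5520/5540/5550 as well, while sha-256 ESP integrity and aes-gcm in the ipsec-proposal need a 5500-X. md5 is deliberately absent from both.

```text
! IKEv2 (phase 1) policy: sha256 integrity/PRF is accepted here on
! legacy models too, so there is no reason to offer md5 or sha
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! IPsec (phase 2) proposal for a 5500-X: sha-256 ESP integrity available
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Fallback for 5505/5510/5520/5540/5550: no sha-256/384/512 and no
! aes-gcm for ESP on these boxes, so sha-1 is the strongest remaining
! integrity choice; md5 is still left out entirely
crypto ipsec ikev2 ipsec-proposal AES256-SHA1-LEGACY
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ikev2 enable outside
```

Check which of the two proposals a given box actually accepted with "show running-config crypto": on a legacy model the sha-256 line of the first proposal is rejected at entry time, while the policy block is taken as written.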
