[Ach] Comments for VPN-section

Aaron Zauner azet at azet.org
Tue Dec 17 00:32:50 CET 2013

Hi Karsten,

On 16 Dec 2013, at 22:44, Karsten Iwen <ki at iwen.de> wrote:
> Some comments on the Cisco ASA-section in the VPN chapter:
> 1) IKEv2-proposals: There should be a note that most of the algorithms are only available on the actual X-models. If one of the still very often used legacy models (5505,5510,5520,5540,5550) is used, then there is no sha-256/384/512 and no aes-gcm. sha-256/384/512 *is* available on the policies.
Thanks, I was not aware of that - I currently only have an X-series model at hand so I couldn’t try it elsewhere. I’ll make sure to include that in the Chapter.

Would you be willing to do another Configuration write-up for other Cisco devices?

> 2) IKEv2-proposals: Why is md5 included in the list of suggested algorithms? Even for compatibility with older systems SHA-1 should be enough.
Because it’s not possible to remove it. Neither ASDM nor the IOS CLI supports that. It should be excluded due to the IKEv2 policies I’ve set.

> 3) SSL-settings: There should be a note that 3DES is still needed if AnyConnect is used under Windows XP.
We’re not supporting 3DES in the configurations in this paper.

> 4) A link to the Cisco "Next Generation Encryption" could be added: http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
Thanks, I’ll include that information.

I should maybe also add that RSA keys beyond 2048 bit cannot be used on an ASA to handle SSL traffic.

> 5) Under Authentication you mention that the PSK should not be shorter than the output of the hash. Is there a reference for that?
cm wrote that part. CC’d
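Point 5 above asks about the rule that an IKE pre-shared key should be no shorter than the output of the hash used as PRF. The thread does not settle it, but the following added Python example (not part of the mailing list message or of the ACH document) shows what a reviewer can actually check: the PRF output length for the algorithms named in the thread, whether an existing PSK (as the bytes the peers feed to the PRF) reaches that length, and how to generate one that carries at least that much CSPRNG entropy. The name mapping and the "at least digest-size bytes" reading of the rule are assumptions made for this example.

```python
import hashlib
import secrets

# Assumed mapping from IKEv2 PRF/integrity names as written in the thread
# (sha-256, sha1, ...) to hashlib algorithm names. Not taken from the page.
PRF_TO_HASHLIB = {
    "md5": "md5",
    "sha1": "sha1",
    "sha-1": "sha1",
    "sha256": "sha256",
    "sha-256": "sha256",
    "sha384": "sha384",
    "sha-384": "sha384",
    "sha512": "sha512",
    "sha-512": "sha512",
}


def prf_output_bytes(prf_name: str) -> int:
    """Output length in bytes of the hash behind the given PRF name."""
    return hashlib.new(PRF_TO_HASHLIB[prf_name.lower()]).digest_size


def psk_meets_rule(psk: str, prf_name: str) -> bool:
    """Length check only: the PSK, encoded as the peers will feed it to the PRF,
    must be at least as long as the PRF output. This says nothing about entropy;
    32 repeated characters pass this test but carry almost no secrecy."""
    return len(psk.encode("utf-8")) >= prf_output_bytes(prf_name)


def generate_psk(prf_name: str) -> str:
    """Printable PSK holding at least prf_output_bytes(prf_name) bytes of CSPRNG
    entropy. n random bytes become 2n hex characters (4 bits each), so the
    result both satisfies the length rule and really contains 8n bits."""
    n = prf_output_bytes(prf_name)
    return secrets.token_hex(n)


def audit_psks(psks: dict, prf_name: str) -> list:
    """Return the names of PSKs in {name: psk} that are shorter than the PRF output."""
    return [name for name, psk in psks.items() if not psk_meets_rule(psk, prf_name)]


if __name__ == "__main__":
    # Constructed sample inventory, not real keys.
    sample = {
        "branch-a": "correct horse battery staple",  # 28 bytes: too short for SHA-256
        "branch-b": generate_psk("sha-256"),           # 64 hex chars: passes
    }
    print("too short for sha-256:", audit_psks(sample, "sha-256"))
```

Because the thread's rule is about length, the audit only flags keys that are too short; a key that passes still needs to have come from a CSPRNG, which is why `generate_psk` derives the key from `secrets` rather than from a passphrase.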
