[Ach] Section on IOS-VPN

Karsten Iwen ki at iwen.de
Thu Jan 2 14:15:17 CET 2014


Hi all,

I'm thinking about how to build the section on IOS VPNs. One problem is that on IOS there are numerous ways to configure VPNs. Because it's not practical to cover them all, the document should at least cover the commands that are needed to specify the cryptography used. But even there the config can only be partly complete because of the different VPN styles. The config shown is only for site-to-site; remote access is not covered yet.


------------------- SNIP -------------------

ISAKMP/IKEv1
============
Tested with versions 15.0, 15.1, 15.2

crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Fallback for IOS before 15.1(2)T (no SHA-256 support): without a 'hash' line
! the IOS default, SHA-1, applies.
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
!
! Last-resort fallback: DH group 5 (1536-bit MODP) instead of group 14.
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 5
!
! AES-GCM needs IOS 15.1(2)T or higher; AES-CBC with HMAC-SHA-1 is the fallback.
crypto ipsec transform-set ESP-GCM256 esp-gcm 256
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto ipsec profile IPSEC-TUNNEL
 set transform-set ESP-GCM256 ESP-AES256-SHA
 set pfs group14
!
crypto map CMAP-NAME 10 ipsec-isakmp
 set transform-set ESP-GCM256 ESP-AES256-SHA
 set pfs group14

Note1:
This shows only a partial config. Depending on your VPN style, the crypto map and/or IPsec profile needs additional configuration.

Note2:
On IOS, there are default transforms and policies that allow legacy cryptography. You should always specify your own selection of parameters.

Note3:
This config has some fallback elements that can be removed if only newer IOS versions are used.
You need IOS 15.1(2)T or higher for SHA-256/384/512 in ISAKMP policies and for transform-sets with ESP-GCM.


IKEv2
=====
Tested with versions 15.2, 15.4

crypto ikev2 proposal AES256-SHA256-DH14
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy ONLY-STRONG-CRYPTO
 proposal AES256-SHA256-DH14
!
crypto ipsec transform-set ESP-GCM256 esp-gcm 256
!
crypto ipsec profile IPSEC-TUNNEL
 set transform-set ESP-GCM256
 set pfs group14
!
crypto map CMAP-NAME 10 ipsec-isakmp
 set transform-set ESP-GCM256
 set pfs group14

Note1:
This shows only a partial config. Depending on your VPN style, the crypto map and/or IPsec profile needs additional configuration.

Note2:
For IKEv2, the fallback config shown in the previous section is not needed, as all IOS routers with IKEv2 support also support the newer cryptography.

------------------- SNIP -------------------

When approved, I think I can send it to the repository.


regards, Karsten
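Added example (not part of Karsten's post or the ACH document): a small Python checker that applies Note 2 of the IKEv1 section to a saved IOS configuration. It parses `crypto isakmp policy`, `crypto ikev2 proposal` and `crypto ipsec transform-set` entries from `show running-config` text and reports every parameter in a legacy set (DES/3DES, MD5, SHA-1, DH groups 1/2/5, ESP-NULL). The sample config is constructed here: it takes policies 2 and 3 and the two transform-sets from the post and adds a legacy policy, IKEv2 proposal and transform-set for illustration. The defaults assumed for an ISAKMP policy that omits `encr`, `hash` or `group` (DES, SHA-1, group 1) are taken from Cisco's documentation and should be confirmed on the device with `show crypto isakmp policy`; the "weak" sets are this example's own choice.

```python
"""Scan a Cisco IOS configuration for legacy IKEv1/IKEv2/IPsec parameters.
Added example, not from the original post: feed it 'show running-config' text.
The sample config at the bottom is constructed; the weak sets are this example's policy."""
import re
from dataclasses import dataclass, field

# Algorithm names exactly as IOS prints them in the respective command.
WEAK_ISAKMP_ENCR = {"des", "3des"}
WEAK_ISAKMP_HASH = {"md5", "sha"}        # 'hash sha' is SHA-1
WEAK_IKEV2_ENCR = {"des", "3des"}
WEAK_IKEV2_INTEG = {"md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}         # 768-, 1024- and 1536-bit MODP
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}
# Values IOS applies to a user-defined isakmp policy when the line is omitted
# (assumption from Cisco's documentation; confirm with 'show crypto isakmp policy').
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}


@dataclass
class CryptoBlock:
    kind: str            # 'isakmp-policy', 'ikev2-proposal' or 'transform-set'
    name: str
    params: dict = field(default_factory=dict)


def parse_ios_crypto(config: str) -> list:
    """Collect the crypto blocks of interest; every other line is ignored."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):            # a top-level command ends any block
            current = None
            if m := re.match(r"crypto isakmp policy (\S+)$", line):
                current = CryptoBlock("isakmp-policy", m.group(1), dict(ISAKMP_DEFAULTS))
                blocks.append(current)
            elif m := re.match(r"crypto ikev2 proposal (\S+)$", line):
                current = CryptoBlock("ikev2-proposal", m.group(1))
                blocks.append(current)
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
                blocks.append(CryptoBlock("transform-set", m.group(1),
                                          {"transforms": m.group(2).split()}))
            continue
        if current is not None:                 # indented line: parameter of current block
            key, _, value = line.strip().partition(" ")
            if key == "encryption" and current.kind == "isakmp-policy":
                key = "encr"                    # typed as 'encryption', shown as 'encr'
            current.params[key] = value
    return blocks


def find_weak(blocks) -> list:
    """Return (kind, name, parameter, algorithm) for every legacy value found."""
    findings = []
    for b in blocks:
        if b.kind == "isakmp-policy":
            checks = [("encr", WEAK_ISAKMP_ENCR), ("hash", WEAK_ISAKMP_HASH),
                      ("group", WEAK_DH_GROUPS)]
        elif b.kind == "ikev2-proposal":
            checks = [("encryption", WEAK_IKEV2_ENCR), ("integrity", WEAK_IKEV2_INTEG),
                      ("group", WEAK_DH_GROUPS)]
        else:
            checks = [("transforms", WEAK_ESP)]
        for key, weak in checks:
            value = b.params.get(key, "")
            # ikev2 lines and transform-sets may list several algorithms on one line
            tokens = value.split() if isinstance(value, str) else value
            findings.extend((b.kind, b.name, key, t) for t in tokens if t in weak)
    return findings


# Constructed sample: policies 2 and 3 and the transform-sets from the post, plus a
# legacy policy, proposal and transform-set that a real audit might turn up.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ikev2 proposal LEGACY
 encryption aes-cbc-128 3des
 integrity sha1
 group 2
crypto ipsec transform-set ESP-GCM256 esp-gcm 256
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set OLD-3DES esp-3des esp-md5-hmac
"""

if __name__ == "__main__":
    for kind, name, key, alg in find_weak(parse_ios_crypto(SAMPLE_CONFIG)):
        print(f"{kind} {name}: {key} {alg}")
```

Run against the saved output of `show running-config | section crypto`. Two things the output makes visible that the config alone does not: policies 2 and 3 from the post are reported for `hash sha`, because they omit the `hash` line and therefore get the IOS default SHA-1 (intended here as fallbacks, but worth knowing when the fallbacks are eventually removed), and `esp-sha-hmac` (HMAC-SHA-1) in a transform-set is deliberately not flagged, since the post keeps it as a fallback; add it to WEAK_ESP if your policy is stricter.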
