[Ach] Section on IOS-VPN

L. Aaron Kaplan kaplan at cert.at
Thu Jan 2 14:29:01 CET 2014


On Jan 2, 2014, at 2:15 PM, Karsten Iwen <ki at iwen.de> wrote:

> Hi all,
> 
> I'm thinking about how to build the section on IOS-VPNs. One problem is that on IOS there are numerous ways to configure VPNs.


> Because it's not practical to cover them all, the document should at least cover the commands that are needed to specify the cryptography used. But there, too, the config can only be partly complete because of the different VPN-styles. The config shown is only for site-to-site; remote access is not covered yet.
> 
> 

(...)

Okay, so I guess also for remote access, we might see a lot of compatibility issues with different clients?

Upon first inspection the settings look OK to me. Note that I am not a Cisco person, so I'll let others judge.
But yes, if they agree, I'd say send a pull request on github please.

a.

> ------------------- SNIP -------------------
> 
> ISAKMP/IKEv1
> ========
> Tested with Version 15.0, 15.1, 15.2
> 
> crypto isakmp policy 1
> encr aes 256
> hash sha256
> authentication pre-share
> group 14
> !
> crypto isakmp policy 2
> encr aes 256
> authentication pre-share
> group 14
> !
> crypto isakmp policy 3
> encr aes 256
> authentication pre-share
> group 5
> !
> crypto ipsec transform-set ESP-GCM256 esp-gcm 256
> crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
> 
> crypto ipsec profile IPSEC-TUNNEL
> set transform-set ESP-GCM256 ESP-AES256-SHA
> set pfs group14
> !
> crypto map CMAP-NAME 10 ipsec-isakmp
> set transform-set ESP-GCM256 ESP-AES256-SHA
> set pfs group14
> 
> Note1:
> This shows only a partial config. Subject to your VPN-style, the crypto-map and/or ipsec-profile needs additional configuration.
> 
> Note2:
> On IOS, there are default-transforms and policies that allow legacy cryptography. You should always specify your own selection of parameters.
> 
> Note3:
> This config has some fallback-elements that can be removed if only newer IOS-versions are used.
> You need an IOS 15.1(2)T or higher for HASH256/384/512 in ISAKMP policies and for transform-sets with ESP-GCM.
> 
> 
> IKEv2
> ===
> Tested with Versions 15.2, 15.4
> 
> crypto ikev2 proposal AES256-SHA256-DH14
> encryption aes-cbc-256
> integrity sha256
> group 14
> !
> crypto ikev2 policy ONLY-STRONG-CRYPTO
> proposal AES256-SHA256-DH14
> !
> crypto ipsec transform-set ESP-GCM256 esp-gcm 256
> !
> crypto ipsec profile IPSEC-TUNNEL
> set transform-set ESP-GCM256
> set pfs group14
> !
> crypto map CMAP-NAME 10 ipsec-isakmp
> set transform-set ESP-GCM256
> set pfs group14
> 
> Note1:
> This shows only a partial config. Subject to your VPN-style, the crypto-map and/or ipsec-profile needs additional configuration.
> 
> Note2:
> For IKEv2, the fallback-config shown in the previous section is not needed as all IOS-routers with IKEv2-support also support the newer cryptography.
> 
> ------------------- SNIP -------------------
> 
> When approved, I think I can send it to the repository.
> 
> 
> regards, Karsten
> 
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
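
The quoted IKEv1/IKEv2 stanzas are the kind of thing a reviewer otherwise has to eyeball by hand. As an added example (not code from this thread or from the document being drafted), here is a small Python checker that pulls `crypto isakmp policy`, `crypto ikev2 proposal` and `crypto ipsec transform-set` entries out of a saved running-config and flags DES/3DES, MD5, SHA-1 and DH groups 1/2/5, plus ISAKMP parameters that were left unset and therefore fall back to the IOS default (the point of Note2 above). The severity thresholds, the names ALG_RATING/GROUP_RATING and the sample config are my own choices for the example; the algorithm tokens are spelled as IOS prints them in `show running-config`.

```python
"""Flag legacy crypto in Cisco IOS IKEv1 policies, IKEv2 proposals and IPsec transform-sets (added example; sample config constructed)."""
from collections import namedtuple

Finding = namedtuple("Finding", "block severity reason")
ALG_RATING = {  # algorithm tokens spelled exactly as IOS prints them in the running-config
    "des": "FAIL", "3des": "FAIL", "esp-des": "FAIL", "esp-3des": "FAIL", "esp-null": "FAIL",
    "md5": "FAIL", "esp-md5-hmac": "FAIL", "ah-md5-hmac": "FAIL",
    "sha": "WARN", "sha1": "WARN", "esp-sha-hmac": "WARN", "ah-sha-hmac": "WARN",  # all SHA-1
}
GROUP_RATING = {"1": "FAIL", "2": "FAIL", "5": "WARN"}  # 5 = 1536-bit MODP, IKEv1 fallback only
ISAKMP_KEYS = {"encr": False, "hash": False, "group": True}  # True = value is a DH group number
IKEV2_KEYS = {"encryption": False, "integrity": False, "group": True}

def rate(token, is_group):
    return (GROUP_RATING if is_group else ALG_RATING).get(token)

def parse_blocks(config):
    """Return [(header, [sub-lines])] for every ISAKMP policy, IKEv2 proposal and transform-set."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.strip()  # 'show run' indents sub-commands by one space
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(("crypto isakmp policy ", "crypto ikev2 proposal ",
                              "crypto ipsec transform-set ")):
            current = (line, [])
            blocks.append(current)
        elif line.startswith("crypto "):
            current = None  # some other crypto stanza; its body is not audited
        elif current is not None:
            current[1].append(line)
    return blocks

def audit_isakmp(header, body):
    """IKEv1: one algorithm per line; anything omitted silently takes the IOS default."""
    seen = {}
    for line in body:
        cmd, *args = line.split()
        if cmd in ISAKMP_KEYS:
            seen[cmd] = args[0]
    out = []
    for key, is_group in ISAKMP_KEYS.items():
        if key not in seen:
            out.append(Finding(header, "INFO", f"{key} not set, IOS default applies"))
        elif rate(seen[key], is_group):
            out.append(Finding(header, rate(seen[key], is_group), f"{key} {seen[key]}"))
    return out

def audit_ikev2(header, body):
    """IKEv2: a line may list several algorithms, and every one of them is offered."""
    out = []
    for line in body:
        cmd, *args = line.split()
        for token in (args if cmd in IKEV2_KEYS else ()):
            sev = rate(token, IKEV2_KEYS[cmd])
            if sev:
                out.append(Finding(header, sev, f"{cmd} {token}"))
    return out

def audit_transform_set(header):
    """Everything after 'crypto ipsec transform-set NAME' names an ESP/AH algorithm."""
    return [Finding(header, ALG_RATING[t], t) for t in header.split()[4:] if t in ALG_RATING]

def audit(config):
    findings = []
    for header, body in parse_blocks(config):
        if header.startswith("crypto isakmp policy "):
            findings += audit_isakmp(header, body)
        elif header.startswith("crypto ikev2 proposal "):
            findings += audit_ikev2(header, body)
        else:
            findings += audit_transform_set(header)
    return findings

# Constructed sample: a clean IKEv1 policy, a legacy one, one that relies on defaults,
# an IKEv2 proposal still offering 3DES/SHA-1/group 2, and three transform-sets.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 group 14
!
crypto isakmp policy 5
 encr 3des
 hash md5
 group 2
!
crypto isakmp policy 9
!
crypto ikev2 proposal LEGACY
 encryption aes-cbc-256 3des
 integrity sha256 sha1
 group 14 2
!
crypto ipsec transform-set ESP-GCM256 esp-gcm 256
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:4} {f.block}: {f.reason}")
```

Run it against the output of `show running-config` saved to a file, or the constructed SAMPLE_CONFIG above. It only sees what the running-config prints: the built-in default ISAKMP policies and IKEv2 proposals that Note2 warns about are not listed there, which is exactly why that note says to define your own selection rather than rely on them.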
