SHA 1 to 2 and DH group migration

Hi All,

In our current setup we are using DMVPN to establish connectivity between the branch offices and the Data Center, and we are currently using SHA version 1 and DH group 2. As both configurations seem to be deemed vulnerable to attack, we are working to migrate to SHA 2 and DH group 14 and above, and we are also planning to configure IKEv2. I have copied my current configuration below for reference. We are currently using IOS version 15.2(1)T2.1.

Please let me know what could be the best way (configuration) to go for an upgrade, in terms of choosing the parameters, and whether there are any limitations or drawbacks found in the updated version.

Waiting for the reply

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 60
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set gre_set esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec nat-transparency spi-matching
!
!
crypto ipsec profile gre_prof
 set transform-set gre_set
 set pfs group2

Accepted Solution

GCM (Galois/Counter Mode) is very, very good. You should use it in preference to plain "aes 256".

When they created IKEv1 it was difficult to think of all the usage scenarios. As a result, some things that ended up being needed were not part of the standard. This resulted in de facto standards, which in the earlier days caused a lot of vendor interoperability issues.

IKEv2 resolves most of that, specifies more precisely how things work, and also streamlines some things.

I deploy IKEv2 as my first choice for VPNs, and IKEv1 as my second choice.


7 Replies

Philip D'Ath (VIP Alumni)

Is it possible to do a "big bang" and change all your nodes in one hit, or are you only able to do some at a time?

Philip - We have multiple branch offices across the globe; we can't change all the locations at once, we need to go one by one. In addition to that, we also need to migrate our DC parameters to the latest ones.

So please advise me accordingly.

Create a whole new tunnel on the DMVPN head end configured for IKEv2 only, using the new crypto parameters.

Then migrate each site, one by one, by moving it to the new tunnel system.

When finished, delete the old tunnel and crypto config on the head end.
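The staged migration described in the reply above, written out as an added hub-side configuration (it is not from this thread or from any Cisco document): a second DMVPN overlay that negotiates only IKEv2 with SHA-256, DH group 14 and AES-GCM for ESP, left running beside the existing IKEv1 tunnel until every spoke has moved. Interface names, addresses, the Loopback1 tunnel source and the pre-shared key are assumptions, and keyword availability depends on the IOS release, so it should be checked against the platform's feature documentation before use.

```cisco
! --- IKEv2: proposal and the policy that activates it ---
crypto ikev2 proposal PROP-V2
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-V2
 proposal PROP-V2
!
! --- Pre-shared keys. Wildcard shown for brevity; one peer block
!     with its own key per spoke is the better practice. ---
crypto ikev2 keyring KR-V2
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-KEY
!
crypto ikev2 profile PROF-V2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-V2
 dpd 60 5 on-demand
!
! --- IPsec: AES-GCM is an AEAD cipher, so no separate esp-sha-hmac ---
crypto ipsec transform-set GRE-SET-GCM esp-gcm 256
 mode transport
crypto ipsec profile GRE-PROF-V2
 set transform-set GRE-SET-GCM
 set pfs group14
 set ikev2-profile PROF-V2
!
! --- New mGRE hub interface. It uses its own source address so it does
!     not have to share a source (and therefore an IPsec profile) with
!     the old IKEv1 tunnel; the old Tunnel0/gre_prof stay untouched. ---
interface Loopback1
 ip address 198.51.100.1 255.255.255.255
interface Tunnel1
 description DMVPN hub - IKEv2 only, migration target
 ip address 10.255.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map multicast dynamic
 ip nhrp network-id 200
 tunnel source Loopback1
 tunnel mode gre multipoint
 tunnel key 200
 tunnel protection ipsec profile GRE-PROF-V2
```

Each spoke is then repointed at the new hub address with a matching IKEv2 proposal, profile and transform set; once `show crypto ikev2 sa` on the hub lists every spoke, the IKEv1 tunnel and its isakmp policy can be removed.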

Thanks for the update, Philip. If possible, could you please tell me the difference between using encryption "aes 256" and "aes 256-GCM"?

And what is the advantage of using IKEv2 over IKE?


In my environment we are using Cisco ASR 1000 series in the Data Center (hub end), and ISR 4000 series and 2911 & 2921 routers at the spoke end. Will IKEv2 be supported on these platforms?

As long as your 2900s are running at least 15.x code, they are highly likely to all support IKEv2.