Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6298
Views
10
Helpful
8
Replies

Cisco ASA fast forward secrecy

Go to solution
kerstin-534
Level 1
Level 1

‎04-22-2014 12:46 AM

Hi,

does the ASA support FAST FORWARD SECRECY for TLS ?

br Herbert

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Michael Muenz
Level 5
Level 5
In response to kerstin-534

‎04-22-2014 08:18 AM

ASDM - Configuration - Remote Access VPN - Advanced - SSL Settings

Disable everthing but DHE stuff. Test again.

Michael Please rate all helpful posts

View solution in original post

8 Replies 8

Go to solution
Vishnu Sharma
Level 1
Level 1

‎04-22-2014 01:14 AM

Hi Br Herbert,

 

ASA supports PFS ( Perfect Forward Secrecy) for IPSEC using Diffie-Hellman (DH) groups 1,2,5 and 7.

TLS is generally used in SSL connections.

 

Vishnu

0 Helpful

Go to solution
kerstin-534
Level 1
Level 1
In response to Vishnu Sharma

‎04-22-2014 01:24 AM

Hi,

the question was really does the ASA support FAST FORWARD SECRECY for TLS ?

the output after checking with 

https://www.ssllabs.com/ssltest/analyze.html

of the ASA WebVPN solution

The server does not support Forward Secrecy with the reference browsers.  MORE INFO »

br Herbert

Go to solution
Michael Muenz
Level 5
Level 5
In response to kerstin-534

‎04-22-2014 08:18 AM

ASDM - Configuration - Remote Access VPN - Advanced - SSL Settings

Disable everthing but DHE stuff. Test again.

Michael Please rate all helpful posts

Go to solution
kerstin-534
Level 1
Level 1
In response to Michael Muenz

‎04-22-2014 08:34 AM

Thank you, that works with sslabs.com check.

After that the Anyconnect client does not work anymore.

Is that because of TLS 1.0 ?

0 Helpful

Go to solution
Michael Muenz
Level 5
Level 5
In response to kerstin-534

‎04-22-2014 12:15 PM

Are you running AnyConnect 3.1?

Michael Please rate all helpful posts
0 Helpful

Go to solution
kerstin-534
Level 1
Level 1
In response to Michael Muenz

‎04-23-2014 12:51 AM

yes

0 Helpful

Go to solution
Michael Muenz
Level 5
Level 5
In response to kerstin-534

‎04-23-2014 12:57 AM

Hm, sorry, i checked the release notes for AnyConnect 3.0, theres stated that DHE is not supported for 3.0 and 2.5, so I guessed it's in 3.1, but the release notes [1] states:

Because the collective set of algorithms defined as National Security Agency (NSA) Suite B are becoming a standard, the AnyConnect IPsec VPN (IKEv2 only), PKI, 802.1X, and EAP now support them.

 

So, best practise would be to set DHE at the top and leave the other secure alg's for AnyConnect compat.

 

[1] http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html

Michael Please rate all helpful posts
0 Helpful

Go to solution
kerstin-534
Level 1
Level 1
In response to Michael Muenz

‎04-23-2014 02:56 AM

Anyconnect seems to work with Internet Explorer libraries. All other Browsers work with DHE if configured first before other ciphers.

thanks

 

0 Helpful
Customers Also Viewed These Support Documents