Cisco ASA fast forward secrecy

Hi,

Does the ASA support FAST FORWARD SECRECY for TLS?

br Herbert

Accepted Solution

ASDM - Configuration - Remote Access VPN - Advanced - SSL Settings

Disable everything but DHE stuff. Test again.

Michael Please rate all helpful posts
8 REPLIES

Hi Br Herbert,

ASA supports PFS (Perfect Forward Secrecy) for IPsec using Diffie-Hellman (DH) groups 1, 2, 5 and 7.

TLS is generally used in SSL connections.

Vishnu

Community Member

Hi,

the question was really: does the ASA support FAST FORWARD SECRECY for TLS?

The output after checking the ASA WebVPN solution with

https://www.ssllabs.com/ssltest/analyze.html

was:

"The server does not support Forward Secrecy with the reference browsers."

br Herbert

Community Member

Thank you, that works with the ssllabs.com check.

After that the Anyconnect client does not work anymore.

Is that because of TLS 1.0 ?

Are you running AnyConnect 3.1?

Michael Please rate all helpful posts
Community Member

yes

Hm, sorry, I checked the release notes for AnyConnect 3.0; there it is stated that DHE is not supported for 3.0 and 2.5, so I guessed it's in 3.1, but the release notes [1] state:

Because the collective set of algorithms defined as National Security Agency (NSA) Suite B are becoming a standard, the AnyConnect IPsec VPN (IKEv2 only), PKI, 802.1X, and EAP now support them.

So, best practice would be to set DHE at the top and leave the other secure algorithms for AnyConnect compatibility.

[1] http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html

Michael Please rate all helpful posts
Community Member

Anyconnect seems to work with Internet Explorer libraries. All other Browsers work with DHE if configured first before other ciphers.

thanks
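The thread settles on two configurations: the accepted solution (disable every SSL cipher except the DHE suites) and Michael's later compromise (put DHE at the top and keep the other suites so AnyConnect still connects). The script below is an added example, not code from Cisco, the ASA, or any poster in this thread. It assumes the cipher names shown in ASDM's SSL Settings follow the OpenSSL naming convention (for example DHE-RSA-AES256-SHA); the SAMPLE_ENABLED list is constructed for illustration, not copied from a device. It sorts such a list so forward-secret suites come first in either the strict or the compatibility variant, and it includes a live check that reproduces the essence of the SSL Labs "does not support Forward Secrecy" verdict by offering a server only ECDHE/DHE suites and seeing whether the handshake completes.

```python
"""Order an ASA-style TLS cipher list so forward-secrecy suites come first, and
optionally check live whether a server will negotiate one at all.

Added example (not Cisco's or any forum poster's code). Assumes OpenSSL-style
cipher names as shown in ASDM; SAMPLE_ENABLED is a constructed list.
"""
import socket
import ssl

# Constructed sample: the kind of list ASDM > Remote Access VPN > Advanced >
# SSL Settings might show, with only some DHE suites enabled.
SAMPLE_ENABLED = [
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "RC4-MD5",
    "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA",
]

# Key-exchange prefixes that use ephemeral keys and therefore give forward secrecy.
FS_KEX_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def has_forward_secrecy(cipher_name):
    """True if the suite's key exchange is ephemeral (ECDHE/DHE, or any TLS 1.3 suite).

    TLS 1.3 suites are named TLS_AES_... / TLS_CHACHA20_...; TLS 1.3 always
    performs an ephemeral (EC)DHE exchange, so those are forward secret by design.
    """
    name = cipher_name.upper()
    return name.startswith(FS_KEX_PREFIXES) or name.startswith("TLS_")


def split_by_forward_secrecy(ciphers):
    """Partition a cipher list into (forward-secret, not-forward-secret), order preserved."""
    fs = [c for c in ciphers if has_forward_secrecy(c)]
    non_fs = [c for c in ciphers if not has_forward_secrecy(c)]
    return fs, non_fs


def preferred_order(ciphers, keep_non_fs=True):
    """Return the list with forward-secret suites first.

    keep_non_fs=True is the thread's compromise (DHE at the top, the rest kept for
    clients such as older AnyConnect builds); keep_non_fs=False is the strict
    "disable everything but DHE" variant from the accepted solution.
    """
    fs, non_fs = split_by_forward_secrecy(ciphers)
    return fs + (non_fs if keep_non_fs else [])


def server_supports_forward_secrecy(host, port=443, timeout=5.0):
    """Live check: offer only ECDHE/DHE suites; the handshake fails if the server has none.

    Returns (True, negotiated_cipher) or (False, error_text). Certificate validation
    is switched off on purpose: the question is cipher support, not trust.
    Needs network access; it is not exercised by the offline self-test.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Restricts the TLS <= 1.2 offer to forward-secret suites; a TLS 1.3 server
    # can still complete the handshake, which is the correct answer (always FS).
    ctx.set_ciphers("ECDHE:DHE")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    import sys

    fs, non_fs = split_by_forward_secrecy(SAMPLE_ENABLED)
    print("forward-secret suites:", fs)
    print("not forward-secret:   ", non_fs)
    print("compat order:         ", preferred_order(SAMPLE_ENABLED))
    print("strict order:         ", preferred_order(SAMPLE_ENABLED, keep_non_fs=False))
    if len(sys.argv) > 1:  # e.g. python fs_check.py vpn.example.invalid
        print(server_supports_forward_secrecy(sys.argv[1]))
```

Run it with no arguments to see how a sample list splits; pass a hostname to run the live check against a gateway you administer. A (False, ...) result with only ECDHE/DHE offered corresponds to the SSL Labs verdict quoted above, while a True result from a client that actually uses those suites is what the fix in this thread produces. The compatibility ordering mirrors Herbert's final observation: clients that prefer DHE pick it up when it is listed first, and clients that cannot (older AnyConnect builds) still fall back to a remaining suite.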

 
