Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site-to-Site Wizard and Encryption levels?

Hi All, curious as to how the ASA negotiates encryption and hash values when using the ASDM site-to-site wizard.  The wizard appears to allow all possible combinations so if both sides are setup using the wizard defaults, are the agreed upon phase1/2 encryption and hash values random or is there some logic to what they select?  Reason I ask is because I noticed one tunnel is using AES256 while a different tunnel is using 3DES.  Both are ASA to ASA and both were setup using the ASDM site to site wizard.  Also, does it make more sense to limit both sides to a specific value?

Thanks! 

Everyone's tags (5)
5 REPLIES
Cisco Employee

Site-to-Site Wizard and Encryption levels?

You would actually need to choose the same encryption and hash value to match the remote side of the tunnel. If there is no matching encryption or hash policy, then the VPN tunnel would not be established.

So prior to configuring site-to-site tunnel, you would need to ensure that you have the same encryption and hash value agreed upon and configured on both end.

New Member

Site-to-Site Wizard and Encryption levels?

I understand that Jennifer, but when you use the site to site wizard, it appears to select all possible values so I'm wondering how the two sides agree upon which one to use in that scenario?

VIP Purple

Re: Site-to-Site Wizard and Encryption levels?

When multiple policies and transforms are available, the responding ASA (or router, same system) uses a priority to choose one of them.

For Phase I:

The Isakmp policies have Numbers. These are the priorities where the lowest number have the highest priorities. Assume both ASAs have two policies:

ASA1:

10: AES256, SHA, DH5, PSK, 86400s

20: DES, MD5, DH1, PSK, 86400s

ASA2:

10: DES, MD5, DH1, PSK, 86400s

20: AES256, SHA, DH5, PSK, 86400s

If ASA1 initiates the IPSec-session, then they would negotiate to DES, MD5 and DH1. But if ASA2 initiates the connection, then they negotiate to AES256, SHA, DH5. The responder of the session decides.

For Phase II:

There you can have multiple transforms listed in the "set transform-set"-command. Here the transforms at the beginning have a higher priority then the transforms at the end of the command.

What to take away from that:

1) Remove all unsecure policies and transforms because they could be choosen if a peer suggests only unsecure transforms.

2) The more secure policies/ransforms should always have a higher priority then the not so secure policies and transforms.

Sent from Cisco Technical Support iPad App


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: Site-to-Site Wizard and Encryption levels?

Thanks for the detailed explanation Karsten.  So let me ask this... For a site to site vpn that needs optimal throughput with minimal security, what phase 1 / 2 parameters make the most sense?  Secondly, how would one enforce that the site to site tunnel only use that set of parameters via ASDM?  Do I simply edit and remove all parameters except what I want to use under  Configuration / Site-To-Site VPN / Advanced / Crypto Maps  and IPSec Proposals (Transform Sets) ?

VIP Purple

Re: Site-to-Site Wizard and Encryption levels?

The encryption is done in hardware, so it doesn't really matter that much what you take from a performance standpoint. I would just go with AES128/SHA.

You can delete all transforms and policies that you don't need. The ASDM somtimes doesn't allow that, but it can be done from the CLI.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
401
Views
0
Helpful
5
Replies