Supported HW IKEv2/IPsec algorithms in ISR G2 and new G3 (43xx)

Wes Smith
Level 1

Hello

I'm updating crypto for all our vpn routers.  

I'm picking the strongest algorithms as documented in the NextGen Encryption Guide

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

I would like to use Elliptical curve vs RSA where possible

We're using ASR1002x as head end hubs, and a mix of 881, 891, 891F, 3925 (with ISM), 3945E and 4331

The above guide warns some routers cannot process some of the algorithms in HW, but doesn't provide details.

Does anyone have info on which algorithms to avoid on the ISRG2 891, 3925, 3945E ?

 

My current config on the 891s is

crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha512
 group 14

crypto ikev2 profile test1
 match fvrf INET
 match certificate map1
 identity local dn
 authentication remote pre-share
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 keyring local xxxx

crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha-hmac

crypto ipsec profile xxxxxx
 set transform-set TRANSFORM1
 set pfs group14

 

Thanks in advance

 


Marcin Latosiewicz
Cisco Employee

Wes, 

 

Have a look here: 

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

or look for suite-B support. 

 

M. 


Thanks Marcin

This is a good help.  But also poses some new questions. 

It indicates the ISRG2/891 support ECDH and ECDSA in software.  

Does this rule out using them in a production environment?   

They are supposed to be stronger and more efficient, but I can't judge their performance.

Ad hoc testing of ECDH/ECDSA on an 891 doesn't seem to affect it much.

 

Or putting it a different way ..

What are the strongest IKEv2/IPsec encryption algorithms with the highest performance for the 891/ISRG2/ISRG3/ASR1002x, assuming one of these platforms will be the lowest common denominator?

My preference is to use GCM and Elliptical Curve where possible   

 

Also .. I'd like to totally disable ikev1/isakmp. 

There is no isakmp config and I've deleted the default isakmp proposals. Is that it?

 

 

What you want to avoid is encrypting your traffic in software. But since you want to use GCM ... that's not a problem.

IKE can be handled in software.... you might see your CPU shoot up every time IKE needs to re-negotiate (every 1 day by default) ... whenever you re-do your IPsec SA (every hour by default).

 

To disable IKEv1: 

no crypto isakmp enable 

tested on my 15.4T ... disabled it and checked that my IKEv2 session still came up after clearing ;]
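As an added example (not code from the thread or from Cisco), a Python check that reports where an IOS config departs from the targets this reply and the thread set out: GCM for the ESP data path, elliptic-curve DH and PFS groups, ECDSA-only IKEv2 authentication, and IKEv1 explicitly disabled. It encodes those preferences rather than the hardware-offload matrix, which still comes from the linked technote, and it only reads text, so the isakmp finding stays an item to verify per release before applying it. The sample configs are constructed, and aes-gcm-256, esp-gcm and group 19 are assumed keywords for the GCM/ECP variant.

```python
import re

# Constructed samples, not the poster's exact configs: the thread's CBC/SHA/group 14
# setup next to a GCM/ECP variant (aes-gcm-256, esp-gcm, group 19 are assumed keywords).
CBC_CONFIG = """\
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha512
 group 14
crypto ikev2 profile test1
 authentication remote pre-share
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
crypto ipsec transform-set TRANSFORM1 esp-aes 256 esp-sha-hmac
crypto ipsec profile tun
 set transform-set TRANSFORM1
 set pfs group14
"""
GCM_CONFIG = """\
no crypto isakmp enable
crypto ikev2 proposal default
 encryption aes-gcm-256
 group 19
crypto ikev2 profile test1
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
crypto ipsec transform-set TRANSFORM1 esp-gcm 256
crypto ipsec profile tun
 set transform-set TRANSFORM1
 set pfs group19
"""

def audit(config):
    """List departures from: IKEv1 off, GCM ESP, ECP groups, ecdsa-sig auth."""
    findings = []
    if not re.search(r"^no crypto isakmp enable$", config, re.M):
        findings.append("IKEv1 not explicitly disabled")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        if "esp-gcm" not in m.group(2):  # non-GCM ESP: the data path to avoid
            findings.append(f"transform-set {m.group(1)} uses non-GCM ESP ({m.group(2)})")
    # IANA group numbers: 14 = 2048-bit MODP; 19, 20, 21 = 256/384/521-bit ECP
    for m in re.finditer(r"^(?: group|\s*set pfs group)\s*(\d+)$", config, re.M):
        if int(m.group(1)) not in (19, 20, 21):
            findings.append(f"DH/PFS group {m.group(1)} is not an ECP group")
    for m in re.finditer(r"^ authentication (remote|local) (\S+)$", config, re.M):
        if m.group(2) != "ecdsa-sig":
            findings.append(f"{m.group(1)} auth method {m.group(2)} is not ecdsa-sig")
    return findings
```

Feed `audit()` the text of `show running-config | section crypto` from each router; an empty list means the config already matches the thread's targets.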

Thanks Marcin

Re encryption perf - Perfect, thank you

 

Re disabling isakmp

I tried 'no crypto isakmp enable' on my ASR running 3.13 and 891 running 15.4(3)M

New sessions wouldn't start and existing sessions dropped when the IPsec SA expired (I have PFS enabled).

I only have crypto ikev2 configured.