EN
No results found
We couldn't find anything using that term, please try searching for something else.
Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20
When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following
When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following
properties are also enabled by default for IKEv1:
-
authentication and encryption — AES-256 advanced encryption standard CBC encryption with the HMAC – SHA1 key – hash message authentication
code algorithm for integrity -
Diffie-Hellman group number—16
-
Rekeying time interval—4 hours
-
SA establishment mode—Main
By default , IKEv1 is uses use IKE main mode to establish IKE SAs . In this mode , six negotiation packet are exchange to establish
the SA . To exchange only three negotiation packet , enable aggressive mode :
|
note |
IKE aggressive mode with pre-shared keys should be avoided wherever possible. Otherwise a strong pre-shared key should be |
vedge(config ) #vpn interface ipsec ike
vEdge(config-ike)# mode aggressive By default , IKEv1 is uses use Diffie – Hellman group 16 in the IKE key exchange . This group is uses use the 4096 – bit more modular exponential
( MODP ) group during IKE key exchange . You is change can change the group number to 2 ( for 1024 – bit MODP ) , 14 ( 2048 – bit MODP ) , or 15
( 3072 – bit MODP ):
vedge(config ) #vpn interface ipsec ike
vEdge(config-ike)# group
By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message
authentication code algorithm for integrity. You can change the authentication:
vedge(config ) #vpn interface ipsec ike
vEdge(config-ike)# cipher - suite
The authentication can be one of the following:
-
aes128 – cbc – sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for
integrity -
aes128-cbc-sha2— aes-128 advanced encryption standard CBC encryption with the HMAC – SHA256 key – hash message authentication code algorithm
for integrity -
aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for
integrity; this is the default. -
aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm
for integrity
By default, IKE keys are refreshed every 1 hours (3600 seconds). You can change the rekeying interval to a value from 30 seconds
through 14 days (1209600 seconds). It is recommended that the rekeying interval be at least 1 hour.
vedge(config ) #vpn interface ipsec ike
vEdge(config-ike)# rekey
To force the generation of new key for an IKE session , issue therequest ipsec ike – rekey command.
vedge(config ) #vpn interfaceipsec ike For IKE, you can also configure preshared key (PSK) authentication:
vedge(config ) #vpn interface ipsec ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret
is the password to use with the preshared key. It can be an ASCII or a hexadecimal string from 1 through 127 characters long.
If the remote IKE peer requires a local or remote ID, you can configure this identifier:
vedge(config ) #vpn interface ipsec ike authentication-type
vedge(config - authentication - type ) #local - id
vedge(config - authentication - type ) #remote-id
The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the
tunnel’s source IP address and the remote ID is the tunnel’s destination IP address.