Wednesday, May 29, 2019

Cisco Phone VPN

It has taken way too much effort to get 8800 series phones to connect to my new FTD-based 2110 firewalls. Apparently the order of the SSL cipher list is important to the 8800, but not the 7900. Finally figured it out, but now I have a dilemma.

If I allow any TLS cipher better than DHE-RSA-AES256-SHA, an SSL tunnel is established using that cipher, AES256-GCM-SHA384 to be exact, but no DTLS tunnel is established. If I restrict my TLS1.2 cipher list to AES256-SHA, both an SSL tunnel and DTLS tunnel are established using that cipher.

My question is: does anyone have recommendations on what to do? Limit the cipher list to get a DTLS tunnel, or allow better ciphers to be used and sacrifice DTLS for it?

I am about to go to bed, sorry if I don't respond timely.


