(xpost from /r/sysadmin)
Hi all,
I'm currently deploying Always On VPN in my environment using IKEv2 device tunnels, and a Cisco ASA as the concentrator.
I've been able to get the VPN working, but I can see the Windows defaults are 3DES, SHA1 and 1024-bit DH parameters. Needless to say, this crypto is so weak you may as well just have none at all.
I'm trying to configure the ASA and the Windows client to use the AES-GCM encryption type, as well as 256-bit ECDH parameters, and SHA256 message authentication, but I'm running into some problems.
My ASA config has the following:

IKEv2 policy:

    crypto ikev2 policy 60
     encryption aes-gcm
     integrity null
     group 19
     prf sha256
     lifetime seconds 86400

IPsec proposal:

    crypto ipsec ikev2 ipsec-proposal ipsec-proposal
     protocol esp encryption aes-gcm aes-gcm-192 aes-gcm-256
     protocol esp integrity sha-256
I've then configured the Windows client like so:

    $connection = "[connection name]"
    Set-VpnConnectionIPsecConfiguration -ConnectionName $connection -AuthenticationTransformConstants AESGCM -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA256 -PFSgroup PFS2048 -Force
I've taken a packet capture and I can see matching proposals from the ASA and Windows client - but the connection never completes and seems to time out.
Does anyone have a working ASA config they could share? I'm thinking I must have missed something here.
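As an added example (not from the post, Cisco or Microsoft), this script maps the ASA policy above onto the Windows-side values that Set-VpnConnectionIPsecConfiguration accepts, after first listing any of the weak defaults (3DES, SHA1, 1024-bit DH) still in the connection's custom policy. The connection name and the ASA PFS group (assumed to be group 19, which the post does not show) are assumptions.

```powershell
# Added example, not code from the original post or from Cisco/Microsoft.
# Assumptions: the connection name, and that the ASA crypto map uses
# "set pfs group19" (PFS is not shown in the post).
$ConnectionName = 'AOVPN-Device-Tunnel'   # assumed name

# Windows values that correspond to each half of the ASA configuration:
#   IKE SA  (crypto ikev2 policy: aes-gcm, integrity null, group 19, prf sha256)
#   ESP SA  (ipsec-proposal: aes-gcm-256)
#   PFS     (assumed: set pfs group19 on the crypto map)
$desired = @{
    EncryptionMethod                 = 'GCMAES256'  # IKE cipher; GCM carries its own integrity
    IntegrityCheckMethod             = 'SHA256'     # serves as the IKE PRF when the cipher is GCM
    DHGroup                          = 'ECP256'     # ASA "group 19"
    CipherTransformConstants         = 'GCMAES256'  # ESP cipher
    AuthenticationTransformConstants = 'GCMAES256'  # AEAD: same GCM value as the cipher, not an HMAC
    PfsGroup                         = 'ECP256'     # assumed ASA "set pfs group19"
}

# Algorithms the post identifies as too weak to keep (3DES, SHA1, 1024-bit DH).
$weak = @('DES', 'DES3', 'MD5', 'MD596', 'SHA1', 'SHA196', 'Group1', 'Group2', 'PFS1', 'PFS2')

function Get-WeakIPsecSettings {
    param([Parameter(Mandatory)]$Policy)
    # Returns "Property=Value" for every setting on the connection's
    # IPsecCustomPolicy that still uses one of the weak algorithms above.
    foreach ($name in $desired.Keys) {
        $value = [string]$Policy.$name
        if ($weak -contains $value) { "${name}=${value}" }
    }
}

$conn = Get-VpnConnection -Name $ConnectionName
if ($conn.IPsecCustomPolicy) {
    $findings = @(Get-WeakIPsecSettings -Policy $conn.IPsecCustomPolicy)
    if ($findings) { Write-Host "Weak settings found: $($findings -join ', ')" }
} else {
    Write-Host 'No custom IPsec policy: Windows defaults (3DES/SHA1/DH 1024) apply.'
}

# Apply the AES-GCM / ECP256 profile. Cipher and authentication transform
# constants are set to the same GCM value; a CBC cipher paired with a GCM
# authentication transform (or the reverse) is not a consistent proposal.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName -Force @desired

# Re-read and show what the client will now propose to the ASA.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

For a device tunnel provisioned from ProfileXML rather than with the cmdlet, the same six values go in the profile's CryptographySuite element.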