Hi Gents,
I'm in the process of moving some S2S VPNs on an ASA 5525, which involves changing one peer's public IP, and I think it's a good idea to harden the security a little bit in the process by configuring more secure crypto.
I've already read what Cisco says on the topic:
https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
And I think I'm going to use IKEv2, AES-CBC, SHA 256, DH 14.
My question is... how to configure PFS?
Should I use DH14 for PFS as well? Is this well supported by Cisco and other vendors?
Or can I just go with the default DH2 without lowering the security level too much?