Friday, February 8, 2019

Suite-B-GCM-256 on a Cisco ASA 5506-X

Hi all. Can anyone please confirm the config required to set up a VPN that complies with Suite-B-GCM-256 on a Cisco ASA 5506-X? I have the following so far, need to check if I'm missing something.

crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map X.X.X.X 1 match address Y.Y.Y.Y
crypto map X.X.X.X 1 set pfs group 20
crypto map X.X.X.X 1 set peer X.X.X.X
crypto map X.X.X.X 1 set ikev2 ipsec-proposal AES-GCM-256
crypto map X.X.X.X interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 86400
crypto ikev2 enable outside

I'm not 100% sure about "encryption aes-256": the RFC states AES-256 in CBC mode, but CBC isn't mentioned on the ASA. Is CBC implied by AES-256 on the ASA 5506-X?

Cheers!
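Added example, not part of the original post: a small Python checker that encodes the RFC 6379 Suite-B-GCM-256 algorithm requirements as ASA keywords and reports every IKEv2 policy, IPsec proposal or crypto map parameter that is missing or lists an algorithm outside the suite. On the ASA the plain aes-256 IKEv2 policy keyword selects AES in CBC mode; GCM is chosen with the separate aes-gcm-256 keyword, so the RFC's AES-CBC-256 requirement maps to aes-256. The config fragments it parses are constructed for this example (hypothetical OUTSIDE_MAP and VPN_ACL names, a documentation-range peer address). RFC 6379 also requires ECDSA-384 peer authentication; that lives in tunnel-group and trustpoint lines that are not in the posted fragment and are not checked here.

```python
import re
from typing import Dict, List

# Constructed sample: an ASA 9.x-style fragment with hypothetical object names
# and a documentation-range peer. Not the original poster's exact lines.
COMPLIANT_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map OUTSIDE_MAP 1 match address VPN_ACL
crypto map OUTSIDE_MAP 1 set pfs group20
crypto map OUTSIDE_MAP 1 set peer 192.0.2.1
crypto map OUTSIDE_MAP 1 set ikev2 ipsec-proposal AES-GCM-256
crypto map OUTSIDE_MAP interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 86400
crypto ikev2 enable outside
"""

# Same fragment with weaker alternatives added so the negotiation can fall
# outside the suite: 3DES and SHA-256 in the IKEv2 policy, group 14 for PFS.
WEAKENED_CONFIG = (
    COMPLIANT_CONFIG.replace(" encryption aes-256", " encryption aes-256 3des")
    .replace(" integrity sha384", " integrity sha384 sha256")
    .replace("set pfs group20", "set pfs group14")
)

# RFC 6379 section 3.2, Suite-B-GCM-256, written as ASA keywords.
# aes-256 is AES-CBC-256 on the ASA (GCM would be aes-gcm-256), sha384 is
# HMAC-SHA-384 for both integrity and PRF, group 20 is the 384-bit ECP group,
# and ESP uses AES-GCM-256 with no separate integrity algorithm.
EXPECTED = {
    "ikev2 policy encryption": {"aes-256"},
    "ikev2 policy integrity": {"sha384"},
    "ikev2 policy prf": {"sha384"},
    "ikev2 policy group": {"20"},
    "ipsec-proposal esp encryption": {"aes-gcm-256"},
    "ipsec-proposal esp integrity": {"null"},
    "crypto map pfs group": {"20"},
}


def parse_asa_crypto(config: str) -> Dict[str, List[str]]:
    """Collect the algorithm keywords configured for each parameter in EXPECTED.

    Top-level lines open a context (ikev2 policy or ipsec-proposal); indented
    lines belong to it. 'set pfs' is read from crypto map entries, accepting
    both 'group20' and 'group 20' spellings.
    """
    found: Dict[str, List[str]] = {key: [] for key in EXPECTED}
    context = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            if tokens[:3] == ["crypto", "ikev2", "policy"]:
                context = "ikev2 policy"
            elif tokens[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
                context = "ipsec-proposal"
            else:
                context = None
                match = re.match(r"crypto map \S+ \d+ set pfs group\s*(\d+)$", line)
                if match:
                    found["crypto map pfs group"].append(match.group(1))
            continue
        if context == "ikev2 policy" and tokens[0] in ("encryption", "integrity", "prf", "group"):
            found[f"ikev2 policy {tokens[0]}"].extend(tokens[1:])
        elif context == "ipsec-proposal" and tokens[:2] == ["protocol", "esp"] and len(tokens) >= 4:
            found[f"ipsec-proposal esp {tokens[2]}"].extend(tokens[3:])
    return found


def check_suite_b_gcm_256(config: str) -> List[str]:
    """Return one finding per parameter that is absent or permits a non-suite value.

    An empty list means every covered parameter is present and lists only
    Suite-B-GCM-256 algorithms. Peer authentication (ECDSA-384) is not covered.
    """
    found = parse_asa_crypto(config)
    findings = []
    for param, allowed in EXPECTED.items():
        values = found[param]
        if not values:
            findings.append(f"{param}: not configured (expected {sorted(allowed)})")
            continue
        extra = sorted(set(values) - allowed)
        if extra:
            findings.append(f"{param}: allows non-Suite-B value(s) {extra}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("weakened", WEAKENED_CONFIG)):
        print(f"{name}: {check_suite_b_gcm_256(cfg) or 'no findings'}")
```

The check deliberately flags extra algorithms rather than only missing ones: an ASA policy that lists aes-256 alongside 3des still negotiates 3DES if the peer prefers it, which is no longer Suite-B even though aes-256 is present.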


