Supported IPsec Parameters
Cisco Secure Access uses the IPsec protocol for tunneling traffic. IPsec has multiple components; one of the core components is Internet Key Exchange (IKE). IKE manages negotiation with peers, authentication, and certificate exchanges, and maintains the session by using Dead Peer Detection (DPD) as per RFC 5996. Secure Access supports IKEv2, which is faster and more secure than IKEv1.
Secure Access supports the configuration of certain IPsec parameters to deploy a network tunnel. Even if a device can establish an IPsec tunnel to Secure Access, we do not guarantee that the tunnel is compatible. For example, if the tunnel enables Perfect Forward Secrecy (PFS), you can establish a tunnel, but in the event of reconnection, the tunnel may fail to rekey and lose service. We recommend that you test the tunnel connectivity thoroughly before putting any tunnel into production.
Components | IKEv2 (Phase I) (no IKEv1 support) | ESP (Phase II) |
---|---|---|
Encryption | AES-256-16 (GCM), AES-256-8 (GCM), AES-128-16 (GCM), AES-128-8 (GCM), AES-128 (CBC), AES-256 (CBC) | AES-256-16 (GCM), AES-128-16 (GCM), AES-256 (CBC), AES-128 (CBC), NULL (GCM) - AES-256 GMAC, NULL (GCM) - AES-192 GMAC, NULL (GCM) - AES-128 GMAC, NULL (CBC) |
Hashing | SHA256, SHA1 | SHA256, SHA1 |
DH Group | 20, 19, 15, 14 | 20, 19, 15, 14 |
Authentication | Pre-Shared Key (PSK) | N/A |
Protocol | N/A | ESP in UDP (NAT-T) (Port - UDP 4500) |
Total Child SAs Supported | N/A | 1 |
Lifetime | Based on client settings (IKE default is 4 hours) | Based on client settings (Child SA default is one hour) |
Perfect Forward Secrecy (PFS) | N/A | Allowed (Ciphers configured with both PFS and non-PFS.) Note: If the remote end prefers to negotiate PFS, it has to set the child rekey timer lower than the head end and/or allow both PFS and non-PFS. Reason: CNHE prefers non-PFS. We configured both, but if the other side wants PFS, we can negotiate. |
DPD Timeouts | 30 seconds (back_off = 2, retransmit timeout = 2, retries = 5) (Maximum DPD timeout = 156 seconds) | N/A |
IP fragmentation | Not supported | Not supported |
IKE Fragmentation (RFC 7383) | Enabled | N/A |
Extended Sequence Number (ESN) | N/A | Allowed and preferred |
Recommendations are in Bold.
Note: Secure Access routing platforms are optimized for Galois/Counter Mode (GCM) encryption. Thus, we recommend that you use GCM encryption for maximum throughput. Using cipher block chaining (CBC) may result in lower throughput. Performance is subject to hardware and configurations.
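The DPD and PFS rows above can be checked numerically. The following added example (not code from the Secure Access documentation) reproduces the 156-second maximum DPD timeout from the listed parameters and applies the PFS rekey caveat; the exponential retransmit schedule it assumes (initial probe after 30 s idle, then waits of 2 s doubled for each of the 5 retries plus a final wait) is an interpretation that matches the published figures, not a statement of Cisco's implementation.

```python
# Added example, not part of the Secure Access documentation.
# Assumed DPD schedule: after idle_seconds of silence a probe is sent; the sender
# then waits retransmit_timeout, retransmits, and multiplies the wait by back_off
# for each of the retries, with one final wait before declaring the peer dead.
from dataclasses import dataclass


@dataclass(frozen=True)
class DpdProfile:
    idle_seconds: int = 30        # quiet time before the first DPD probe (table: 30 s)
    retransmit_timeout: int = 2   # first wait between transmissions (table: 2)
    back_off: int = 2             # multiplier applied to each successive wait (table: 2)
    retries: int = 5              # retransmissions after the initial probe (table: 5)


def dpd_wait_schedule(p: DpdProfile) -> list[int]:
    """Seconds waited after each transmission: the initial probe plus each retry."""
    return [p.retransmit_timeout * p.back_off ** i for i in range(p.retries + 1)]


def dpd_max_timeout(p: DpdProfile) -> int:
    """Worst case from the last received packet until the peer is declared dead."""
    return p.idle_seconds + sum(dpd_wait_schedule(p))


def pfs_rekey_compatible(remote_child_lifetime: int,
                         remote_allows_non_pfs: bool,
                         headend_child_lifetime: int = 3600) -> bool:
    """Apply the table's PFS caveat: a peer that insists on PFS must rekey the
    Child SA before the head end does (head end default one hour), or it must
    also accept non-PFS proposals."""
    return remote_allows_non_pfs or remote_child_lifetime < headend_child_lifetime


if __name__ == "__main__":
    profile = DpdProfile()
    print(dpd_wait_schedule(profile))  # [2, 4, 8, 16, 32, 64]
    print(dpd_max_timeout(profile))    # 156
    print(pfs_rekey_compatible(3600, False))  # False: same timer as head end, PFS-only
```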