TOE-common-criteria(config-isakmp)# exit 
TOE-common-criteria(config)# crypto isakmp key cisco123!cisco123!CISC address 11.1.1.4 
Note: Pre-shared keys on the TOE must be at least 22 characters in length and 
can be composed of any combination of upper and lower case letters, numbers, 
and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, 
“(”, and “)”). 
The TOE supports pre-shared keys up to 127 characters in length. While longer 
keys increase the difficulty of brute-force attacks, they also increase processing 
time. 
TOE-common-criteria (config-isakmp)# group 14  
This selects DH Group 14 (2048-bit MODP) for IKE, but 19 (256-bit Random 
ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP), 15 
(3072-bit MODP), and 16 (4096-bit MODP) are also allowed and supported. 
TOE-common-criteria (config-isakmp)# lifetime 86400  
The default time value for Phase 1 SAs is 24 hours (86400 seconds), but this 
setting can be changed using the command above with different values. 
TOE-common-criteria (config-isakmp)# crypto isakmp aggressive-mode disable 
Main mode is the default mode, and the crypto isakmp aggressive-mode disable 
command ensures all IKEv1 Phase 1 exchanges will be handled in the default main mode. 
TOE-common-criteria(config-isakmp)#exit 
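
An added example, not part of the original guidance or of any Cisco tooling: a small Python audit that checks a saved configuration against the IKEv1 settings above (pre-shared key length of 22 to 127 characters, an allowed DH group, aggressive mode disabled). The function name, the sample configuration, and the assumption that keys appear in the file as typed (not in encrypted form) are illustrative.

```python
import re

ALLOWED_DH_GROUPS = {14, 15, 16, 19, 20, 24}  # groups the guidance lists as allowed
PSK_MIN, PSK_MAX = 22, 127                    # pre-shared key length bounds from the note

# Constructed sample configuration (not from a real device). Policy 2, the
# second key, and the missing aggressive-mode line are deliberately wrong.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 group 14
 lifetime 86400
crypto isakmp policy 2
 group 2
crypto isakmp key cisco123!cisco123!CISC address 11.1.1.4
crypto isakmp key shortkey address 11.1.1.5
"""

def audit_ikev1(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, policy, aggressive_off = [], None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            policy = None  # a top-level line ends the current policy block
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line, re.I):
            policy = m.group(1)
        elif (m := re.fullmatch(r"group (\d+)", line, re.I)) and policy is not None:
            if int(m.group(1)) not in ALLOWED_DH_GROUPS:
                findings.append(f"policy {policy}: DH group {m.group(1)} not allowed")
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", line, re.I):
            key, peer = m.groups()
            # Report only the length and the peer, never the key itself.
            if not PSK_MIN <= len(key) <= PSK_MAX:
                findings.append(
                    f"peer {peer}: key length {len(key)} outside {PSK_MIN}-{PSK_MAX}")
        elif line.lower() == "crypto isakmp aggressive-mode disable":
            aggressive_off = True
    if not aggressive_off:
        findings.append("aggressive mode not disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_ikev1(SAMPLE_CONFIG):
        print(finding)
```
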
4.6.1.2    IKEv2 Transform Sets 
An Internet Key Exchange version 2 (IKEv2) proposal is a set of transforms used in the 
negotiation of the IKEv2 SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded 
as complete only when it has at least an encryption algorithm, an integrity algorithm, and a 
Diffie-Hellman (DH) group configured. If no proposal is configured and attached to an IKEv2 
policy, then the default proposal is used in the negotiation, and it contains selections that are not 
valid for the TOE. Thus the following settings must be configured when setting up IPsec with 
IKEv2 for the TOE: 
TOE-common-criteria # conf t 
TOE-common-criteria (config)#crypto ikev2 proposal sample 
TOE-common-criteria (config-ikev2-proposal)# integrity sha1 
TOE-common-criteria (config-ikev2-proposal)# encryption aes-cbc-128 
This configures IPsec IKEv2 to use AES-CBC-128 for payload encryption. AES-
CBC-256 can be selected with ‘encryption aes-cbc-256’. AES-GCM-128 and 
AES-GCM-256 can also be selected similarly.