Page 33 of 72
TOE-common-criteria(config-isakmp)# exit
TOE-common-criteria(config)# Crypto isakmp key cisco123!cisco123!CISC address
11.1.1.4
Note: Pre-shared keys on the TOE must be at least 22 characters in length and
can be composed of any combination of upper and lower case letters, numbers,
and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”,
“(“, and “)”).
The TOE supports pre-shared keys up to 127 characters in length. While longer
keys increase the difficulty of brute-force attacks, longer keys increase processing
time.
TOE-common-criteria (config-isakmp)# group 14
This selects DH Group 14 (2048-bit MODP) for IKE, but 19 (256-bit Random
ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP), 15
(3072 bit MODP), and 16 (4096-bit MODP) are also allowed and supported.
TOE-common-criteria (config-isakmp)# lifetime 86400
The default time value for Phase 1 SAs is 24 hours (86400 seconds), but this
setting can be changed using the command above with different values.
TOE-common-criteria (config-isakmp)# crypto isakmp aggressive-mode disable
Main mode is the default mode and the crypto isakmp aggressive-mode disable
ensures all IKEv1 Phase 1 exchanges will be handled in the default main mode.
TOE-common-criteria(config-isakmp)#exit
4.6.1.2 IKEv2 Transform Sets
An Internet Key Exchange version 2 (IKEv2) proposal is a set of transforms used in the
negotiation of IKEv2 SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded
as complete only when it has at least an encryption algorithm, an integrity algorithm, and a
Diffie-Hellman (DH) group configured. If no proposal is configured and attached to an IKEv2
policy, then the default proposal is used in the negotiation, and it contains selections that are not
valid for the TOE. Thus the following settings must be set in configuring the IPsec with IKEv2
functionality for the TOE:
TOE-common-criteria # conf t
TOE-common-criteria (config)#crypto ikev2 proposal sample
TOE-common-criteria (config-ikev2-proposal)# integrity sha1
TOE-common-criteria (config-ikev2-proposal)# encryption aes-cbc-128
This configures IPsec IKEv2 to use AES-CBC-128 for payload encryption. AES-
CBC-256 can be selected with ‘encryption aes-cbc-256’. AES-GCM-128 and
AES-GCM-256 can also be selected similarly.
To Next Page
Loading...
Need help?
General
