Name: Cisco ISR 4000 series
Brand: Cisco
Rating: 5 (1 reviews)

To Next Page

To Previous Page

Cisco ISR 4000 Family Routers Administrator Guidance

Page 32 of 66

This configures IPsec to use pre-shared keys. X.509 v3 certificates are also

supported for authentication of IPsec peers. See Section 4.6.3 below for additional

information.

TOE-common-criteria(config-isakmp)# Crypto isakmp key cisco123!cisco123!CISC

address 11.1.1.4

Note: Pre-shared keys on the TOE must be at least 22 characters in length and can

be composed of any combination of upper and lower case letters, numbers, and

special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“,

and “)”).

The TOE supports pre-shared keys up to 127 characters in length. While longer

keys increase the difficulty of brute-force attacks, longer keys increase processing

time.

TOE-common-criteria (config-isakmp)# group 14

This selects DH Group 14 (2048-bit MODP) for IKE, but 19 (256-bit Random

ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP), 15 (3072

bit MODP), and 16 (4096-bit MODP) are also allowed and supported.

TOE-common-criteria (config-isakmp)# crypto isakmp aggressive-mode disable

Main mode is the default mode and the crypto isakmp aggressive-mode disable

ensures all IKEv1 Phase 1 exchanges will be handled in the default main mode.

TOE-common-criteria(config-isakmp)#exit

4.6.1.2 IKEv2 Transform Sets

An Internet Key Exchange version 2 (IKEv2) proposal is a set of transforms used in the negotiation

of IKEv2 SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded as complete

only when it has at least an encryption algorithm, an integrity algorithm, and a Diffie-Hellman

(DH) group configured. If no proposal is configured and attached to an IKEv2 policy, then the

default proposal is used in the negotiation, and it contains selections that are not valid for the TOE.

Thus the following settings must be set in configuring the IPsec with IKEv2 functionality for

the TOE:

TOE-common-criteria # conf t

TOE-common-criteria (config)#crypto ikev2 proposal sample

TOE-common-criteria (config-ikev2-proposal)# integrity sha

Note: md5 is not to be used in the evaluated configuration.

TOE-common-criteria (config-ikev2-proposal)# encryption aes-cbc-128

This configures IPsec IKEv2 to use AES-CBC-128 for payload encryption. AES-

CBC-256 can be selected with ‘encryption aes-cbc-256’. These are the only

allowed ciphers in the evaluated configuration, and the other, less secure ciphers,

are not to be used.

Questions and Answers:

Need help?

Do you have a question about the Cisco ISR 4000 series and is the answer not in the manual?

Cisco ISR 4000 series Specifications

General

Routing Performance	Up to 2 Gbps
Switching Capacity	Varies by model
Operating System	Cisco IOS XE
Dimensions	Varies by model
Weight	Varies by model
Series	ISR 4000
WAN Ports	Varies by model
LAN Ports	Varies by model
Redundancy	Yes
Type	Modular
Routing Throughput	Up to 2 Gbps
Memory	Up to 16 GB
Modular Slots	Varies by model
Power Supply	AC or DC options
Product Family	ISR (Integrated Services Router)
Models	ISR 4321, ISR 4331, ISR 4351, ISR 4431, ISR 4451-X
Storage	SSD options
Network Interfaces	Gigabit Ethernet, SFP
Security Features	Firewall, VPN
Virtualization Support	Yes
Modularity	Yes
Operating Temperature	0 to 40°C
Humidity	5% to 95% noncondensing