ISAKMP Policy – IPSEC Part 2
- In part 1 I laid out the general configuration that I will be disusing through this series of posts.
- In Part 2 I will be discussing ISAKMP polices.
ISAKMP Policy
crypto isakmp policy 10
hash md5
authentication pre-share
Internet Security Association and key management Protocol (that’s a mouth full). is used to set up the initial IPSec tunnel (IPsec phase 1). This will be used to negotiate then set up IPsec phase 2.
crypto isakmp policy 10 – This is defining the ISAKMP Policy for later use. you can have more than one policy defined ranging from the most secure to the least. the Policy 10 is defining the priority.
hash md5 – specifying to use the MD5 Hashing algorithm
authentication pre-share – specifying that we will use a pre-shared key for the initial authentication using RSA Keys are also a option. But for now we are going to stick with Pre-Shre keys
and we can use show crypto isakmp sa detail to see what is actually being used to create the security association (SA).
RouterA#sh crypto isakmp sa detail
Codes= C – IKE configuration mode, D – Dead Peer Detection
K – Keepalives, N – NAT-traversal
X – IKE Extended Authentication
psk – Preshared key, rsig – RSA signature
renc – RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1 172.16.1.1 10.0.0.2 ACTIVE des md5 psk 1 23=58=25 D
Connection-id=Engine-id = 1=1(software)
so we can see we used
Hashing = MD5 Encryption = DES key exchange = DH group 1
These are very insecure crypto choices so lets crank up the security on this policy a bit.
first we are going to create a new policy and set it up as a higher priority than our existing one.
Crypto isakmp policy 9
Next lets use a much better hashing algorithm than MD5. The best the IOS I am using supports is SHA. if you can use a better hashing algorithm like SHA 512 do that instead.
hash sha
Next lets specify the encryption algorithm to use. AES 256 is a very strong algorithm and is the best we support so I am going with that.
encryption aes 256
Next lets change the DH group we are using group 1 only uses 768 bit keys and this is pretty weak these days. group 5 will give us 1536 bit keys. again if you support a higher group use that. (This seems to be the best breakdown I have found on these groups Cisco DH groups)
group 5
and last we are going to stick with Pre-shared keys.
authentication pre-share
Now we run clear crypto sa on both sides and reestablish the SA and check our results.
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1 10.0.0.2 172.16.1.1 ACTIVE aes sha psk 5 23=59=50 D
Looks great everything is using the settings that we set up.
Other considerations.
Make sure to remove any polices that you will not be using. This will ensure that you will not fall back to insecure ciphers, ether unintentionally or from an attacker.
You will also want to check the utilization levels on the router. Using stronger crypto will take up much more resources than weaker choices. modern routers should not have to much trouble running strong crypto. But this is something to keep an eye out for.
There is also a lifetime setting for how often the SA will be reestablished default is 24 hours. I feel like this is reasonable but you can teak this is renegotiate more often.