Cisco ASR 1000 Series Common Criteria Operational User Guidance And Preparative Procedures page 33
Aggregation services router
Hide thumbs
Also See for ASR 1000 Series:
- Software configuration manual (602 pages) ,
- Configuration manual (442 pages) ,
- Replacing (120 pages)
Table of Contents
Advertisement
TOE-common-criteria(config-isakmp)# exit
TOE-common-criteria(config)# Crypto isakmp key cisco123!cisco123!CISC address
11.1.1.4
Note: Pre-shared keys on the TOE must be at least 22 characters in length and
can be composed of any combination of upper and lower case letters, numbers,
and special characters (that include: "!", "@", "#", "$", "%", "^", "&", "*",
"(", and ")").
The TOE supports pre-shared keys up to 127 characters in length. While longer
keys increase the difficulty of brute-force attacks, longer keys increase processing
time.
TOE-common-criteria (config-isakmp)# group 14
This selects DH Group 14 (2048-bit MODP) for IKE, but 19 (256-bit Random
ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP), 15
(3072 bit MODP), and 16 (4096-bit MODP) are also allowed and supported.
TOE-common-criteria (config-isakmp)# lifetime 86400
The default time value for Phase 1 SAs is 24 hours (86400 seconds), but this
setting can be changed using the command above with different values.
TOE-common-criteria (config-isakmp)# crypto isakmp aggressive-mode disable
Main mode is the default mode and the crypto isakmp aggressive-mode disable
ensures all IKEv1 Phase 1 exchanges will be handled in the default main mode.
TOE-common-criteria(config-isakmp)#exit
4.6.1.2
IKEv2 Transform Sets
An Internet Key Exchange version 2 (IKEv2) proposal is a set of transforms used in the
negotiation of IKEv2 SA as part of the IKE_SA_INIT exchange. An IKEv2 proposal is regarded
as complete only when it has at least an encryption algorithm, an integrity algorithm, and a
Diffie-Hellman (DH) group configured. If no proposal is configured and attached to an IKEv2
policy, then the default proposal is used in the negotiation, and it contains selections that are not
valid for the TOE. Thus the following settings must be set in configuring the IPsec with IKEv2
functionality for the TOE:
TOE-common-criteria # conf t
TOE-common-criteria (config)#crypto ikev2 proposal sample
TOE-common-criteria (config-ikev2-proposal)# integrity sha1
TOE-common-criteria (config-ikev2-proposal)# encryption aes-cbc-128
This configures IPsec IKEv2 to use AES-CBC-128 for payload encryption. AES-
CBC-256 can be selected with 'encryption aes-cbc-256'. AES-GCM-128 and
AES-GCM-256 can also be selected similarly.
Page 33 of 72
Hide quick links:
Advertisement
Table of Contents
Related Manuals for Cisco ASR 1000 Series
Related Products for Cisco ASR 1000 Series
- Cisco ASR1000-RP1 - ASR 1000 Series Route Processor 1 Router
- Cisco ASR1000-RP2 - ASR 1000 Series Route Processor 2 Router
- Cisco ASR-1000-SIP10
- Cisco ASR1002-5G-SEC/K9 - ASR 1002 VPN+FW Bundle Router
- Cisco ASR1002-5G-SHA/K9 - ASR 1002 Sec+HA Bundle Router
- Cisco ASR1004-10G-SHA/K9 - ASR 1004 Sec+HA Bundle Router
- Cisco ASR1004-20G-SEC/K9 - ASR 1004 VPN+FW Bundle Router
- Cisco ASR1006-10G-SEC/K9 - ASR 1006 VPN+FW Bundle Router
- Cisco ASR1006-10G-VPN/K9 - ASR 1006 VPN Bundle Router
- Cisco ASR1006-10G-SHA/K9 - ASR 1006 Sec+HA Bundle Router
- Cisco ASR1006-10G-HA/K9 - ASR 1006 HA Bundle Router
- Cisco ASR1004-10G/K9 - ASR 1004 Router
- Cisco ASR1006 - ASR 1006 Modular Expansion Base
- Cisco ASR 1002-F
- Cisco ASR 1002-RP1
- Cisco ASR 1002-RP2