basic
standard
compatible
basic offers DES with DH-group1 and SHA1 or MD5 authentication
NOTE: I never recommend the above for a VPN
standard offers slightly better and more proposals, such as 3DES with DH-group2 and SHA1, or AES128 with DH-group2 and SHA1
NOTE: This is the minimum acceptable proposal set that should be used IMHO
compatible offers a few more options
3DES with DH-group2 SHA1
3DES with DH-group2 MD5
DES DH-group2 SHA1
DES DH-group2 MD5
You need to be aware of the different proposal sets, and of what is available within each, when using ipsec-vpn.
Ideally, you should craft your own proposals and define these for your IKE and IPsec proposals:
set security ike proposal AES128-SHA128-DH5 authentication-method pre-shared-keys
set security ike proposal AES128-SHA128-DH5 dh-group group5
set security ike proposal AES128-SHA128-DH5 authentication-algorithm sha-128
set security ike proposal AES128-SHA128-DH5 encryption-algorithm aes-128-cbc
set security ike proposal AES128-SHA128-DH5 lifetime-seconds 28800
set security ike proposal AES192-SHA192-DH5 authentication-method pre-shared-keys
set security ike proposal AES192-SHA192-DH5 dh-group group5
set security ike proposal AES192-SHA192-DH5 authentication-algorithm sha-192
set security ike proposal AES192-SHA192-DH5 encryption-algorithm aes-192-cbc
set security ike proposal AES192-SHA192-DH5 lifetime-seconds 28800
and
set security ipsec proposal ESP-AES128-SHA256 protocol esp
set security ipsec proposal ESP-AES128-SHA256 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ESP-AES128-SHA256 encryption-algorithm aes-128-cbc
set security ipsec proposal ESP-AES128-SHA256 lifetime-seconds 3600
set security ipsec proposal ESP-AES256-SHA192 protocol esp
set security ipsec proposal ESP-AES256-SHA192 authentication-algorithm hmac-SHA256-192
set security ipsec proposal ESP-AES256-SHA192 encryption-algorithm aes-192-cbc
set security ipsec proposal ESP-AES256-SHA192 lifetime-seconds 3600
For DH groups, you should strive for DH-group14 or higher, if the far-end peer supports it.
Try to avoid dh-group1 and dh-group2. Even dh-group5 should not be used, but that's the minimum acceptable group to avoid interoperability problems. Almost all security VPN devices support dh-group5. For PFS, enable it when you can and if you need 100% security. PFS will ensure that all new key generation is not done from previous phase keys.
Even if someone knew your PSK, for example, they could not break your encryption without brute force, and that would take millions of years to do.
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( # # )=
@
/ \
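As an added illustration (not from the post above, and not Juniper's own tooling), here is a small Python checker that parses proposals written in the Junos "set" syntax shown above and flags them against the thresholds kfelix gives: no DES, 3DES only as a floor, avoid MD5 and DH group1/2, group5 as the minimum accepted, group14 or higher preferred. The sample configuration embedded in it is constructed for the example.

```python
import re
# Constructed sample in the Junos "set" syntax the post uses (not taken from a real device).
SAMPLE_CONFIG = """
set security ike proposal LEGACY-DES dh-group group1
set security ike proposal LEGACY-DES authentication-algorithm md5
set security ike proposal LEGACY-DES encryption-algorithm des-cbc
set security ike proposal AES128-SHA256-DH5 dh-group group5
set security ike proposal AES128-SHA256-DH5 encryption-algorithm aes-128-cbc
set security ike proposal AES256-SHA256-DH14 dh-group group14
set security ike proposal AES256-SHA256-DH14 encryption-algorithm aes-256-cbc
set security ipsec proposal ESP-3DES-MD5 encryption-algorithm 3des-cbc
set security ipsec proposal ESP-3DES-MD5 authentication-algorithm hmac-md5-96
set security ipsec proposal ESP-AES128-SHA256 encryption-algorithm aes-128-cbc
set security ipsec proposal ESP-AES128-SHA256 authentication-algorithm hmac-sha-256-128
"""

LINE_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")

def parse_proposals(config):
    # Group "set security {ike,ipsec} proposal NAME KEY VALUE" lines by (kind, name).
    proposals = {}
    for line in config.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            kind, name, key, value = m.groups()
            proposals.setdefault((kind, name), {})[key] = value
    return proposals

def audit_proposal(kind, attrs):
    # Thresholds from the post: no DES, 3DES only as a floor, avoid MD5 and DH group1/2, group5 minimum, group14+ preferred.
    findings = []
    enc = attrs.get("encryption-algorithm", "")
    if enc.startswith("des"):
        findings.append("DES encryption: never recommended")
    elif enc.startswith("3des"):
        findings.append("3DES encryption: bare minimum, prefer AES")
    if "md5" in attrs.get("authentication-algorithm", ""):
        findings.append("MD5 integrity: prefer SHA-1, ideally SHA-2")
    if kind == "ike":
        group = attrs.get("dh-group", "")
        n = int(group[len("group"):]) if group.startswith("group") else 0
        if n in (0, 1, 2):
            findings.append(f"DH {group or 'none'}: avoid")
        elif n < 14:
            findings.append(f"DH {group}: minimum acceptable, strive for group14+")
    return findings

def audit(config):
    # Map "kind:name" to its findings; an empty list means nothing to flag.
    return {f"{k}:{n}": audit_proposal(k, a) for (k, n), a in parse_proposals(config).items()}
```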
So going all the way Juniper, what are the cons and pros, besides cost, of using Juniper gear vs. Cisco gear? Obviously using comparable gear where applicable.
Any words of wisdom on this?
Buhofromepn,
1st thanks for the reply.
Now does that question pertain to routers/switches/firewalls?
There are differences between Cisco and Juniper in these areas; minor, but differences do exist. Cost wise, the differences are minor and it boils down to what you need/want.
A few differences that should be noted, SRX vs ASA:
SRX & ASA
The cost per 1 Gbps of session bandwidth is about the same, maybe slightly better on an SRX, because these platforms are typically better on paper in numbers.
The SRXs have WAN interface module options on most branch models up to the bigger chassis. Cisco has never competed in this area. You can get T1/E1, ISDN, 3G, ADSL within a model, and in some cases an add-on slot is available.
Cisco support contracts are always slightly higher, so if you have, let's say, 100+ devices, this could eat a big hole in your yearly IT budget.
Juniper JTAC has over the last 10 years been less faithful, so expect more hardware failures and more outages.
Cisco RMA is outstanding, effective, quick and easy to resolve, but Cisco technical support has been lacking and falling off since my interactions with TAC as late as the mid to late 90s.
ASA OS vs Junos: the folks at Juniper actually fix stuff in a new release. I personally think more QC is used at Juniper than for the Cisco ASA, and releases are longer between being made available. You almost never see a Junos release pulled because of an oops.
Feature-wise, the UTM structure is much better in an SRX than in an ASA, but if you're looking at IPS, the ASA has a slight neck farther across the finish line IMHO, but it is a hardware module and limited. If you need IPS, get a dedicated IPS appliance.
Wireless LAN controller integration: Juniper SRX = YES; the Cisco ASA... not on the map at this time. I don't see that (Cisco) happening in the future, and if you need a full wireless LAN, you probably need a dedicated wireless controller IMHO.
But with regards to SSL VPN, it's a plus for the Cisco ASA, and the Juniper SRX is not even on the map. You need yet another Juniper appliance for SSL VPNs.
Integral dial backup: the SRXs also stand ahead of Cisco with supported 3G/4G add-ons on some of the smaller branch models.
For routing features, hands down Juniper has been quite a few steps ahead of not only Cisco, but everybody else as far as that goes. Heck, the Cisco ASA has just barely gotten dynamic routing within a multi-context.
Bottom line: Cisco is multiple boxes and numerous licenses, while the SRXes are not as many boxes but still heavily licensed.
I will try to put together an SRX vs ASA blog thread before year end, since I get asked this exact same question just about every other month.