Suite-B, Next Generation Encryption (NGE) recommendations:
SHA-1 - weak, should no longer be used
3DES - weak, should no longer be used
AES-CBC - still acceptable, but "low performance"
AES-GCM - recommended, and faster than AES-CBC on multi-core routers like the ASR and ISR4300/4400 (the encryption runs in parallel)
I recommend this book
R4:
!
crypto ikev2 proposal default
 encryption aes-gcm-256
 ! no "integrity" line here: AES-GCM is a combined-mode (AEAD) cipher, so integrity is null
 prf sha256
 ! without an explicit PRF a GCM proposal is incomplete
 group 19
!
crypto ikev2 keyring SD-KEY
 peer R5
  address 172.23.23.5
  pre-shared-key local cisco123
  pre-shared-key remote Cisco123
!
crypto ipsec transform-set default esp-gcm
 mode tunnel
!
interface Tunnel99
 ip address 10.10.99.4 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 172.23.23.5
 tunnel protection ipsec profile default
The same config is applied on R5, with the peer address and the local/remote pre-shared keys mirrored.
Verification:
R4#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 172.23.23.4/500 172.23.23.5/500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/65786 sec
Phase 1 (the IKEv2 SA) is encrypted with AES-GCM.
But the most important thing is the encryption in Phase 2, the IPsec SAs that carry the tunnel traffic.
R4#sh crypto ipsec sa interface tunnel 99
interface: Tunnel99
Crypto map tag: Tunnel99-head-0, local addr 172.23.23.4
protected vrf: (none)
local ident (addr/mask/prot/port): (172.23.23.4/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.23.23.5/255.255.255.255/47/0)
current_peer 172.23.23.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
R4#ping 10.10.99.5 source tunnel 99 repeat 103
Type escape sequence to abort.
Sending 103, 100-byte ICMP Echos to 10.10.99.5, timeout is 2 seconds:
Packet sent with a source address of 10.10.99.4
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (103/103), round-trip min/avg/max = 1/2/4 ms
R4#sh crypto ipsec sa interface tunnel 99
interface: Tunnel99
Crypto map tag: Tunnel99-head-0, local addr 172.23.23.4
protected vrf: (none)
local ident (addr/mask/prot/port): (172.23.23.4/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.23.23.5/255.255.255.255/47/0)
current_peer 172.23.23.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 103, #pkts encrypt: 103, #pkts digest: 103
#pkts decaps: 103, #pkts decrypt: 103, #pkts verify: 103
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.23.23.4, remote crypto endpt.: 172.23.23.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x72EFD7EA(1928321002)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7C6F96C7(2087687879)
transform: esp-gcm ,
in use settings ={Tunnel, }
conn id: 4573, flow_id: Onboard VPN:2573, sibling_flags 80000040, crypto map: Tunnel99-head-0
sa timing: remaining key lifetime (k/sec): (4206541/3530)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x72EFD7EA(1928321002)
transform: esp-gcm ,
in use settings ={Tunnel, }
conn id: 4574, flow_id: Onboard VPN:2574, sibling_flags 80000040, crypto map: Tunnel99-head-0
sa timing: remaining key lifetime (k/sec): (4206541/3530)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
R4#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
1471 IKEv2 GCM256 0 0 0 172.23.23.4
4573 IPsec GCM 0 103 103 172.23.23.4
4574 IPsec GCM 103 0 0 172.23.23.4
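As an added example (not part of the original post), a small Python check that parses the shape of the two show outputs above and audits them against the NGE list at the top: weak IKEv2 algorithms are reported, and the IPsec SA check returns the transform together with the encaps/decaps counters, so an SA that negotiated GCM but carries no traffic (the first output, all zeros) is visible next to the one after the 103 pings. The sample strings are constructed from the output format, and the weak-algorithm sets are an assumption spelled the way IOS prints the names.

```python
import re

# Constructed samples, cut down from the shape of the two IOS show commands used above.
IKEV2_SA = ("1 172.23.23.4/500 172.23.23.5/500 none/none READY\n"
            "Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19, "
            "Auth sign: PSK, Auth verify: PSK\n")
LEGACY_IKEV2_SA = IKEV2_SA.replace("AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19",
                                   "3DES, keysize: 0, PRF: SHA1, Hash: SHA96, DH Grp:2")
IPSEC_SA_IDLE = ("#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0\n"
                 "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0\n"
                 "transform: esp-gcm ,\n")
IPSEC_SA_BUSY = IPSEC_SA_IDLE.replace(": 0", ": 103")   # counters after the 103 pings

# Algorithms the NGE list above flags as weak, spelled as IOS prints them (assumed set).
WEAK_ENCR = {"3DES", "DES"}
WEAK_HASH = {"MD5", "MD596", "SHA1", "SHA96"}
WEAK_DH = {"1", "2", "5"}                      # 768/1024/1536-bit MODP groups
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}

def audit_ikev2(text):
    """Return findings for the IKEv2 SA; an empty list means it meets the NGE list."""
    m = re.search(r"Encr:\s*([\w-]+),\s*keysize:\s*\d+,\s*PRF:\s*(\w+),"
                  r"\s*Hash:\s*(\w+),\s*DH Grp:\s*(\d+)", text)
    if not m:
        return ["no Encr/PRF/Hash/DH Grp line found"]
    encr, prf, integ, dh = m.groups()
    findings = []
    if encr.upper() in WEAK_ENCR:
        findings.append(f"encryption {encr}")
    if prf.upper() in WEAK_HASH:
        findings.append(f"PRF {prf}")
    # "Hash: None" is expected with AES-GCM: the AEAD cipher provides integrity itself.
    if integ.upper() in WEAK_HASH:
        findings.append(f"integrity {integ}")
    if dh in WEAK_DH:
        findings.append(f"DH group {dh}")
    return findings

def audit_ipsec(text):
    """Transform plus encaps/decaps counters, so a GCM SA carrying no traffic stands out."""
    t = re.search(r"transform:\s*([^,\n]+)", text)
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    if not (t and enc and dec):
        return None
    tokens = t.group(1).split()
    return {"transform": " ".join(tokens),
            "aead": any(tok.startswith("esp-gcm") for tok in tokens),
            "weak": sorted(tok for tok in tokens if tok in WEAK_TRANSFORMS),
            "encaps": int(enc.group(1)), "decaps": int(dec.group(1))}
```

Run `audit_ikev2` on the pasted `sh crypto ikev2 sa` output and `audit_ipsec` on both `sh crypto ipsec sa` captures; the counters should move from 0 to the number of packets you sent, as they do above.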