Optional Commands

In addition to the advanced features discussed in the preceding section, you can optionally tweak many default parameters to optimize the site-to-site connections. This section discusses these parameters.

  • Perfect forward secrecy
  • Security Association Lifetimes
  • Phase 1 mode
  • Connection type
  • Inheritance
  • ISAKMP keepalives

Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) is a cryptographic technique in which newly generated keys are unrelated to any previously generated key. With PFS enabled, the Cisco ASA generates a new set of keys that is used during the IPSec Phase 2 negotiations. Without PFS, the Cisco ASA uses Phase 1 keys during the Phase 2 negotiations. The Cisco ASA uses Diffie-Hellman groups 1, 2, 5, and 7 for PFS to generate the keys. Diffie-Hellman group 1 uses a 768-bit modulus to generate the keys, group 2 uses a 1024-bit modulus, and group 5 uses a 1536-bit modulus. Group 7, where the elliptic curve field size is 163 bits, is designed for the faster computation of keys and is usually used by handheld PCs. Group 5 is the most secure technique but requires more processing overhead. The syntax to configure PFS is

crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}

Example 15-22 shows you how to enable PFS group 5 for a peer with a sequence number 10.

Example 15-22. Configuring PFS Group 5 for a Peer

Chicago(config)# crypto map IPSec_map 10 set pfs group5

 

Security Association Lifetimes

If you do not specify the IPSec security association lifetimes, the Cisco ASA uses the default values of 28,800 seconds or 4,275,000 KB. The IPSec security association lifetimes can be set either globally or per crypto map instance. To configure it globally, the command syntax is

crypto ipsec security-association lifetime [{seconds 120-2147483647 kilobytes 10-2147483647}]

The lifetime in seconds can vary between 120 and 2,147,483,647, and the lifetime in kilobytes can range from 10 to 2,147,483,647 KB.

If you only want to specify unique security association lifetime values per crypto map instance, the command syntax is

crypto map map-name seq-num set security-association lifetime [{seconds 120-2147483647 kilobytes 10-2147483647}]

 

Phase 1 Mode

ISAKMP implementation in the Cisco ASA uses main mode for Phase 1 negotiations, by default. If you want to change Phase 1 mode for a specific peer, use the following command syntax:

crypto map map-name seq-num set phase1-mode {main | aggressive [group1 | group2 | group5 | group7]}

If the remote VPN peer initiates a site-to-site tunnel using aggressive mode, then the ASA uses that for tunnel negotiations. Aggressive mode has some security weaknesses, so it is recommended to use main mode where possible. However, if you do not want to accept connections using aggressive mode, you can disable it globally, as shown in Example 15-23.

Example 15-23. Disabling Aggressive Mode

Chicago(config)# crypto isakmp am-disable

 

Connection Type

The Cisco ASA in a site-to-site tunnel can both respond to and initiate a VPN connection. This bidirectional default behavior can be changed to answer-only or originate-only mode. For example, if you want to limit the Cisco ASA to just initiating IKE tunnels, you can set the connection type to originate-only. This way, if the remote VPN peer tries to initiate the connection, the local Cisco ASA will not honor the request. Similarly, if you want the Cisco ASA to accept IKE tunnels only from the peer, you can set the connection type to answer-only. The command syntax to set the connection type is

crypto map map-name seq-num set connection-type {answer-only | bidirectional | originate-only}

Note

If you need to specify multiple peers in your crypto map sequence number for redundancy, then you need to set your connection type to originate-only mode.

Example 15-24 shows that Chicago ASA's connection type is set up as originate-only for the peer 209.165.201.1.

Example 15-24. Configuring Connection Type to Originate-Only for a Peer

Chicago(config)# crypto map IPSec_map 10 set connection-type originate-only

 

Inheritance

Inheritance is a way to specify how the Cisco ASA creates the Phase 2 IPSec SAs. You can use either ACL or data rules to configure inheritance. In ACL rule inheritance, the default behavior, all the hosts in a proxy identity can use the same IPSec SA given that the crypto ACL contains an IP network. However, in data rule inheritance, the Cisco ASA creates one tunnel for every address pair within the address ranges specified in the encryption ACL. Thus, each host uses a separate tunnel, and consequently separate keys. While this selection is more secure, it requires additional processing overhead. Thus, it is recommended to use the data rules to achieve optimum performance.

Example 15-25 shows how to change behavior to data rule inheritance.

Example 15-25. Changing Inheritance from ACL to Data

Chicago(config)# crypto map IPSec_map 1 set inheritance data

 

ISAKMP Keepalives

The ISAKMP keepalives feature is a way to determine whether the remote VPN peer is still up and whether there are lingering SAs. The Cisco ASA starts sending Dead Peer Detection (DPD) packets once it stops receiving encrypted traffic over the tunnel from the peer. By default, if it does not hear from its peer for 10 seconds, it sends out a DPD R_U_THERE packet. It keeps sending the R_U_THERE packets every 2 seconds. If it does not receive an R_U_THERE_ACK for four consecutive DPDs, the Cisco ASA deletes the corresponding ISAKMP and IPSec SAs.

The DPD messages are sent out once the IKE and IPSec SAs are negotiated and the Cisco ASA does not receive any traffic from the other side. If you are not interested in sending DPD messages for a specific peer, you can disable them under the tunnel-group IPSec subconfiguration menu. Example 15-26 illustrates how to disable ISAKMP keepalives for peer 209.165.201.1.

Example 15-26. Disabling ISAKMP Keepalives

Chicago(config)# tunnel-group 209.165.201.1 ipsec-attributes

Chicago(config-ipsec)# isakmp keepalive disable

You can also tweak the keepalive parameters to suit your needs. Example 15-27 shows that if the Cisco ASA does not receive encrypted traffic for 30 seconds, it will send out the first DPD packet. It is also configured to send periodic DPDs every 5 seconds if it fails to get an ACK.

Example 15-27. Changing the Default ISAKMP Keepalive Timers

Chicago(config)# tunnel-group 209.165.201.1 ipsec-attributes

Chicago(config-ipsec)# isakmp keepalive threshold 30 retry 5
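
The PFS, Phase 1 mode, and ISAKMP keepalive settings described in this section can be checked offline against a saved configuration. The following Python sketch is an added example, not code from the book or from Cisco; the sample configuration, the 192.0.2.x peers, and the audit function are constructed for illustration, and it assumes the commands appear in the saved configuration in the same form as they are typed above.

```python
import re

# Constructed sample configuration (not from the book). The 192.0.2.x peers
# are placeholders; the commands are the ones covered in this section.
SAMPLE_CONFIG = """\
crypto map IPSec_map 10 set peer 209.165.201.1
crypto map IPSec_map 10 set pfs group5
crypto map IPSec_map 20 set peer 192.0.2.10
crypto map IPSec_map 20 set pfs group2
crypto map IPSec_map 20 set phase1-mode aggressive group2
crypto map IPSec_map 30 set peer 192.0.2.20
tunnel-group 192.0.2.10 ipsec-attributes
 isakmp keepalive disable
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (\S+)\s*(.*)$")

def audit(config):
    """Return (scope, finding) tuples for PFS, Phase 1 mode and keepalives."""
    entries, findings, tunnel_group = {}, [], None
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    for line in lines:
        if not line.startswith(" "):
            tunnel_group = None  # a top-level command leaves the submode
        m = MAP_RE.match(line)
        if m:
            name, seq, key, value = m.groups()
            entries.setdefault((name, int(seq)), {})[key] = value
        elif line.startswith("tunnel-group ") and line.endswith(" ipsec-attributes"):
            tunnel_group = line.split()[1]
        elif tunnel_group and line.strip() == "isakmp keepalive disable":
            findings.append((f"tunnel-group {tunnel_group}", "DPD keepalives disabled"))
    for (name, seq), opts in sorted(entries.items()):
        scope = f"crypto map {name} {seq}"
        if "pfs" not in opts:
            findings.append((scope, "no PFS: Phase 2 uses Phase 1 keys"))
        elif opts["pfs"] != "group5":
            findings.append((scope, f"PFS {opts['pfs'] or 'default group'} is not group5"))
        # Main mode is the default when phase1-mode is not set.
        if opts.get("phase1-mode", "main").startswith("aggressive"):
            findings.append((scope, "initiates Phase 1 in aggressive mode"))
    if "crypto isakmp am-disable" not in lines:
        findings.append(("global", "aggressive mode from peers is not disabled"))
    return findings

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

A disabled keepalive is reported for review rather than as a fault, since the section presents disabling DPD for a specific peer as a legitimate option.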






Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231