Tip

This is the documentation for the 20.02 version. Looking for the documentation of the latest version? Have a look here.

IKE Proposal

IKE Proposals instruct TNSR how the key exchange will be encrypted and authenticated. TNSR supports a variety of encryption algorithms, integrity/authentication hash algorithms, pseudo-random functions (PRF), and Diffie-Hellman (DH) group specifications. These choices must be coordinated between both endpoints.

Tip

Some vendor IPsec implementations refer to IKE/ISAKMP as “Phase 1”, which may help when attempting to map values supplied by a peer to their corresponding values in TNSR.

From within config-ipsec-crypto-ike mode, use the proposal <name> command to start a new proposal and enter config-ike-proposal mode. In config-ike-proposal mode, the following commands are available:

encryption <ea-name>:

Configures the encryption algorithm to use for the proposal.

integrity <ia-name>:

Configures the integrity algorithm to use for the proposal.

prf <prf-name>:

Configures the pseudo-random function (PRF) to use for the proposal.

group <group-name>:

Configures the Diffie-Hellman group (DH Group) to use for the proposal.

Tip

To see a list of supported choices for each option, follow the initial command with a ?, such as encryption ?.

Each of these is described in more detail in the following sections.

Encryption Algorithms

TNSR supports many common, secure encryption algorithms. Some older and insecure algorithms are not supported.

Algorithms based on AES are common and secure, and are widely supported by other VPN implementations.

AES-GCM, or AES Galois/Counter Mode is an efficient and fast authenticated encryption algorithm, which means it provides data privacy as well as integrity validation, without the need for a separate integrity algorithm.

Additionally, AES-based algorithms can often be accelerated by AES-NI.

Warning

TNSR includes the Triple-DES (3DES) algorithm for compatibility with legacy systems, but it is not considered secure. Specifically, 3DES is considered broken by attacks such as Sweet32. Use stronger encryption algorithms where possible.

A full list of encryption algorithms supported by TNSR:

tnsr(config-ike-proposal)# encryption ?
  <cr>
  3des                  Triple-DES
  aes128                128 bit AES-CBC
  aes128ccm12           128 bit AES-CCM with 12 byte ICV
  aes128ccm16           128 bit AES-CCM with 16 byte ICV
  aes128ccm8            128 bit AES-CCM with 8 byte ICV
  aes128ctr             128 bit AES-Counter
  aes128gcm12           128 bit AES-GCM with 12 byte ICV
  aes128gcm16           128 bit AES-GCM with 16 byte ICV
  aes128gcm8            128 bit AES-GCM with 8 byte ICV
  aes192                192 bit AES-CBC
  aes192ccm12           192 bit AES-CCM with 12 byte ICV
  aes192ccm16           192 bit AES-CCM with 16 byte ICV
  aes192ccm8            192 bit AES-CCM with 8 byte ICV
  aes192ctr             192 bit AES-Counter
  aes192gcm12           192 bit AES-GCM with 12 byte ICV
  aes192gcm16           192 bit AES-GCM with 16 byte ICV
  aes192gcm8            192 bit AES-GCM with 8 byte ICV
  aes256                256 bit AES-CBC
  aes256ccm12           256 bit AES-CCM with 12 byte ICV
  aes256ccm16           256 bit AES-CCM with 16 byte ICV
  aes256ccm8            256 bit AES-CCM with 8 byte ICV
  aes256ctr             256 bit AES-Counter
  aes256gcm12           256 bit AES-GCM with 12 byte ICV
  aes256gcm16           256 bit AES-GCM with 16 byte ICV
  aes256gcm8            256 bit AES-GCM with 8 byte ICV
  camellia128           128 bit Camellia
  camellia128ccm12      128 bit Camellia-CCM with 12 byte ICV
  camellia128ccm16      128 bit Camellia-CCM with 16 byte ICV
  camellia128ccm8       128 bit Camellia-CCM with 8 byte ICV
  camellia128ctr        128 bit Camellia-Counter
  camellia192           192 bit Camellia
  camellia192ccm12      192 bit Camellia-CCM with 12 byte ICV
  camellia192ccm16      192 bit Camellia-CCM with 16 byte ICV
  camellia192ccm8       192 bit Camellia-CCM with 8 byte ICV
  camellia192ctr        192 bit Camellia-Counter
  camellia256           256 bit Camellia
  camellia256ccm12      256 bit Camellia-CCM with 12 byte ICV
  camellia256ccm16      256 bit Camellia-CCM with 16 byte ICV
  camellia256ccm8       256 bit Camellia-CCM with 8 byte ICV
  camellia256ctr        256 bit Camellia-Counter
  chacha20poly1305      256 bit ChaCha20/Poly1305 with 16 byte ICV

Integrity Algorithms

Integrity algorithms provide authentication of messages and randomness, ensuring that packets are authentic and were not altered by a third party before arriving, and also for constructing keying material for encryption.

Note

When using an authenticated encryption algorithm like AES-GCM with a child Security Association (SA) as opposed to IKE/ISAKMP, an integrity option should not be configured, as it is redundant and reduces performance.

When an authenticated encryption algorithm is used with IKE, configure a Pseudo-Random Function (PRF) instead of an Integrity Algorithm. If an integrity algorithm is defined in this case, TNSR will attempt to map the chosen algorithm to an equivalent PRF.

A full list of integrity algorithms supported by TNSR:

tnsr(config-ike-proposal)# integrity ?
  <cr>
  aescmac               AES-CMAC 96
  aesxcbc               AES-XCBC 96
  md5                   MD5 96
  sha1                  SHA1 96
  sha256                SHA2 256 bit blocks, 128 bits output
  sha384                SHA2 384 bit blocks, 192 bits output
  sha512                SHA2 512 bit blocks, 256 bits output

Pseudo-Random Functions

A Pseudo-Random Function (PRF) is similar to an integrity algorithm, but instead of being used to authenticate messages, it is only used to provide randomness for purposes such as keying material. PRFs are primarily used with an authenticated encryption algorithm type such as AES-GCM, but they can be explicitly defined for use with other integrity algorithms.

If a PRF is not explicitly defined, TNSR will attempt to derive the PRF to use based on the integrity algorithm for a given proposal.

Note

In the case of AES-NI, prfaesxcbc is likely the most appropriate choice as it can be accelerated by AES-NI, and it is more widely supported than its improved successor prfaescmac.

A full list of pseudo-random functions supported by TNSR:

tnsr(config-ike-proposal)# prf ?
  <cr>
  prfaescmac            AES128-CMAC PRF
  prfaesxcbc            AES128-XCBC PRF
  prfmd5                MD5 PRF
  prfsha1               SHA1 PRF
  prfsha256             SHA2-256 PRF
  prfsha384             SHA2-384 PRF
  prfsha512             SHA2-512 PRF

Diffie-Hellman Groups

Diffie-Hellman (DH) exchanges allow two parties to establish a shared secret across an untrusted connection. DH choices can be referenced in several different ways depending on vendor implementations. Some reference a DH group by number, others by size. When referencing by group number, generally speaking higher group numbers are more secure.

Tip

In most cases, modp2048 (Group 14) is the lowest choice considered to provide sufficient security in a modern computing environment.

A full list of DH Groups supported by TNSR:

tnsr(config-ike-proposal)# group ?
  <cr>
  curve25519            Group 31 (Elliptic Curve 25519, 256 bit)
  ecp256                Group 19 (256 bit ECP)
  ecp384                Group 20 (384 bit ECP)
  ecp521                Group 21 (521 bit ECP)
  modp1024              Group 2 (1024 bit modulus)
  modp1024s160          Group 22 (1024 bit modulus, 160 bit POS)
  modp1536              Group 5 (1536 bit modulus)
  modp2048              Group 14 (2048 bit modulus)
  modp2048s224          Group 23 (2048 bit modulus, 224 bit POS)
  modp2048s256          Group 24 (2048 bit modulus, 256 bit POS)
  modp3072              Group 15 (3072 bit modulus)
  modp4096              Group 16 (4096 bit modulus)
  modp6144              Group 17 (6144 bit modulus)
  modp768               Group 1 (768 bit modulus)
  modp8192              Group 18 (8192 bit modulus)

Warning

TNSR supports modp768 (Group 1) and modp1024 (Group 2) for compatibility purposes but they are considered broken by the Logjam Attack and should be avoided.

TNSR also supports modp1024s160 (Group 22), modp2048s224 (Group 23), and modp2048s256 (Group 24) for compatibility but they should also be avoided as they have a questionable source of primes.

IKE Proposal Example

This example configures one proposal. This proposal uses AES-128 encryption, SHA-1 for integrity hashing, and DH group 14 (2048 bit modulus).

tnsr(config-ipsec-crypto-ike)# proposal 1
tnsr(config-ike-proposal)# encryption aes128
tnsr(config-ike-proposal)# integrity sha1
tnsr(config-ike-proposal)# group modp2048
tnsr(config-ike-proposal)# exit