Troubleshooting Guide for the Cisco ASA 5505 Adaptive Security Appliance
introduction of Galois Counter Mode (GCM).
• Hardware: ASA that supports NGE.
  Note: Only multi-core platforms support Advanced Encryption Standard (AES) GCM.
• Software: ASA Software Release 9.0 or later that supports NGE.
• OpenSSL.
For details, refer to Cisco Feature Navigator.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Dynamically Create IPsec Security Associations
The recommended IPsec interface on IOS is a Virtual Tunnel Interface (VTI), which creates a generic routing
encapsulation (GRE) interface that is protected by IPsec. For a VTI, the traffic selector (the definition of which
traffic the IPsec security associations (SAs) protect) consists of GRE traffic from the tunnel source to the
tunnel destination. The ASA does not implement GRE interfaces; it creates IPsec SAs for the traffic that an
access control list (ACL) defines. A method is therefore needed that lets the router answer the ASA's IKEv2
initiation with a mirror image of the traffic selectors the ASA proposes. A Dynamic Virtual Tunnel Interface
(DVTI) on the FlexVPN router does exactly that: it accepts the traffic selector the initiator presents and
responds with its mirror.
This example encrypts traffic between both internal networks. When the ASA presents the traffic selectors of
the ASA internal network to the IOS internal network, 192.168.1.0/24 to 172.16.10.0/24, the DVTI interface
responds with a mirror of those traffic selectors, 172.16.10.0/24 to 192.168.1.0/24.
Certificate Authority
Currently, neither IOS nor the ASA supports a local Certificate Authority (CA) server that issues Elliptic Curve
Digital Signature Algorithm (ECDSA) certificates, which Suite-B requires. A third-party CA must therefore be
used. For example, use OpenSSL to act as the CA.
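The following script is an added example of such an OpenSSL CA; it is not part of the original document or of any Cisco procedure. It assumes the Suite-B profile of P-384 keys with SHA-384 signatures (the document only says ECDSA, so the curve and hash are an assumption), and the directory, file names, subject names and function names are all invented for the example. In the real procedure each device generates its own EC key pair and prints a CSR that you paste into a file; the `make_stub_csr` function stands in for that device-side step so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: a minimal OpenSSL CA that issues ECDSA (P-384, SHA-384) certificates
# for the ASA and the IOS FlexVPN router. Every path and name here is an assumption.
set -eu

# Build the CA: P-384 private key plus a self-signed root certificate.
# $1 = working directory
make_nge_ca() {
  dir=$1
  mkdir -p "$dir"
  # One config file serves both the self-signed root and the peer certificates.
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = NGE Lab Root CA
O = Example Lab
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_peer ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl ecparam -name secp384r1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -sha384 -days 3650 \
    -key "$dir/ca.key" -config "$dir/ca.cnf" -extensions v3_ca \
    -out "$dir/ca.crt"
}

# Stand-in for the device CSR. On the ASA or router you would instead generate an EC
# key pair on the box and copy the CSR from terminal enrollment into $dir/$name.csr.
# $1 = working directory, $2 = peer name, $3 = common name
make_stub_csr() {
  dir=$1; name=$2; cn=$3
  openssl ecparam -name secp384r1 -genkey -noout -out "$dir/$name.key"
  openssl req -new -sha384 -key "$dir/$name.key" -config "$dir/ca.cnf" \
    -subj "/CN=$cn/O=Example Lab" -out "$dir/$name.csr"
}

# Sign a peer CSR with the CA and check that the result chains to the root.
# $1 = working directory, $2 = peer name, $3 = CSR file (PEM)
sign_peer_csr() {
  dir=$1; name=$2; csr=$3
  openssl x509 -req -sha384 -days 365 \
    -in "$csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ca.cnf" -extensions v3_peer \
    -out "$dir/$name.crt"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null
}

# Print the signature algorithm of a certificate; Suite-B issuance should give
# ecdsa-with-SHA384 on both the root and the peer certificates.
# $1 = certificate file
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# End-to-end run: CA, two stand-in CSRs, two signed peer certificates.
demo() {
  dir=${1:-./nge-ca}
  make_nge_ca "$dir"
  make_stub_csr "$dir" asa asa.example.lab
  make_stub_csr "$dir" router router.example.lab
  sign_peer_csr "$dir" asa "$dir/asa.csr"
  sign_peer_csr "$dir" router "$dir/router.csr"
  echo "CA cert:     $(cert_sig_alg "$dir/ca.crt")"
  echo "ASA cert:    $(cert_sig_alg "$dir/asa.crt")"
  echo "Router cert: $(cert_sig_alg "$dir/router.crt")"
}

if [ "${RUN_NGE_DEMO:-0}" = 1 ]; then
  demo "$@"
fi
```

Run it with `RUN_NGE_DEMO=1 sh nge_ca.sh /tmp/nge-ca`. The PEM files it writes are what the devices consume: `ca.crt` is pasted when the trustpoint is authenticated, and `asa.crt` or `router.crt` is pasted when the identity certificate is imported. The `v3_peer` section deliberately sets only `digitalSignature` in key usage, which is all an IKEv2 peer needs to sign its AUTH payload.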
Configuration
Network Topology
This guide is based on the topology shown in this diagram. You should amend IP addresses to suit.