Suite B configuration
NSA Suite B is a set of cryptographic algorithms that the National Security Agency uses as part of its effort to modernize its cryptography. Suite B supports interoperability for unclassified information and most classified information.
The vRouter supports the following Suite B configurations from RFC 6379:
- Suite-B-GCM-128
- Suite-B-GCM-256
This section shows how to configure Suite B cryptography for IPsec and includes an interoperability example with Cisco IOS.
Step | Command |
---|---|
Create the configuration node for proposal 1 of ESP group ESP-1W. | |
Set the encryption cipher. | |
Set the hash algorithm. | |
Set the IKE version. | |
Set the encryption cipher. | |
Set the hash algorithm. | |
Set the Diffie-Hellman group. | |
View the configuration. | |
Step | Command |
---|---|
Create the configuration node for proposal 1 of ESP group ESP-1W. | |
Set the encryption cipher. | |
Set the hash algorithm. | |
Set the IKE version. | |
Set the encryption cipher. | |
Set the hash algorithm. | |
Set the Diffie-Hellman group. | |
View the configuration. | |
Interoperability with Cisco IOS
The following sample configurations can be adapted as needed for interoperability with Cisco IOS. Note that the example values might not be suitable for all security policies, and that the security policy must be applied to the appropriate interface.
vRouter
set security vpn ipsec esp-group ESP-G1 lifetime '3600'
set security vpn ipsec esp-group ESP-G1 proposal 1 encryption 'aes128gcm128'
set security vpn ipsec esp-group ESP-G1 proposal 1 hash 'null'
set security vpn ipsec ike-group IKE-G1 ike-version '2'
set security vpn ipsec ike-group IKE-G1 lifetime '3600'
set security vpn ipsec ike-group IKE-G1 proposal 1 dh-group '19'
set security vpn ipsec ike-group IKE-G1 proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE-G1 proposal 1 hash 'sha2_256'
set security vpn ipsec site-to-site peer 192.168.3.3 authentication mode 'pre-shared-secret'
set security vpn ipsec site-to-site peer 192.168.3.3 authentication pre-shared-secret 'password'
set security vpn ipsec site-to-site peer 192.168.3.3 default-esp-group 'ESP-G1'
set security vpn ipsec site-to-site peer 192.168.3.3 ike-group 'IKE-G1'
set security vpn ipsec site-to-site peer 192.168.3.3 local-address '192.168.2.1'
set security vpn ipsec site-to-site peer 192.168.3.3 tunnel 1 local prefix '192.168.1.1/24'
set security vpn ipsec site-to-site peer 192.168.3.3 tunnel 1 remote prefix '192.168.4.3/24'
Cisco IOS
crypto ikev2 proposal 1
 encryption aes-cbc-128
 integrity sha256
 group 19
!
crypto ikev2 policy IKE-G1
 match fvrf any
 proposal 1
!
crypto ikev2 profile IKE-G1
 match identity remote any
 authentication remote pre-share key password
 authentication local pre-share key password
 lifetime 3600
!
crypto ipsec transform-set ESP-G1 esp-gcm
 mode tunnel
!
crypto ipsec profile 192.168.2.1
 set transform-set ESP-G1
 set pfs group19
 set ikev2-profile IKE-G1
!
crypto map vyatta 101 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set ESP-G1
 set pfs group19
 set ikev2-profile IKE-G1
 match address 101
!
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
interface GigabitEthernet2
 ip address 192.168.3.3 255.255.255.0
 crypto map vyatta
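As an added example (not part of this documentation or of the vRouter software), the following Python script parses `set security vpn ipsec` lines such as the vRouter example above and reports whether an ESP group and IKE group pair matches Suite-B-GCM-128 or Suite-B-GCM-256 as defined in RFC 6379, or which settings keep it out of Suite B. The 256-bit keyword spellings (aes256gcm128, aes256, sha2_384, dh-group 20) are assumptions, since the page only shows the 128-bit keywords.

```python
import re

# RFC 6379 profile values as vRouter keywords. The 128-bit ones are on this
# page; the 256-bit ones (aes256gcm128, aes256, sha2_384, 20) are assumed.
SUITE_B = {
    "Suite-B-GCM-128": {"esp_enc": "aes128gcm128", "esp_hash": "null",
                        "ike_enc": "aes128", "ike_hash": "sha2_256", "dh": "19"},
    "Suite-B-GCM-256": {"esp_enc": "aes256gcm128", "esp_hash": "null",
                        "ike_enc": "aes256", "ike_hash": "sha2_384", "dh": "20"},
}

# Proposal and IKE-version lines from the vRouter interoperability example above
PAGE_CONFIG = """
set security vpn ipsec esp-group ESP-G1 proposal 1 encryption 'aes128gcm128'
set security vpn ipsec esp-group ESP-G1 proposal 1 hash 'null'
set security vpn ipsec ike-group IKE-G1 ike-version '2'
set security vpn ipsec ike-group IKE-G1 proposal 1 dh-group '19'
set security vpn ipsec ike-group IKE-G1 proposal 1 encryption 'aes128'
set security vpn ipsec ike-group IKE-G1 proposal 1 hash 'sha2_256'
"""
SET_RE = re.compile(r"^set security vpn ipsec (esp-group|ike-group) (\S+) "
                    r"(?:proposal (\d+) )?(\S+) '?([^']*)'?$")

def parse_groups(config_text):
    """Map (kind, group name) -> {'p<N>.<key>' or '<key>': value}."""
    groups = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if m:  # peer and tunnel lines do not affect the profile check
            kind, name, prop, key, val = m.groups()
            groups.setdefault((kind, name), {})[
                f"p{prop}.{key}" if prop else key] = val
    return groups

def classify(config_text, esp_name, ike_name):
    """Return (matched profile or None, list of problems) for one group pair."""
    groups = parse_groups(config_text)
    esp = groups.get(("esp-group", esp_name), {})
    ike = groups.get(("ike-group", ike_name), {})
    got = {"esp_enc": esp.get("p1.encryption"), "esp_hash": esp.get("p1.hash"),
           "ike_enc": ike.get("p1.encryption"), "ike_hash": ike.get("p1.hash"),
           "dh": ike.get("p1.dh-group")}
    problems = [] if ike.get("ike-version") == "2" else ["IKEv2 required"]
    if not problems and got in SUITE_B.values():
        return next(p for p, w in SUITE_B.items() if w == got), []
    for k, v in got.items():  # explain which settings fall outside Suite B
        allowed = sorted(w[k] for w in SUITE_B.values())
        if v not in allowed:
            problems.append(f"{k}={v!r} not in {allowed}")
    return None, problems or ["settings mix the 128-bit and 256-bit profiles"]
```

Running `classify(PAGE_CONFIG, "ESP-G1", "IKE-G1")` on the page's configuration returns `("Suite-B-GCM-128", [])`; changing the DH group, the IKE version, or only one side's key size produces an explanation instead of a profile name.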