Configure IPsec Tunnel Parameters - cipher-suite

Information

You can change the encryption on the IPsec tunnel to the AES-256 cipher in CBC (cipher block chaining mode, with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication or to null with HMAC using either SHA-1 or SHA-2 keyed-hash message authentication, to not encrypt the IPsec tunnel used for IKE key exchange traffic.

See https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge-20-x/security-book/config-sec-param.html for more information.

Solution

vEdge(config-interface-ipsecnumber)# ipsec
vEdge(config-ipsec)# cipher-suite (aes256-cbc-sha1 | aes256-gcm | null-sha1)

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-4

Plugin: Cisco_Viptela

Control ID: 1929a254ce737ed7f467e9532e26079c0f43d45048ee1fa9c8c1399558955675