Configure Allowed Authentication Types

Information

By default, IPsec tunnel connections use a modified version of the Encapsulating Security Payload (ESP) protocol for authentication.

By default, IPsec tunnel connections use AES-GCM-256, which provides both encryption and authentication.

Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, which are listed in order from most strong to least strong:

- ah-sha1-hmac: enables encryption and encapsulation using ESP. However, in addition to the integrity checks on the ESP header and payload, the checks also include the outer IP and UDP headers. Hence, this option supports an integrity check of the packet similar to the Authentication Header (AH) protocol. All integrity and encryption is performed using AES-256-GCM.
- ah-no-id: enables a mode that is similar to ah-sha1-hmac, however the ID field of the outer IP header is ignored. This option accommodates some non-Cisco SD-WAN devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Cisco SD-WAN AH software ignore the ID field in the IP header so that the Cisco SD-WAN software can work in conjunction with these devices.
- sha1-hmac: enables ESP encryption and integrity checking.
- none maps: to no authentication. This option should only be used if it is required for temporary debugging. You can also choose this option in situations where data plane authentication and integrity are not a concern. Cisco does not recommend using this option for production networks.

See https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/vedge-20-x/security-book/config-sec-param.html for more information.

Solution

vEdge(config)# security ipsec authentication-type ah-sha1-hmac

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Cisco_Viptela

Control ID: f25a376eb9d2e7bbbb124bfb5cf8042486ebed0a29670fd30e5b93f3a405af9c