Stronger IPsec VPN Configurations Needed

Should you be using IPsec with IKEv2, SHA-2 and AES?

Page 2 of 2

There is one factor that may limit your ability to configure the strongest encryption money can buy. The International Traffic in Arms Regulations (ITAR) and the Arms Export Control Act (AECA), enforced by the Department of State, govern the use of strong cryptographic systems outside U.S. borders. This is because encryption technology is classified alongside weapons and other materiel required to fight a war. You can find lists of countries where the use of strong cryptography may be restricted.

Cisco provides a tool that helps you understand the export control laws and regulations as they relate to Cisco security and encryption products. This document provides information on the export control of Cisco ASA 5500 firewalls and the U.S. Denied Party List (DPL). You should be aware of these regulations and follow these rules. However, I am pretty sure that the bad guys don't follow the rules.


When I think about the various options for configuring IPsec I am reminded of Snyder's Razor. Joel Snyder, Senior Partner at Opus One and frequent Network World writer, says "All other things being equal, choose the more secure option." Therefore, if there isn't a big difference in performance between MD5 and SHA-1 or SHA-2, then you should choose the stronger option. If it is equally easy to configure a point-to-point VPN link with 3DES or AES-256, then you should choose the stronger option. If you can configure Diffie-Hellman group 2, 5 or 14 equally simply, then you should choose the stronger option. You get the idea. Review the encryption and authentication algorithms you are using, and run the strongest algorithms and key strengths available for your secured communications.
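As an added example (not from the article or from Cisco), the following Python script applies this rule mechanically to Cisco ASA-style `crypto ikev1 policy` / `crypto ikev2 policy` blocks, flagging the weaker choice in each pair the article names (MD5 vs SHA-2, 3DES vs AES-256, DH group 2 or 5 vs group 14). The configuration text inside it is constructed for illustration.

```python
"""Audit Cisco ASA-style IKE policy blocks for the weaker algorithm choices.
Flags MD5, SHA-1, DES/3DES and DH group 1/2/5 where SHA-2, AES-256 and group 14
are available. The configuration text below is constructed for illustration."""
import re

# keyword -> {weak value: advice}; ASA uses "hash" for IKEv1 and "integrity" for IKEv2
WEAK = {
    "hash": {"md5": "use sha256 or stronger", "sha": "prefer sha256 or stronger"},
    "integrity": {"md5": "use sha256 or stronger", "sha": "prefer sha256 or stronger"},
    "encryption": {"des": "use aes-256", "3des": "use aes-256"},
    "group": {"1": "use group 14", "2": "use group 14", "5": "use group 14"},
}

SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
"""

def parse_policies(config):
    """Return {policy name: {keyword: first value}} per crypto ike* policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto (ikev[12]) policy (\d+)", line)
        if m:
            current = f"{m.group(1)} policy {m.group(2)}"
            policies[current] = {}
        elif current and line.startswith(" "):
            parts = line.split()  # indented attribute line: keyword value ...
            policies[current][parts[0]] = parts[1] if len(parts) > 1 else ""
        else:
            current = None  # any other top-level line ends the block
    return policies

def audit(config):
    """Return {policy name: [finding, ...]}; an empty list means nothing weak."""
    return {
        name: [f"{k} {v}: {WEAK[k][v]}" for k, v in attrs.items() if v in WEAK.get(k, {})]
        for name, attrs in parse_policies(config).items()
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` from a real ASA to list every policy that still negotiates MD5, 3DES or a small Diffie-Hellman group.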



Copyright © 2011 IDG Communications, Inc.
