
[ScreenOS] What is a Crypto-policy?

A crypto-policy is a set of access lists that determines which proposals are permitted when configuring VPN Phase 1 and Phase 2.
The following types of administrators can configure a crypto-policy:
  • Root administrator.
  • Read-write admin user without any role attribute assigned.
  • Read-write admin user with a cryptographic role.
The default crypto-policy that is set on the firewall is as follows:

isg2000-> get crypto-policy
crypto policies:
  encryption alg supported: ALL
  authentication alg supported: ALL
  DH group supported: ALL
  mode supported: ALL
  authentication method supported: ALL
  no limitation for P1 lifetime
  no limitation for P2 lifetime
  no limitation for P2 lifesize
To configure the crypto-policy, first enter the crypto-policy context with the following command:

isg2000-> set crypto-policy
isg2000(crypto-policy)->

The parameters that can be configured are described below.

Encryption ALG - The encryption algorithms that can be configured are as follows:

isg2000(crypto-policy)-> set encrypt-alg ?

3des      3DES - Encrypt Alg
aes128    AES(128bits) - Encrypt Alg
aes192    AES(192bits) - Encrypt Alg
aes256    AES(256bits) - Encrypt Alg
des       DES - Encrypt Alg

Authentication ALG - The authentication algorithms that can be configured are as follows:

isg2000(crypto-policy)-> set auth-alg ?

md5       HMAC-MD5 - Auth Alg
sha-1     HMAC-SHA1 - Auth Alg
sha2-256  HMAC-SHA2-256 - Auth Alg

DH Group - The DH groups that can be configured are as follows:

isg2000(crypto-policy)-> set dh ?

group1    DH Group 1
group14   DH Group 14
group19   DH Group 19
group2    DH Group 2
group20   DH Group 20
group5    DH Group 5
no-pfs    no-pfs (only for p2 sa)

Mode - The configuration that permits Main or Aggressive mode is as follows:

isg2000(crypto-policy)-> set mode ?

aggressive  Aggressive Mode
main        Main Mode (ID protection)

Authentication method - This setting decides whether preshared-key or certificate-based authentication is supported:

isg2000(crypto-policy)-> set auth-method ?

dsa-sig    Authenticated by DSA Signature
eap        Authenticated by EAP (only in V2)
ecdsa-sig  Authenticated by ECDSA Signature
preshare   Authenticated by Preshared Key
rsa-sig    Authenticated by RSA Signature
 
Phase-1 Lifetime - This configures the upper limit on the Phase-1 lifetime:

isg2000(crypto-policy)-> set p1-sa-lifetime upper-threshold ?

days      Lifetime in (day)
hours     Lifetime in (hour)
minutes   Lifetime in (min)
seconds   Lifetime in (sec)

Phase-2 Lifetime - This configures the upper limit on the Phase-2 lifetime:

isg2000(crypto-policy)-> set p2-sa-lifetime upper-threshold ?

days      Lifetime in (day)
hours     Lifetime in (hour)
minutes   Lifetime in (min)
seconds   Lifetime in (sec)
  
Phase-2 Lifesize - This configures the upper limit on the Phase-2 lifesize:

isg2000(crypto-policy)-> set p2-sa-lifesize upper-threshold ?

<number>  Lifesize
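As an added illustration (not ScreenOS code or output from the original post), the following Python models the crypto-policy parameters listed above as allowlists plus upper thresholds and checks Phase 1 and Phase 2 proposals against them; the firewall itself performs this enforcement, and the hardened policy values, the lifesize cap and the sample proposal are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Lifetime units as the CLI help lists them, normalised to seconds so a
# threshold set in hours compares cleanly with a proposal given in days.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

@dataclass
class CryptoPolicy:
    """A field left as None mirrors the firewall default 'ALL' / 'no limitation'."""
    encrypt_alg: Optional[set] = None
    auth_alg: Optional[set] = None
    dh: Optional[set] = None
    mode: Optional[set] = None             # phase 1 only
    auth_method: Optional[set] = None      # phase 1 only
    p1_lifetime_max: Optional[int] = None  # upper-threshold in seconds
    p2_lifetime_max: Optional[int] = None  # upper-threshold in seconds
    p2_lifesize_max: Optional[int] = None  # upper-threshold, raw <number>

def check_proposal(policy: CryptoPolicy, proposal: dict) -> list:
    """Return the violations of one proposal; an empty list means it is permitted.
    Keys: phase (1|2), encrypt_alg, auth_alg, dh, lifetime=(n, unit); phase 1 also
    carries mode and auth_method, phase 2 may carry lifesize."""
    phase, problems = proposal["phase"], []
    def require(name, permitted):  # allowlist check, skipped when the policy says ALL
        if permitted is not None and proposal.get(name) not in permitted:
            problems.append(f"P{phase} {name}={proposal.get(name)!r} not in {sorted(permitted)}")
    require("encrypt_alg", policy.encrypt_alg)
    require("auth_alg", policy.auth_alg)
    require("dh", policy.dh)  # also rejects 'no-pfs' on P2 unless the policy lists it
    if phase == 1:
        require("mode", policy.mode)
        require("auth_method", policy.auth_method)
    lifetime_max = policy.p1_lifetime_max if phase == 1 else policy.p2_lifetime_max
    if lifetime_max is not None and "lifetime" in proposal:
        n, unit = proposal["lifetime"]
        if n * UNIT_SECONDS[unit] > lifetime_max:
            problems.append(f"P{phase} lifetime {n} {unit} exceeds {lifetime_max}s")
    if phase == 2 and policy.p2_lifesize_max is not None and "lifesize" in proposal:
        if proposal["lifesize"] > policy.p2_lifesize_max:
            problems.append(f"P2 lifesize {proposal['lifesize']} exceeds {policy.p2_lifesize_max}")
    return problems

# Constructed hardened policy: AES only, no MD5, PFS with groups 14/19/20, main mode,
# certificate authentication, P1 capped at 8 hours, P2 at 1 hour, constructed lifesize cap.
HARDENED = CryptoPolicy({"aes128", "aes192", "aes256"}, {"sha-1", "sha2-256"},
                        {"group14", "group19", "group20"}, {"main"}, {"rsa-sig", "ecdsa-sig"},
                        8 * 3600, 3600, 1_000_000)
# Constructed phase 1 proposal built from the weakest options the CLI help offers.
WEAK_P1 = {"phase": 1, "encrypt_alg": "des", "auth_alg": "md5", "dh": "group1",
           "mode": "aggressive", "auth_method": "preshare", "lifetime": (1, "days")}
```

Against the default policy (every field ALL) the same weak proposal passes, which is the reason to tighten the policy before bringing up VPNs.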



 
