Cisco Catalyst SD-WAN Solution Guide

The following sections describe how to secure a Cisco Catalyst SD-WAN with Prisma Access to provide next-generation security.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)

Supported IKE and IPSec Cryptographic Profiles

The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and Cisco Catalyst SD-WAN (formerly Viptela SD-WAN) devices. Use the recommended settings when you onboard a remote network and define the IKE and IPSec cryptographic settings for the connection between Prisma Access and the Cisco Catalyst SD-WAN device.
A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Crypto Profiles (columns: Prisma Access | Cisco Catalyst SD-WAN)

Tunnel Type
  IPSec Tunnel
  GRE Tunnel
Routing
  Static Routes
  Dynamic Routing (BGP)
  Dynamic Routing (OSPF)
IKE Versions
  IKE v1
  IKE v2
IPSec Phase 1 DH-Group
  Group 1
  Group 2 (Default)
  Group 5
  Group 14
  Group 15
  Group 16 (Default)
  Group 19
  Group 20 (Recommended)
IPSec Phase 1 Auth
  Note: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
  MD5
  SHA1 (Default)
  SHA256
  SHA384
  SHA512 (Recommended)
IPSec Phase 1 Encryption
  DES
  3DES (Default)
  AES-128-CBC (Default)
  AES-192-CBC
  AES-256-CBC (Recommended; Default)
IPSec Phase 1 Key Lifetime Default
  Prisma Access: 8 Hours; Cisco Catalyst SD-WAN: 4 Hours
IPSec Phase 1 Peer Authentication
  Pre-Shared Key
  Certificate
IKE Peer Identification
  FQDN
  IP Address (Default)
  User FQDN
IKE Peer
  As Static Peer
  As Dynamic Peer
Options
  NAT Traversal
  Passive Mode
Ability to Negotiate Tunnel
  Per Subnet Pair
  Per Pair of Hosts
  Per Gateway Pair
IPSec Phase 2 DH-Group
  Group 1
  Group 2 (Default for both)
  Group 5
  Group 14
  Group 15
  Group 16 (Default)
  Group 19
  Group 20 (Recommended)
  No PFS
IPSec Phase 2 Auth
  MD5
  SHA1 (Default for both)
  SHA256
  SHA384
  SHA512 (Recommended)
  None
IPSec Phase 2 Encryption
  DES
  3DES (Default)
  AES-128-CBC (Default)
  AES-192-CBC
  AES-256-CBC
  AES-128-CCM
  AES-128-GCM
  AES-256-GCM (Recommended; Default)
  NULL
IPSec Protocol
  ESP
  AH
IPSec Phase 2 Key Lifetime Default
  Prisma Access: 1 Hour; Cisco Catalyst SD-WAN: 1 Hour
Tunnel Monitoring Fallback
  Dead Peer Detection (DPD)
  ICMP
  Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture Type
  With Regional Hub/Gateway/Data Center: NA
  No Regional Hub/Gateway/Data Center: NA
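As an added example (not code from this guide or from either vendor), the following Python check validates a proposed crypto profile against the table above: it rejects options the table does not list, flags listed-but-weak options, enforces the IKEv2 certificate caveat, and accepts a Phase 2 auth of "None" only with an AEAD cipher. The field names such as ike_dh_group and the LEGACY sample are assumptions for this check, not Prisma Access or Cisco Catalyst SD-WAN configuration syntax.

```python
# Validate a proposed IKE/IPSec crypto profile against the support table above.
# Added example; field names are assumptions for this check, not vendor config syntax.
SUPPORTED = {  # options the table lists for each setting (lower-cased)
    "ike_dh_group": {"group1", "group2", "group5", "group14", "group15", "group16", "group19", "group20"},
    "ike_auth": {"md5", "sha1", "sha256", "sha384", "sha512"},
    "ike_encryption": {"des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"},
    "ipsec_dh_group": {"group1", "group2", "group5", "group14", "group15", "group16", "group19", "group20", "no-pfs"},
    "ipsec_auth": {"md5", "sha1", "sha256", "sha384", "sha512", "none"},
    "ipsec_encryption": {"des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "aes-128-ccm", "aes-128-gcm", "aes-256-gcm", "null"},
}
RECOMMENDED = {"ike_dh_group": "group20", "ike_auth": "sha512", "ike_encryption": "aes-256-cbc",
               "ipsec_dh_group": "group20", "ipsec_auth": "sha512", "ipsec_encryption": "aes-256-gcm"}
WEAK = {"des", "3des", "md5", "null", "no-pfs", "group1", "group2", "group5"}  # listed, but not for new tunnels
AEAD = {"aes-128-ccm", "aes-128-gcm", "aes-256-gcm"}  # these ciphers authenticate their own payload

def check_profile(profile):
    """Return a list of (field, level, message) findings; an empty list means the
    profile uses the recommended setting everywhere and trips no caveat."""
    p = {k: str(v).lower() for k, v in profile.items()}
    # Table caveat: IKEv2 with certificate-based peer authentication supports
    # only SHA1 in the IKE (Phase 1) crypto profile.
    ikev2_cert = p.get("ike_version") == "ikev2" and p.get("peer_auth") == "certificate"
    findings = []
    for field, best in RECOMMENDED.items():
        value = p.get(field, "")
        if value not in SUPPORTED[field]:
            findings.append((field, "error", f"{value!r} is not in the support table"))
        elif field == "ike_auth" and ikev2_cert:
            if value != "sha1":
                findings.append((field, "error", "IKEv2 with certificates requires sha1 in Phase 1"))
        elif field == "ipsec_auth" and value == "none":
            # "None" is only acceptable with an AEAD cipher; with a CBC cipher it leaves ESP unauthenticated.
            if p.get("ipsec_encryption") not in AEAD:
                findings.append((field, "error", "none without an AEAD cipher leaves ESP unauthenticated"))
        elif value in WEAK:
            findings.append((field, "error", f"{value} is weak; use {best}"))
        elif value != best:
            findings.append((field, "warn", f"{value} is supported but {best} is recommended"))
    if p.get("ipsec_protocol", "esp") == "ah":
        findings.append(("ipsec_protocol", "error", "AH gives integrity only, no confidentiality; use ESP"))
    return findings

# Constructed sample: a legacy IKEv1/PSK profile built from the table's default options.
LEGACY = {"ike_version": "ikev1", "peer_auth": "psk", "ike_dh_group": "group2",
          "ike_auth": "sha1", "ike_encryption": "3des", "ipsec_dh_group": "group2",
          "ipsec_auth": "sha1", "ipsec_encryption": "aes-128-cbc", "ipsec_protocol": "esp"}
```

Running check_profile(LEGACY) returns three errors (Group 2 twice, 3DES) and three warnings (SHA1 twice, AES-128-CBC), which is what a review of a default-built tunnel should surface before it is onboarded.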
