Cisco Catalyst SD-WAN Solution Guide
Focus
Focus
Prisma Access

Cisco Catalyst SD-WAN Solution Guide

Table of Contents

Cisco Catalyst SD-WAN Solution Guide

The following sections describe how you secure a Cisco Catalyst SD-WAN with Prisma Access to provide next-generation security.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)

Supported IKE and IPSec Cryptographic Profiles

The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and Cisco Catalyst SD-WAN, formerly known as Viptela SD-WAN, devices. Use the recommended settings when you onboard a remote network and define IKE and IPSec cryptographic settings when connecting the Prisma Access and Cisco Catalyst SD-WAN device.
A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Crypto ProfilesPrisma AccessCisco Catalyst SD-WAN
Tunnel TypeIPSec Tunnel
GRE Tunnel
RoutingStatic Routes
Dynamic Routing (BGP)
Dynamic Routing (OSPF)
IKE VersionsIKE v1
IKE v2
IPSec Phase 1 DH-GroupGroup 1
Group 2
(Default)
Group 5
Group 14
Group 15
Group 16
(Default)
Group 19
Group 20
(Recommended)
IPSec Phase 1 Auth
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
MD5
SHA1
(Default)
SHA256
SHA384
SHA512
(Recommended)
IPSec Phase 1 EncryptionDES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
(Recommended)
(Default)
IPSec Phase 1 Key Lifetime Default
(8 Hours)
(4 Hours)
IPSec Phase 1 Peer AuthenticationPre-Shared Key
Certificate
IKE Peer IdentificationFQDN
IP Address
(Default)
User FQDN
IKE PeerAs Static Peer
As Dynamic Peer
OptionsNAT Traversal
Passive Mode
Ability to Negotiate TunnelPer Subnet Pair
Per Pair of Hosts
Per Gateway Pair
IPSec Phase 2 DH-GroupGroup 1
Group 2
(Default)
(Default)
Group 5
Group 14
Group 15
Group 16
(Default)
Group 19
Group 20
(Recommended)
No PFS
IPSec Phase 2 AuthMD5
SHA1
(Default)
(Default)
SHA256
SHA384
SHA512
(Recommended)
None
IPSec Phase 2 EncryptionDES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
AES-128-CCM
AES-128-GCM
AES-256-GCM
(Recommended)
(Default)
NULL
IPSec ProtocolESP
AH
IPSec Phase 2 Key Lifetime Default
1 Hour
1 Hour
Tunnel Monitoring FallbackDead Peer Detection (DPD)
ICMP
Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture TypeWith Regional Hub/Gateway/Data CenterNA
No Regional Hub/Gateway/Data CenterNA