IKE using AES-128 and not AES-256? Is it using the preferred option?

Unanswered Question
Feb 19th, 2008

I have just changed one of my site-to-site VPNs from 3DES/MD5 to AES-256/SHA and it's connected.


Here is the config:


crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ***** address 1.2.3.4
!
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set T_Set
 match address 101


On the Cisco Concentrator it shows the session connected as AES-128 (the second option in the list of proposals) and not AES-256 (the first and preferred option) for the IKE. Can my Cisco 877 not handle it? Is the IKE the connection and the IPsec the data transfer?


This is what the Cisco Concentrator shows:


IKE Session
  Session ID                 1
  Encryption Algorithm       AES-128
  Hashing Algorithm          SHA-1
  Diffie-Hellman Group       Group 2 (1024-bit)
  Authentication Mode        Pre-Shared Keys
  IKE Negotiation Mode       Main
  Rekey Time Interval        86400 seconds

IPSec Session
  Session ID                 2
  Remote Address             172.19.2.0/0.0.0.255
  Local Address              0.0.0.0/255.255.255.255
  Encryption Algorithm       AES-256
  Hashing Algorithm          SHA-1
  Encapsulation Mode         Tunnel
  Rekey Time Interval        3600 seconds
  Rekey Data Interval        4608000 KBytes
  Bytes Received             148368
  Bytes Transmitted          152480



Thanks in advance for your help

Danilo Dy Tue, 02/26/2008 - 07:52

Hi,


Your IKE session encryption is AES-128, from the IKE policy configuration, while your IPsec session encryption is AES-256, from the transform set configuration.


In your "crypto isakmp policy 1", "encr aes" means "encr aes-128". Use "encr aes-256" instead of just "encr aes", i.e.:


crypto isakmp policy 1
 encr aes-256
 authentication pre-share
 group 2


Regards,

Dandy
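The check a practitioner would want after reading this reply, as an added example that is not part of the original thread: a Python script that parses the IOS configuration posted in the question, applies the rule that a bare "encr aes" in an isakmp policy means AES-128, and flags any IKE (phase 1) policy whose cipher is weaker than the ESP cipher in the transform set (phase 2). The two phases are negotiated separately, which is why the Concentrator can legitimately show AES-128 for the IKE SA and AES-256 for the IPsec SA at the same time. The sample config is the one from the question with the pre-shared key masked as in the post. One caveat: the IOS running config writes the key size as a separate token ("encr aes 256"), so the parser accepts that form as well as the hyphenated "aes-256" written in the reply. The function names, the KEY_BITS ranking table and the hardening helper are this example's own, not Cisco tooling.

```python
"""Audit a Cisco IOS site-to-site VPN config: compare IKE (phase 1) and IPsec
(phase 2) cipher strengths. A bare 'encr aes' in an isakmp policy is AES-128,
while 'esp-aes 256' in the transform set is AES-256; the two are independent."""
import re

# Constructed sample: the configuration posted in the question, with the
# pre-shared key masked as in the post and sub-commands indented as IOS prints them.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ***** address 1.2.3.4
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set T_Set
 match address 101
"""

# IOS defaults applied when an isakmp policy omits a sub-command.
ISAKMP_DEFAULTS = {"encr": "des-56", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

# Effective key strength in bits per canonical cipher name (assumed ranking table);
# 3DES is counted at its ~112-bit effective strength, not its nominal 168.
KEY_BITS = {"des-56": 56, "3des-168": 112, "aes-128": 128, "aes-192": 192, "aes-256": 256}


def normalize_encr(tokens):
    """Map IOS 'encr' keywords to 'alg-bits'. Accepts 'aes', 'aes 256' (running-config
    form) and 'aes-256' (the form written in the reply). A bare 'aes' is AES-128."""
    parts = " ".join(tokens).replace("-", " ").split()
    alg = parts[0]
    if alg == "aes":
        return f"aes-{parts[1] if len(parts) > 1 else '128'}"
    if alg == "3des":
        return "3des-168"
    if alg == "des":
        return "des-56"
    raise ValueError(f"unknown encryption keyword: {' '.join(tokens)}")


def parse_isakmp_policies(config):
    """Return {priority: settings} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if not line or line.startswith("!") or line.startswith("crypto "):
            current = None  # any other top-level command ends the policy block
            continue
        if current is not None:
            tokens = line.split()
            if tokens[0] in ("encr", "encryption"):
                current["encr"] = normalize_encr(tokens[1:])
            elif tokens[0] in ("hash", "group", "authentication", "lifetime"):
                current[tokens[0]] = tokens[1]
    return policies


def parse_transform_sets(config):
    """Return {name: canonical ESP cipher} for each 'crypto ipsec transform-set'."""
    sets = {}
    for raw in config.splitlines():
        m = re.match(r"^crypto ipsec transform-set (\S+)\s+(.+)$", raw.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        cipher = None
        for i, tok in enumerate(rest):
            if tok == "esp-aes":  # 'esp-aes' alone is 128; the key size is the next token
                bits = rest[i + 1] if i + 1 < len(rest) and rest[i + 1].isdigit() else "128"
                cipher = f"aes-{bits}"
            elif tok == "esp-3des":
                cipher = "3des-168"
            elif tok == "esp-des":
                cipher = "des-56"
        sets[name] = cipher
    return sets


def audit(config):
    """List isakmp policies whose cipher is weaker than the strongest ESP cipher.
    The IKE SA protects the phase 2 negotiation and derives the data SA keys, so
    it should not be the weaker of the two."""
    esp_ciphers = [c for c in parse_transform_sets(config).values() if c]
    if not esp_ciphers:
        return []
    strongest = max(esp_ciphers, key=KEY_BITS.__getitem__)
    return [
        f"isakmp policy {prio}: IKE uses {pol['encr']} but ESP uses {strongest}; "
        f"the IKE SA should be at least as strong as the data SA it keys"
        for prio, pol in sorted(parse_isakmp_policies(config).items())
        if KEY_BITS[pol["encr"]] < KEY_BITS[strongest]
    ]


def harden_isakmp_encr(config, bits=256):
    """Rewrite bare 'encr aes' / 'encryption aes' lines to the given AES key size."""
    return re.sub(r"^([ \t]*)(encr|encryption) aes[ \t]*$", rf"\1\2 aes {bits}", config, flags=re.M)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("after hardening:", audit(harden_isakmp_encr(SAMPLE_CONFIG)) or "no findings")
```

Run against the posted config it reports policy 1 at aes-128 against an ESP cipher of aes-256; after harden_isakmp_encr rewrites the line to "encr aes 256" the audit is clean. The same parser can be pointed at a full "show running-config" dump, since it ignores everything outside isakmp policy and transform-set lines.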
