IKE using AES-128 and not AES-256? Is it using the preferred option?

Feb 19th, 2008

I have just changed one of my site-to-site VPNs from 3DES/MD5 to AES-256/SHA and it's connected.

here is the config:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ***** address

crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac

crypto map Crypto_Map 10 ipsec-isakmp
 set peer
 set transform-set T_Set
 match address 101

On the Cisco Concentrator it shows the session connected as AES-128 (the second option in the list of proposals) and not AES-256 (the first and preferred option) for the IKE. Can my Cisco 877 not handle it? Is the IKE the connection and the IPsec the data transfer?

This is what the Cisco Concentrator shows:

IKE Session
Session ID 1
Encryption Algorithm AES-128
Hashing Algorithm SHA-1
Diffie-Hellman Group Group 2 (1024-bit)
Authentication Mode Pre-Shared Keys
IKE Negotiation Mode Main
Rekey Time Interval 86400 seconds

IPSec Session
Session ID 2
Remote Address
Local Address
Encryption Algorithm AES-256
Hashing Algorithm SHA-1
Encapsulation Mode Tunnel
Rekey Time Interval 3600 seconds
Rekey Data Interval 4608000 KBytes
Bytes Received 148368
Bytes Transmitted 152480

Thanks in advance for your help

Danilo Dy Tue, 02/26/2008 - 07:52


Your IKE session encryption is AES-128 (the IKE policy configuration), while your IPsec session encryption is AES-256 (the transform-set configuration).

In your "crypto isakmp policy 1", "encr aes" means "encr aes-128". Use "encr aes-256" instead of "encr aes" only, i.e.:

crypto isakmp policy 1
 ! IOS takes the key size as a separate argument: "encr aes 256" (with "encr aes" alone selecting AES-128)
 encr aes 256
 authentication pre-share
 group 2
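An added audit check, not from this thread: it parses an IOS-style config like the one in the question, resolves a bare "encr aes" to AES-128 as the reply describes, and reports any isakmp policy whose IKE cipher key is shorter than the ESP key in a transform set. The sample config is constructed, and the assumption that a policy with no encr line keeps the IOS default of DES is mine.

```python
import re

# Constructed sample mirroring the question's config (key and peer lines omitted; they were redacted).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
"""
# Nominal key length for each IOS cipher keyword; "aes" with no size means AES-128.
KEY_BITS = {"des": 56, "3des": 168, "aes": 128}
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)")
ENCR_RE = re.compile(r"^\s*encr(?:yption)?\s+(des|3des|aes)(?:\s+(192|256))?\s*$")
ESP_RE = re.compile(r"^crypto ipsec transform-set (\S+)\s+esp-(des|3des|aes)(?:\s+(192|256))?", re.M)

def cipher_bits(name, size):
    """Resolve a cipher keyword plus optional AES key size to (name, bits)."""
    return (name, int(size) if size else KEY_BITS[name])

def isakmp_encryption(config):
    """Map each 'crypto isakmp policy N' to its phase-1 (IKE) cipher.
    Assumption: a policy with no 'encr' line keeps the IOS default, DES."""
    policies, current = {}, None
    for line in config.splitlines():
        head, enc = POLICY_RE.match(line), ENCR_RE.match(line)
        if head:
            current = int(head.group(1))
            policies[current] = ("des", 56)
        elif enc and current is not None:
            policies[current] = cipher_bits(enc.group(1), enc.group(2))
        elif not line.startswith(" "):
            current = None  # a new top-level command ends the policy sub-mode
    return policies

def transform_sets(config):
    """Map each transform-set name to its phase-2 (IPsec) ESP cipher."""
    return {m.group(1): cipher_bits(m.group(2), m.group(3)) for m in ESP_RE.finditer(config)}

def weaker_phase1(config):
    """Return (policy, ike_bits, transform_set, esp_bits) wherever the IKE SA that
    negotiates the IPsec keys uses a shorter key than the IPsec SA it protects."""
    return [(pol, ike, name, esp)
            for pol, (_, ike) in sorted(isakmp_encryption(config).items())
            for name, (_, esp) in sorted(transform_sets(config).items())
            if ike < esp]

if __name__ == "__main__":
    for pol, ike, name, esp in weaker_phase1(SAMPLE_CONFIG):
        print(f"isakmp policy {pol}: IKE {ike}-bit, transform-set {name} {esp}-bit")
```

Running it on the sample reports policy 1 (128-bit IKE) against T_Set (256-bit ESP); changing the line to "encr aes 256" clears the finding.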
