Site-to-Site VPN not using IKE AES-256 prefers AES-128 instead, why?

Unanswered Question
Feb 20th, 2008

Hi, I have a site-to-site VPN using a Cisco 877 on a DSL line connected to our Cisco Concentrator. I have had it using 3DES/MD5 for the IKE proposal and IPsec session but want to move over to AES-256/SHA.

Anyway, I changed it over and the tunnel came up; however, for the IKE session it uses AES-128/SHA1 and not AES-256/SHA1.

This is what the Cisco Concentrator shows:

IKE Session
Session ID 1
Encryption Algorithm AES-128
Hashing Algorithm SHA-1
Diffie-Hellman Group Group 2 (1024-bit)
Authentication Mode Pre-Shared Keys
IKE Negotiation Mode Main
Rekey Time Interval 86400 seconds

IPSec Session
Session ID 2
Remote Address
Local Address
Encryption Algorithm AES-256
Hashing Algorithm SHA-1
Encapsulation Mode Tunnel
Rekey Time Interval 3600 seconds
Rekey Data Interval 4608000 KBytes
Bytes Received 148368
Bytes Transmitted 152480

What do you think? Why is it not using AES-256? AES-128 is in my IKE proposal list as activated, and it's below AES-256, so it should try AES-256 first and only fall back to AES-128 if that fails.

Thanks in advance for your help

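As an added illustration (not part of the original post, and not Cisco's code), the small model below shows why the order of the concentrator's active proposals alone does not decide the phase-1 result: the outcome also depends on the order in which the initiator offers its policies and on which side's list the responder walks first. It parses a constructed IOS-style `crypto isakmp policy` block (on IOS, `encryption aes` with no key size means AES-128, and lower policy numbers are tried first), then runs both selection rules; the IOS defaults filled in for omitted lines (DES, SHA, rsa-sig, group 1), the concentrator list and the two rule names are assumptions made for the example.

```python
"""Model of IKEv1 phase-1 proposal selection. Constructed illustration, not a
Cisco implementation: which rule a given device follows is an assumption here."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "AES-256"
    hash_alg: str     # e.g. "SHA-1"
    dh_group: int     # e.g. 2
    auth: str         # e.g. "pre-share"


# Constructed IOS-style config: policy 10 (tried first) was written as plain
# 'encryption aes', which is AES-128; AES-256 sits in the lower-priority policy 20.
SAMPLE_IOS_CONFIG = """
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 20
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
"""

_ENC = {"des": "DES", "3des": "3DES", "aes": "AES-128", "aes 128": "AES-128",
        "aes 192": "AES-192", "aes 256": "AES-256"}
_HASH = {"sha": "SHA-1", "md5": "MD5"}
LEGACY = {"DES", "3DES", "MD5"}


def parse_ios_isakmp_policies(text: str) -> List[Proposal]:
    """Return policies in the order a router offers them (lowest number first)."""
    policies: Dict[int, dict] = {}
    current: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            # Assumed IOS defaults when a line is omitted inside the policy.
            policies[current] = {"encryption": "DES", "hash_alg": "SHA-1",
                                 "dh_group": 1, "auth": "rsa-sig"}
            continue
        if current is None or not line:
            continue
        cur = policies[current]
        if line.startswith(("encryption ", "encr ")):
            cur["encryption"] = _ENC[line.split(None, 1)[1]]
        elif line.startswith("hash "):
            cur["hash_alg"] = _HASH[line.split()[1]]
        elif line.startswith("group "):
            cur["dh_group"] = int(line.split()[1])
        elif line.startswith("authentication "):
            cur["auth"] = line.split()[1]
    return [Proposal(**policies[n]) for n in sorted(policies)]


def negotiate(initiator: List[Proposal], responder: List[Proposal],
              rule: str) -> Optional[Proposal]:
    """rule='responder': first entry of the responder's list that the initiator offered.
    rule='initiator': first entry of the initiator's list that the responder accepts."""
    if rule == "responder":
        primary, secondary = responder, initiator
    elif rule == "initiator":
        primary, secondary = initiator, responder
    else:
        raise ValueError(f"unknown rule {rule!r}")
    accepted = set(secondary)
    for p in primary:
        if p in accepted:
            return p
    return None   # no common proposal: phase 1 would fail


def legacy_offered(proposals: List[Proposal]) -> List[Proposal]:
    """Defender check: which active proposals still allow DES/3DES/MD5 or DH group 1."""
    return [p for p in proposals
            if p.encryption in LEGACY or p.hash_alg in LEGACY or p.dh_group == 1]


# Constructed concentrator list matching the poster's description:
# AES-256 active above AES-128, with the old 3DES/MD5 proposal still enabled.
CONCENTRATOR = [
    Proposal("AES-256", "SHA-1", 2, "pre-share"),
    Proposal("AES-128", "SHA-1", 2, "pre-share"),
    Proposal("3DES", "MD5", 2, "pre-share"),
]

if __name__ == "__main__":
    router = parse_ios_isakmp_policies(SAMPLE_IOS_CONFIG)
    print("router offers:", [p.encryption for p in router])
    for rule in ("initiator", "responder"):
        chosen = negotiate(router, CONCENTRATOR, rule)
        print(f"rule={rule}: {chosen.encryption if chosen else None}")
    print("legacy still active on concentrator:", legacy_offered(CONCENTRATOR))
```

Under the "initiator" rule the router's first policy (AES-128) wins even though the concentrator lists AES-256 first, which is the symptom described above; under the "responder" rule AES-256 wins. Either way, the practical check is the same: confirm the key size actually configured on both ends (`show crypto isakmp policy` on the router, the active proposal list on the concentrator) rather than assuming the list order on one side settles it, and use `legacy_offered` as a reminder to retire the 3DES/MD5 proposal once the AES tunnel is stable.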