Site-to-Site VPN not using IKE AES-256 prefers AES-128 instead, why?

whiteford
Level 1

Hi, I have a site-to-site VPN using a Cisco 877 on a DSL line connected to our Cisco Concentrator. I have had it using 3DES/MD5 for the IKE proposal and IPsec session but want to move over to AES-256/SHA.

Anyway, I changed it over and the tunnel came up; however, for the IKE session it uses AES-128/SHA1 and not AES-256/SHA1.

This is what the Cisco Concentrator shows:

IKE Session
  Session ID 1
  Encryption Algorithm AES-128
  Hashing Algorithm SHA-1
  Diffie-Hellman Group Group 2 (1024-bit)
  Authentication Mode Pre-Shared Keys
  IKE Negotiation Mode Main
  Rekey Time Interval 86400 seconds

IPSec Session
  Session ID 2
  Remote Address 172.19.2.0/0.0.0.255
  Local Address 0.0.0.0/255.255.255.255
  Encryption Algorithm AES-256
  Hashing Algorithm SHA-1
  Encapsulation Mode Tunnel
  Rekey Time Interval 3600 seconds
  Rekey Data Interval 4608000 KBytes
  Bytes Received 148368
  Bytes Transmitted 152480

What do you think? Why is it not using AES-256? AES-128 is in my IKE proposal list as activated, and it's below AES-256, so it should try AES-256 first and, if that fails, AES-128.

Thanks in advance for your help
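
To show how a single mismatched attribute on the preferred proposal produces exactly the fallback described above, here is an added Python model (not from this post, the Concentrator, or Cisco) of the IKEv1 phase 1 policy match that Cisco documents for IOS: the responder walks its own policies in priority order and accepts the first one matched by any proposal the initiator offered, where a match means the same encryption, hash, authentication and DH group, and an initiator lifetime no longer than the responder's. That the Concentrator evaluates its active proposal list the same way, and the DH group 5 mismatch used in the sample data, are assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IkePolicy:
    encryption: str   # e.g. "aes-256"
    hash_alg: str     # e.g. "sha"
    auth: str         # e.g. "pre-share"
    group: int        # Diffie-Hellman group number
    lifetime: int     # SA lifetime in seconds


def policy_matches(local: IkePolicy, remote: IkePolicy) -> bool:
    """Cisco's documented IKEv1 rule: identical encryption, hash, auth and
    DH group, and the remote lifetime must not exceed the local lifetime."""
    return (local.encryption == remote.encryption
            and local.hash_alg == remote.hash_alg
            and local.auth == remote.auth
            and local.group == remote.group
            and remote.lifetime <= local.lifetime)


def select_phase1_policy(responder_policies: Iterable[IkePolicy],
                         initiator_proposals: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Responder view: check its own policies highest priority first and
    accept the first one that any initiator proposal matches."""
    proposals = list(initiator_proposals)
    for local in responder_policies:
        for remote in proposals:
            if policy_matches(local, remote):
                return local
    return None  # no common policy: phase 1 fails


# Constructed sample: the Concentrator (responder) lists AES-256 above AES-128
# as the post describes, but its AES-256 entry is (assumed) tied to DH group 5.
CONCENTRATOR = [
    IkePolicy("aes-256", "sha", "pre-share", 5, 86400),
    IkePolicy("aes-128", "sha", "pre-share", 2, 86400),
]
# Constructed sample: the 877 (initiator) offers both ciphers with DH group 2.
ROUTER_877 = [
    IkePolicy("aes-256", "sha", "pre-share", 2, 86400),
    IkePolicy("aes-128", "sha", "pre-share", 2, 86400),
]

if __name__ == "__main__":
    chosen = select_phase1_policy(CONCENTRATOR, ROUTER_877)
    print(f"negotiated: {chosen.encryption}, DH group {chosen.group}")
```

Running it negotiates AES-128 even though AES-256 sits first on the responder; aligning the DH group on the AES-256 entry makes the same function return AES-256.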

1 Reply

tstanik
Level 5

This seems to be a configuration problem. Check the following link for a configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801f0f0c.shtml
