Three-key 3DES

Unanswered Question
Mar 19th, 2009

I am fairly new to the world of VPN tunnels, however, I just came three-key 3DES and was wondering the following:

Will a 2811 with or without an AIM module support this function as part of the phase 1 key exchange of an IPSec VPN Tunnel?

Even if it does support this function, is there a more suitable equipment that should be used (ie: ASA 5510)??

Thank you,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Richard Burts Thu, 03/19/2009 - 10:52


Depending on the code that you are running a 2811 should support 3DES for ISAKMP and IPSec. Note that it is more a question of feature set in IOS than it is of version of IOS. Having the AIM module is very helpful if you are going to do ISAKMP and IPSec on the router.

Whether an ASA5510 would be more suitable would depend on some things in your environment that we do not know. HOw many IPSec tunnels and how much traffic will they process? An ASA is certainly optimized for this and as the amount of VPN processing increases the benefit of the ASA increases. Do you need routing functionality there? The 2811 routes much better than the ASA. Do you need to run a dynamic routing protocol from this site to any where else? The 2811 with a GRE/IPSec tunnel can run a routing protocol where the ASA can not.




This Discussion