Cisco Support Community
Community Member

3DES/MD5 or AES256/SHA for site-to-site VPN

Hi, I have a VPN from a Cisco 877 to a Cisco Concentrator. On the router I have moved over from 3DES/MD5 to AES256/SHA with the following on the router:

crypto isakmp policy 1
 encr AES
 hash SHA
 authentication pre-share
 group 2
crypto isakmp key *** address

crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac

crypto map Crypto_Map 10 ipsec-isakmp
 set peer
 set transform-set T_Set
 match address 101

The thing is on the Concentrator it shows that the IKE session is AES128/SHA and not 256, however the IPSec is AES256/SHA.

Why is this?

Here is the Session info from the Concentrator:

IKE Session
 Session ID: 1
 Encryption Algorithm: AES-128
 Hashing Algorithm: SHA-1
 Diffie-Hellman Group: Group 2 (1024-bit)
 Authentication Mode: Pre-Shared Keys
 IKE Negotiation Mode: Main
 Rekey Time Interval: 86400 seconds

IPSec Session
 Session ID: 2
 Remote Address:
 Local Address:
 Encryption Algorithm: AES-256
 Hashing Algorithm: SHA-1
 Encapsulation Mode: Tunnel
 Rekey Time Interval: 3600 seconds
 Rekey Data Interval: 4608000 KBytes
 Bytes Received: 8832
 Bytes Transmitted: 8896
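
An added example, not part of the original post and not Cisco code: a small Python audit that reads IOS-style configuration text and reports where the ISAKMP (IKE phase 1) AES key is shorter than the IPsec transform-set AES key. It relies on IOS treating `aes` with no key size as 128-bit; the function names and the sample text are constructed for illustration, and every policy is compared against every transform set because the config alone does not show which pair a peer negotiates.

```python
# Constructed sample mirroring the router configuration in the post above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
"""


def _aes_bits(tokens, keyword):
    """AES key size named after `keyword`, or None when the cipher is not AES.

    IOS accepts 'aes', 'aes 192' and 'aes 256'; no size means 128-bit.
    """
    if keyword not in tokens:
        return None
    i = tokens.index(keyword)
    size = tokens[i + 1] if i + 1 < len(tokens) else ""
    return int(size) if size in ("192", "256") else 128


def parse_aes_key_sizes(config):
    """Return ({isakmp_policy_number: bits}, {transform_set_name: bits})."""
    ike, ipsec, policy = {}, {}, None
    for raw in config.splitlines():
        words = raw.split()
        tokens = [w.lower() for w in words]
        if not tokens:
            continue
        if tokens[0] == "crypto":
            policy = None  # any new top-level crypto command ends the policy block
            if tokens[1:3] == ["isakmp", "policy"] and len(tokens) > 3:
                policy = tokens[3]
            elif tokens[1:3] == ["ipsec", "transform-set"] and len(tokens) > 4:
                bits = _aes_bits(tokens[4:], "esp-aes")
                if bits:
                    ipsec[words[3]] = bits
        elif policy and tokens[0].startswith("encr"):  # 'encr' or 'encryption'
            bits = _aes_bits(tokens[1:], "aes")
            if bits:
                ike[policy] = bits
    return ike, ipsec


def weaker_ike_findings(config):
    """List (policy, ike_bits, transform_set, ipsec_bits) where IKE < IPsec."""
    ike, ipsec = parse_aes_key_sizes(config)
    return [(p, ib, name, sb) for p, ib in sorted(ike.items())
            for name, sb in sorted(ipsec.items()) if ib < sb]
```

On the sample, `weaker_ike_findings(SAMPLE_CONFIG)` reports policy 1 at 128 bits against T_Set at 256 bits, matching the AES-128 IKE session and AES-256 IPSec session shown by the Concentrator.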
