Cisco Support Community
Site-to-Site VPN not using IKE AES-256 prefers AES-128 instead, why?

Hi, I have a site-to-site VPN using a Cisco 877 on a DSL line connected to our Cisco Concentrator. I have had it using 3DES/MD5 for the IKE proposal and the IPsec session but want to move over to AES-256/SHA.

Anyway, I changed it over and the tunnel came up; however, for the IKE session it uses AES-128/SHA1 and not AES-256/SHA1.

This is what the Cisco Concentrator shows:

IKE Session
  Session ID:            1
  Encryption Algorithm:  AES-128
  Hashing Algorithm:     SHA-1
  Diffie-Hellman Group:  Group 2 (1024-bit)
  Authentication Mode:   Pre-Shared Keys
  IKE Negotiation Mode:  Main
  Rekey Time Interval:   86400 seconds

IPSec Session
  Session ID:            2
  Remote Address:
  Local Address:
  Encryption Algorithm:  AES-256
  Hashing Algorithm:     SHA-1
  Encapsulation Mode:    Tunnel
  Rekey Time Interval:   3600 seconds
  Rekey Data Interval:   4608000 KBytes
  Bytes Received:        148368
  Bytes Transmitted:     152480

What do you think? Why is it not using AES-256? AES-128 is in my IKE proposal list as activated, and it's below AES-256, so it should use AES-256 first and, if not, try AES-128.

Thanks in advance for your help.


Re: Site-to-Site VPN not using IKE AES-256 prefers AES-128 instead

This seems to be a configuration problem. Check the following link for a configuration example:
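One IOS-side mistake that produces exactly the symptom in the question is shown below as an added illustration; it is not taken from the original post, and since the 877's configuration is not shown it is only an assumption about a possible cause. On Cisco IOS, `encryption aes` in an ISAKMP policy means AES with a 128-bit key; 256-bit keys must be requested explicitly with `encryption aes 256`. IKE phase 1 and IPsec phase 2 ciphers are negotiated independently, so a phase-1 policy that only offers AES-128 is fully consistent with the concentrator reporting AES-128 for the IKE session and AES-256 for the IPsec session, regardless of how the concentrator's own proposal list is ordered: it can only pick from what the initiator offers. The policy number, transform-set name and the sample `show` output shape are placeholders.

```text
! ---- Before: IKE phase 1 policy on the Cisco 877 (weak variant) ----
! "encryption aes" with no key size is AES-128 on IOS, so the router
! offers only AES-128/SHA/DH group 2 to the concentrator in phase 1.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400

! ---- After: the same policy asking for 256-bit AES explicitly ----
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400

! Phase 2 (IPsec) transform set; this is the part that already shows
! AES-256 in the concentrator output, independent of the phase 1 choice.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac

! Verify what phase 1 actually offers before re-testing the tunnel.
! "show crypto isakmp policy" prints the key size per policy; the
! expected line for the corrected policy looks like (shape assumed):
!   encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
! Then clear and re-establish the SA and re-check the negotiated phase 1:
!   clear crypto isakmp
!   show crypto isakmp sa detail
```

If `show crypto isakmp policy` reports 128-bit keys on every policy, no ordering on the concentrator can yield AES-256 for IKE; if it already reports 256-bit keys, the mismatch is on the concentrator side and its IKE proposal list (and the proposal actually bound to the LAN-to-LAN connection) is the next thing to check.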