02-19-2008 07:42 AM - edited 03-03-2019 08:46 PM
I have just changed one of my site-to-site VPNs from 3DES/MD5 to AES-256/SHA and it's connected.
Here is the config:
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ***** address 1.2.3.4
!
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set T_Set
 match address 101
On the Cisco Concentrator it shows the session connected as AES-128 (second option in list of proposals) and not AES-256 (first and preferred option) for the IKE. Can my Cisco 877 not handle it? Is the IKE the connection and the IPsec the data transfer?
This is what the Cisco Concentrator shows:
IKE Session
  Session ID: 1
  Encryption Algorithm: AES-128
  Hashing Algorithm: SHA-1
  Diffie-Hellman Group: Group 2 (1024-bit)
  Authentication Mode: Pre-Shared Keys
  IKE Negotiation Mode: Main
  Rekey Time Interval: 86400 seconds

IPSec Session
  Session ID: 2
  Remote Address: 172.19.2.0/0.0.0.255
  Local Address: 0.0.0.0/255.255.255.255
  Encryption Algorithm: AES-256
  Hashing Algorithm: SHA-1
  Encapsulation Mode: Tunnel
  Rekey Time Interval: 3600 seconds
  Rekey Data Interval: 4608000 KBytes
  Bytes Received: 148368
  Bytes Transmitted: 152480
Thanks in advance for your help
02-26-2008 07:13 AM
Please go through these Cisco IOS VPN Configuration Examples and TechNotes for your configuration:
http://www.cisco.com/en/US/products/ps9403/prod_configuration_examples_list.html
02-26-2008 07:52 AM
Hi,
Your IKE session encryption is AES-128 (IKE policy configuration), while your IPsec session encryption is AES-256 (AES transform set configuration).
In your "crypto isakmp policy 1", "encr aes" means "encr aes-128". Use "encr aes-256" instead of just "encr aes", i.e.:
crypto isakmp policy 1
 encr aes-256
 authentication pre-share
 group 2
Regards,
Dandy
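
An added example, not part of the thread and not Cisco tooling: a small Python check that parses an IOS-style config and reports any IKE policy whose cipher key length is below that of a configured transform set, which is the mismatch seen in this thread. It accepts the key size either as a separate token (`encr aes 256`, the form IOS uses) or hyphenated as written in the reply above; the function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the IKE policy and transform set from the question.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ***** address 1.2.3.4
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
"""

def key_bits(cipher, size):
    """Nominal key length; a bare "aes" with no size means AES-128."""
    if cipher == "aes":
        return int(size) if size else 128
    return {"3des": 168, "des": 56}[cipher]

def audit(config):
    """Return (ike_bits, ipsec_bits, findings) for an IOS-style config."""
    ike, ipsec, policy = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m.group(1)
        elif line.startswith("crypto ") or line == "!":
            policy = None  # left the ISAKMP policy sub-mode
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
                if t := re.search(r"\besp-(aes|3des|des)(?: (\d+))?", m.group(2)):
                    ipsec[m.group(1)] = key_bits(*t.groups())
        elif policy and (m := re.match(
                r"encr(?:yption)? (aes|3des|des)(?:[ -](\d+))?$", line)):
            ike[policy] = key_bits(*m.groups())
    # Flag every IKE policy that is weaker than a transform set it may protect.
    findings = [
        f"IKE policy {p}: {b}-bit, weaker than transform-set {n} ({s}-bit)"
        for p, b in ike.items() for n, s in ipsec.items() if b < s
    ]
    return ike, ipsec, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)[2]:
        print(finding)
```
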