IPsec Site to Site and IPsec Remote access question

john.wright
Level 3

Our IPsec remote access is set to encryption 168-bit 3DES

If we want to allow a remote user to go out a tunnel to another site does the encryption for the Tunnel have to be 3DES as well?

Currently this tunnel is set to AES.


4 Replies

Hi,

If you have Site-to-Site tunnels you can choose the encryption protocol that you want on both sides (des, 3des, aes)

If you have remote-access VPN, the client can connect with any encryption protocol as well.

The catch is that the client will attempt to connect to the ISAKMP policies in sequential order until finding a match.

For example, if you have the following two policies configured on the headend:

crypto isakmp policy 5
authentication pre-share
encryption 3des
group 1
hash md5
crypto isakmp policy 10
authentication pre-share
encryption aes-256
group 2
hash sha

The VPN client will evaluate the policy 5 first, but will connect to policy 10 because the VPN client does not support group 1.

Federico.
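To illustrate the sequential policy evaluation described in the reply above, here is an added example (not code from this thread or from Cisco) that parses ASA-style `crypto isakmp policy` lines, walks them in priority order and returns the first one a given client proposal can match, then flags legacy settings in each policy. The client capability set and the legacy-algorithm table are assumptions constructed for the example (the client is assumed not to support DH group 1, as the reply states); it ignores `lifetime` and assumes every policy lists all four attributes.

```python
"""Walk a headend's ISAKMP (IKEv1) policies in priority order, as the reply above describes."""
import re

# Constructed from the two policies in the reply above (ASA-style config).
HEADEND_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 group 1
 hash md5
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 group 2
 hash sha
"""
# Assumption: the client's offer; DH group 1 is absent, as the reply states.
CLIENT_SUPPORTS = {
    "authentication": {"pre-share", "rsa-sig"},
    "encryption": {"3des", "aes", "aes-256"},
    "group": {"2", "5"},
    "hash": {"sha", "md5"},
}
# Assumption: settings to flag as legacy (DES/3DES, MD5, DH groups of 1024 bits or less).
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse_isakmp_policies(config):
    """Return the policies as dicts, ordered by priority (lowest number first)."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s*(authentication|encryption|group|hash)\s+(\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return [dict(priority=p, **attrs) for p, attrs in sorted(policies.items())]

def first_matching_policy(policies, client):
    """Priority of the first policy whose every attribute the client supports, else None."""
    for pol in policies:
        if all(pol.get(attr) in ok for attr, ok in client.items()):
            return pol["priority"]
    return None  # nothing matched: IKE phase 1 would fail

def legacy_attributes(policy):
    """Attributes of one policy found in LEGACY, e.g. ['group 1', 'hash md5']."""
    return sorted(f"{a} {policy[a]}" for a, v in LEGACY.items() if policy.get(a) in v)
```

Running `first_matching_policy` on the two policies yields 10, matching the reply; `legacy_attributes` shows that even the chosen policy still relies on DH group 2.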

Federico

Thanks for the reply.

I don't think I was clear enough in my posted question.

Here are the policies we have set.

crypto isakmp enable Outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 55
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

Here is the map for the tunnel.

crypto map Outside_map 50 set transform-set ESP-AES
crypto map Outside_map 50 set security-association lifetime seconds 28800
crypto map Outside_map 50 set security-association lifetime kilobytes 4608000
crypto map Outside_map 60 set security-association lifetime seconds 28800
crypto map Outside_map 60 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

If a vpn remote access user wants to go out this tunnel after having come in through that same outside interface as the tunnel, does the remote vpn user's encryption have to match the encryption that the tunnel is using?

When I look at my vpn client statistics I see that the encryption is 3DES. And I cannot go out this tunnel. And I did create a hairpin statement for this.

When I look at my ASDM monitoring for this tunnel I see that the protocol encryption is reporting AES128. Every other tunnel is reporting 3des. And every IPsec remote user is reporting as 3DES.

If I understand your question the answer is this:

The VPN client will connect to the ASA with whatever encryption method it chose.

If the VPN client then goes through a Site-to-Site tunnel to another location, it will then use the encryption method specified in the Site-to-Site tunnel.

This is because the parameters for the VPN client apply only when terminating the VPN on the ASA.

When the traffic from the client goes through a different tunnel, the parameters for this tunnel apply.

Hope I am answering your question, otherwise please let me know.

Federico.

Yes

You answered it with this comment:

"This is because the parameters for the VPN client apply only when terminating the VPN on the ASA.

When the traffic from the client goes through a different tunnel, the parameters for this tunnel apply."

Thanks