Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

IPsec Site to Site and IPsec Remote access question

Our IPsec remote access is set to encrption 168-bit 3DES

If we want to allow a remote user to go out a tunnel to another site does the encryption for the Tunnel have to be 3DES as well?

Currently this tunnel is set to AES.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: IPsec Site to Site and IPsec Remote access question

If I understand your question the answer is this:

The VPN client will connect to the ASA with whatever encryption method it chose.

If the VPN client then goes through a Site-to-Site tunnel to another location, it will then use the encryption method specified in the Site-to-Site tunnel.

This is because the parameters for the VPN client apply only when terminating the VPN on the ASA.

When the traffic from the client, goes through a different tunnel, the parameters for this tunnel applies.

Hope I am answering your question, otherwise please let me know.

Federico.

4 REPLIES

Re: IPsec Site to Site and IPsec Remote access question

Hi,

If you have Site-to-Site tunnels you can choose the encryption protocol that you want on both sides (des, 3des, aes)

If you have remote-access VPN, the client can connect with any encryption protocol as well.

The catch is that the client will attempt to connect to the ISAKMP policies in sequential order until finding a match.

For example, if you have the following two policies configured on the headend:

crypto isakmp policy 5

authentication pre-shared

encryption 3des

group 1

hash md5

crypto isakmp policy 10

authentication pre-shared

encryption aes-256

group 2

hash sha

The VPN client will evaluate the policy 5 first, but will connect to policy 10 because the VPN client does not support group 1.

Federico.

New Member

Re: IPsec Site to Site and IPsec Remote access question

Federico

Thanks for the replay.

I don't think I was clear enough in my posted question.

Here are the policies we have set.

crypto isakmp enable Outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 55
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

Here is the map for the tunnel.

crypto map Outside_map 50 set transform-set ESP-AES
crypto map Outside_map 50 set security-association lifetime seconds 28800
crypto map Outside_map 50 set security-association lifetime kilobytes 4608000
crypto map Outside_map 60 set security-association lifetime seconds 28800
crypto map Outside_map 60 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

If a vpn remote access user wants to go out this tunnel after having come in through that same outside interface as the tunnel, does the remote vpn user's encryption have to mach the encryption that the tunnel is using?

When I look at my vpn client statistics I see that the encryption is 3DES. And I cannot go out this tunnel. And I did create a hairpin statment for this.

When I look at my ASDM monitoring for this tunnel I see that the protocol encryption is reporting AES128. Every other tunnel is reporting 3des. And every IPsec remote user is reporting as 3DES.

Re: IPsec Site to Site and IPsec Remote access question

If I understand your question the answer is this:

The VPN client will connect to the ASA with whatever encryption method it chose.

If the VPN client then goes through a Site-to-Site tunnel to another location, it will then use the encryption method specified in the Site-to-Site tunnel.

This is because the parameters for the VPN client apply only when terminating the VPN on the ASA.

When the traffic from the client, goes through a different tunnel, the parameters for this tunnel applies.

Hope I am answering your question, otherwise please let me know.

Federico.

New Member

Re: IPsec Site to Site and IPsec Remote access question

Yes

You answered it with this comment:

"This is because the parameters for the VPN client apply only when terminating the VPN on the ASA.

When the traffic from the client, goes through a different tunnel, the parameters for this tunnel applies."

Thanks

209
Views
0
Helpful
4
Replies
CreatePlease to create content