Re: IKE using AES-128 and not AES-256? Is it using prefered opti

jamesgonzo · ‎02-19-2008

I have just changed one of my site-to-site VPNs from 3DES/MD5 to AES-256/SHA and it's connected.

here is the config:

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

crypto isakmp key ***** address 1.2.3.4

!

crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac

!

crypto map Crypto_Map 10 ipsec-isakmp

set peer 1.2.3.4

set transform-set T_Set

match address 101

On the Cisco Concentrator it shows the session connected as AES-128 (second option in list of proposals) and not

AES-256 (first and preferred option) for the IKE, can my Cisco 877 not handle it? Is the IKE the connection and the IPsec the data transfer?

This is what the Cisco Concentrator shows:

IKE Session

Session ID 1

Encryption Algorithm AES-128

Hashing Algorithm SHA-1

Diffie-Hellman Group Group 2 (1024-bit)

Authentication Mode Pre-Shared Keys

IKE Negotiation Mode Main

Rekey Time Interval 86400 seconds

IPSec Session

Session ID 2

Remote Address 172.19.2.0/0.0.0.255

Local Address 0.0.0.0/255.255.255.255

Encryption Algorithm AES-256

Hashing Algorithm SHA-1

Encapsulation Mode Tunnel

Rekey Time Interval 3600 seconds

Rekey Data Interval 4608000 KBytes

Bytes Received 148368

Bytes Transmitted 152480

Thanks in advance for your help

owillins · ‎02-26-2008

Please go through this Cisco IOS VPN Configuration Examples and TechNotes for your configuration

http://www.cisco.com/en/US/products/ps9403/prod_configuration_examples_list.html

Danilo Dy · ‎02-26-2008

Hi,

Your IKE Session encryption is aes-128, IKE Policy configuration. While your IPSec Session encryption is AES-256, AES Transform Set configuration.

In your "crypto isakmp policy 1", "encr aes" means "encr aes-128". Use "encr aes-256" instead of "encr aes" only. i.e.

crypto isakmp policy 1

encr aes-256

authentication pre-share

group 2

Regards,

Dandy

IKE using AES-128 and not AES-256? Is it using prefered option?