ISAKMP on Cisco 877 router

whiteford
Level 1

Hi, I have a Cisco 877 configured in VPN mode to connect to a Cisco Concentrator. The ISAKMP policy is AES-256/SHA and DH group 5.

Now, first of all, the 877 will only connect as a VPN if I set both the concentrator and the 877 to DH group 2, and when I look at the session info the ISAKMP is using AES-128/SHA. Why not AES-256?

Thanks

Accepted Solution

Hi,

Your IKE session encryption is AES-128 with DH group 2 (the IKE policy configuration), while your IPsec session encryption is AES-256 (the transform-set configuration).

In your "crypto isakmp policy 1", "encr aes" means "encr aes-128". Use "encr aes-256" instead of just "encr aes", and use DH group 5, i.e.

crypto isakmp policy 1
 encr aes-256
 authentication pre-share
 group 5

Regards,

Dandy

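The distinction Dandy draws (IKE policy versus transform set, and a bare "encr aes" meaning AES-128) is easy to check mechanically. As an added example that is not from this thread, the Python below parses the posted IOS config and reports where phase 1 (ISAKMP) is weaker than intended or weaker than phase 2 (IPsec); it accepts both "encr aes 256" (the form IOS itself writes) and the "encr aes-256" spelling used in the reply. The sample config and the "classic IOS defaults" of DES and group 1 are assumptions stated in the code.

```python
import re

# Constructed sample: the OP's posted 877 config (pre-shared key redacted as in the post).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ********* address 1.2.3.4
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
"""

def _aes(name, length):
    """A bare 'aes'/'esp-aes' with no key length means AES-128 in IOS."""
    base = name.replace("esp-", "")
    return "AES-%s" % (length or "128") if base == "aes" else base.upper()

def parse_crypto(config):
    """Return ({policy_no: {'encr', 'group'}}, {set_name: cipher}) with normalised names."""
    policies, transforms, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            cur = policies.setdefault(int(m.group(1)), {"encr": "DES", "group": 1})  # classic IOS defaults
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+?)(?: (\d+))?(?: |$)", line):
            transforms[m.group(1)] = _aes(m.group(2), m.group(3))
        elif cur is not None and line.startswith(("encr", "group ")):
            tok = line.replace("-", " ").split()  # accepts 'encr aes 256' and 'encr aes-256'
            if tok[0] == "group":
                cur["group"] = int(tok[1])
            else:
                cur["encr"] = _aes(tok[1], tok[2] if len(tok) > 2 else None)
        elif line == "!" or line.startswith("crypto "):
            cur = None  # left the policy block
    return policies, transforms

def audit(config, want_encr="AES-256", want_group=5):
    """List where IKE (phase 1) falls short of the intended policy or of IPsec (phase 2)."""
    policies, transforms = parse_crypto(config)
    findings = []
    for no, p in sorted(policies.items()):
        if p["encr"] != want_encr:
            findings.append("isakmp policy %d: IKE uses %s, intended %s" % (no, p["encr"], want_encr))
        if p["group"] < want_group:
            findings.append("isakmp policy %d: DH group %d, intended %d" % (no, p["group"], want_group))
        for name, cipher in transforms.items():
            if cipher != p["encr"]:
                findings.append("transform-set %s: IPsec %s vs IKE %s in policy %d" % (name, cipher, p["encr"], no))
    return findings
```

Running audit(SAMPLE_CONFIG) reproduces the three symptoms in the thread; applying the accepted fix to the sample returns no findings.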

7 Replies

lamav
Level 8

Can you post the configs for both boxes for us?

Thanks

Hi, the Cisco 877 is:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ********* address 1.2.3.4
!
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set T_Set
 match address 101

I want to use DH 5 on the above though.

The Concentrator is web-based only (unless I'm wrong), but here is the configuration for the above:

Authentication = ESP/SHA/HMAC-160

Encryption = IKE-AES256-SHA

IKE Proposal = IKE-AES256-SHA

Hi:

I'm confused about one thing...

On the 877, you have DH group 2 configured, not 5. So why are you surprised that the connection comes up with a DH 2 sa?


Dandy I will try this and let you know tomorrow, looks like I've been an idiot!

You're not an idiot.

Good luck.

Victor

That fixed it!!

All my Cisco 877s and 1841s are using the new settings now. Only my 837s are not, as they don't seem to be able to do AES.

Thanks
