Cisco Support Community
Community Member

ISAKMP on Cisco 877 router

Hi, I have a Cisco 877 configured in VPN mode to connect to a Cisco Concentrator. The ISAKMP policy is AES-256/SHA and DH group 5.

Now, first of all, the 877 will only connect as a VPN if I set both the concentrator and the 877 to DH group 2, and when I look at the session info the ISAKMP is using AES-128/SHA. Why not AES-256?

Thanks

Accepted Solution

Re: ISAKMP on Cisco 877 router

Hi,

Your IKE session encryption is AES-128 with DH group 2 (the IKE policy configuration), while your IPsec session encryption is AES-256 (the AES transform-set configuration).

In your "crypto isakmp policy 1", "encr aes" means "encr aes-128". Use "encr aes-256" instead of just "encr aes", and use DH group 5, i.e.

crypto isakmp policy 1
 encr aes-256
 authentication pre-share
 group 5

Regards,

Dandy
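As an added example (not from the thread or from Cisco), a small Python audit of the kind of config posted above: it applies the IOS ISAKMP policy defaults (DES, SHA, RSA signatures, group 1) to anything the policy leaves unset, treats a bare "encr aes" as AES-128, reads the ESP cipher out of the transform set, and reports where phase 1 differs from the intended AES-256/SHA/group 5 and where the IKE and IPsec cipher strengths disagree. The config it parses is the 877 config quoted in the thread, constructed inline; the "encr"/"encryption" spellings and the regexes are assumptions about how the running config is rendered.

```python
import re
# Constructed sample: the 877 config quoted in this thread. On IOS a bare "encr aes" means AES-128.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
"""
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}  # IOS defaults

def isakmp_policies(config):
    """{priority: {encr, hash, authentication, group}} with IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in ("encr", "encryption"):  # "aes" -> aes-128, "aes 256" -> aes-256
                value = value.replace(" ", "-")
                current["encr"] = "aes-128" if value == "aes" else value
            elif key in current:
                current[key] = value
        else:
            current = None  # left the policy block
    return policies

def transform_sets(config):
    """{name: ESP cipher}: 'esp-aes 256' -> 'aes-256', bare 'esp-aes' -> 'aes-128'."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        toks = m.group(2).split()
        for i, t in enumerate(toks):
            if t == "esp-aes":
                nxt = toks[i + 1] if i + 1 < len(toks) else ""
                sets[m.group(1)] = "aes-" + (nxt if nxt.isdigit() else "128")
    return sets

def audit(config, want):
    """Findings: policy settings that differ from `want`, and IKE/IPsec cipher mismatches."""
    findings, ciphers = [], set(transform_sets(config).values())
    for prio, pol in sorted(isakmp_policies(config).items()):
        findings += [f"policy {prio}: {k} is {pol[k]}, wanted {v}"
                     for k, v in want.items() if pol[k] != v]
        if ciphers and pol["encr"] not in ciphers:
            findings.append(f"policy {prio}: IKE uses {pol['encr']} but IPsec uses {'/'.join(sorted(ciphers))}")
    return findings
```

Running audit(SAMPLE_CONFIG, {"encr": "aes-256", "hash": "sha", "group": "5"}) reports the AES-128 and group 2 mismatches plus the IKE/IPsec strength gap; after changing the policy to "encr aes 256" and "group 5" it reports nothing.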

7 REPLIES
Blue

Re: ISAKMP on Cisco 877 router

Can you post the configs for both boxes for us?

Thanks

Community Member

Re: ISAKMP on Cisco 877 router

Hi, the Cisco 877 is:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ********* address 1.2.3.4
!
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set T_Set
 match address 101

I want to use DH 5 on the above though.

The Concentrator is web-based only (unless I'm wrong), but here is the configuration for the above:

Authentication = ESP/SHA/HMAC-160
Encryption = IKE-AES256-SHA
IKE Proposal = IKE-AES256-SHA

Blue

Re: ISAKMP on Cisco 877 router

Hi:

I'm confused about one thing...

On the 877, you have DH group 2 configured, not 5. So why are you surprised that the connection comes up with a DH 2 sa?

Community Member

Re: ISAKMP on Cisco 877 router

Dandy I will try this and let you know tomorrow, looks like I've been an idiot!

Blue

Re: ISAKMP on Cisco 877 router

You're not an idiot.

Good luck.

Victor

Community Member

Re: ISAKMP on Cisco 877 router

That fixed it!!

All my Cisco 877s and 1841 are using the new settings now. Only my 837s are not, as they don't seem to be able to do AES.

Thanks
