How to see what transform set is in use

mickyq
Level 1

A pen test has shown I have a crackable transform set on my firewall. I can see the config this relates to and do have higher encryption available. What I don't want to do is remove it until I know my remote sites are not using it.

Does anyone know a command that shows all the policies/encryption in use?

Thanks

5 Replies

Jouni Forss
VIP Alumni

Hi,

Haven't really had to do this before, but the first option that came to my mind was to use the following command:

sh crypto ipsec sa | inc esp|current_peer

Or something similar.

This was used on ASA 8.2 software.

- Jouni

Thanks JouniForss.

This does show me the encryption, but I also need to know what DH group they are using. Ideally I need to know what crypto isakmp policy is being used.

I can't find a command that will show this.

You can use the show crypto isakmp policy command to display the policies configured on the unit.

Hi,

To my understanding, the isakmp policy on Cisco devices isn't attached to any particular VPN in any way. They are just gone through in priority order with the remote host/peer until a match is found. I think all the configured policies are contained in the messages that the peers send to each other.

Then again, I have no idea how this is handled in devices manufactured by others. I gather there is an option to configure this per connection in other devices?

Debugs would naturally tell you what Phase 1 parameters are being used, but it might be a bit hard to go through all VPNs, depending of course on your setup, which we don't know.

- Jouni

mickyq
Level 1

Thanks for the help guys.

I think using the suggested commands I can work out which policy is being used. They seem to be using the preferred policy, so I can remove the one with DH group 1 and DES, which is the offending item.

cheers

Mick
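The procedure the thread converges on (read the negotiated Phase 1 parameters off the live SAs, compare them with the configured policies in priority order, and separately check the ESP transforms from show crypto ipsec sa) as an added worked example. This is not code from the thread or from Cisco; it is Python rather than ASA CLI because the comparison step is the part the CLI will not do for you. All three show outputs below are constructed samples in IOS/ASA style: the exact wording, and in particular whether show crypto isakmp sa detail prints Encr/Hash/DH columns on your platform and release, is an assumption to check against a real device before trusting the regexes. WEAK_ENCR, WEAK_DH and WEAK_ESP are names chosen here, not device settings.

```python
# Added example, not from the thread: parse ISAKMP/IPsec show output and report
# which configured policies and ESP transforms the live peers negotiated. All
# sample output is constructed in IOS/ASA style; exact wording varies (assumption).
import re

# Constructed, abbreviated "show crypto isakmp policy" output.
SHOW_ISAKMP_POLICY = """\
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        Diffie-Hellman group:   #5 (1536 bit)
Protection suite of priority 20
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        Diffie-Hellman group:   #1 (768 bit)
Protection suite of priority 30
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        Diffie-Hellman group:   #1 (768 bit)
"""

# Constructed IOS-style "show crypto isakmp sa detail" table (Encr/Hash/DH columns).
SHOW_ISAKMP_SA_DETAIL = """\
C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.
1001  10.0.0.1        203.0.113.10           ACTIVE aes  sha    psk  5  23:59:20
1002  10.0.0.1        203.0.113.20           ACTIVE 3des md5    psk  1  23:12:04
"""

# Constructed lines of the kind Jouni's grep keeps from "show crypto ipsec sa".
SHOW_IPSEC_SA = """\
   current_peer: 203.0.113.10
        transform: esp-aes-256 esp-sha-hmac none
   current_peer: 203.0.113.20
        transform: esp-des esp-md5-hmac none
"""

WEAK_ENCR, WEAK_DH, WEAK_ESP = {"des"}, {1}, {"esp-des", "esp-null"}  # our own sets

def norm_encr(text):
    """'AES - ...', 'Three key triple DES', 'aes256', 'des' -> aes / 3des / des."""
    t = text.lower()
    if "aes" in t:
        return "aes"
    return "3des" if "3des" in t or "triple" in t else ("des" if "des" in t else t.strip())

def norm_hash(text):
    """'Secure Hash Standard' / 'sha' -> sha, 'Message Digest 5' / 'md5' -> md5."""
    t = text.lower()
    return "sha" if "sha" in t or "secure hash" in t else ("md5" if "md5" in t or "message digest" in t else t.strip())

def parse_isakmp_policy(output):
    """Return [{'priority', 'encr', 'hash', 'dh'}] sorted by priority (lowest is preferred)."""
    policies, cur = [], None
    for line in output.splitlines():
        if m := re.match(r"\s*Protection suite of priority (\d+)", line):
            cur = {"priority": int(m.group(1))}
            policies.append(cur)
        elif cur and (m := re.match(r"\s*encryption algorithm:\s*(.+)", line)):
            cur["encr"] = norm_encr(m.group(1))
        elif cur and (m := re.match(r"\s*hash algorithm:\s*(.+)", line)):
            cur["hash"] = norm_hash(m.group(1))
        elif cur and (m := re.match(r"\s*Diffie-Hellman group:\s*#(\d+)", line)):
            cur["dh"] = int(m.group(1))
    return sorted(policies, key=lambda p: p["priority"])

def parse_isakmp_sa(output):
    """Return {remote_peer: (encr, hash, dh)} for every established IKE SA row."""
    # Skip to the Encr token, then take Hash, Auth (ignored) and DH.
    row = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+.*?\b(des|3des|aes\S*)\s+(\S+)\s+\S+\s+(\d+)\b")
    peers = {}
    for line in output.splitlines():
        if m := row.match(line):
            peer, encr, hsh, dh = m.groups()
            peers[peer] = (norm_encr(encr), norm_hash(hsh), int(dh))
    return peers

def parse_ipsec_sa(output):
    """Return {current_peer: {transform lines}} from current_peer / transform: lines."""
    peers, cur = {}, None
    for line in output.splitlines():
        if m := re.search(r"current_peer:?\s+(\S+)", line):
            cur = peers.setdefault(m.group(1), set())
        elif cur is not None and (m := re.search(r"transform:\s+(.+)", line)):
            cur.add(m.group(1).strip())
    return peers

def match_policies(policies, sa_peers):
    """Peer -> preferred configured policy equal to what it negotiated (None: no match,
    e.g. the config changed after the SA came up)."""
    return {peer: next((p["priority"] for p in policies
                        if (p["encr"], p["hash"], p["dh"]) == params), None)
            for peer, params in sa_peers.items()}

def policy_report(policies, sa_peers):
    """Split weak policies (DES or DH group 1) into still-negotiated and unused."""
    used = match_policies(policies, sa_peers)
    in_use = {pr for pr in used.values() if pr is not None}
    weak = {p["priority"] for p in policies if p["encr"] in WEAK_ENCR or p["dh"] in WEAK_DH}
    return {"peer_policy": used, "weak_in_use": sorted(weak & in_use),
            "weak_unused": sorted(weak - in_use)}

def weak_esp_peers(ipsec_peers):
    """Peers whose current IPsec SA carries a weak ESP transform (Phase 2 check)."""
    return sorted(peer for peer, transforms in ipsec_peers.items()
                  if any(tok in WEAK_ESP for tr in transforms for tok in tr.split()))
```

With the constructed samples, policy_report(parse_isakmp_policy(SHOW_ISAKMP_POLICY), parse_isakmp_sa(SHOW_ISAKMP_SA_DETAIL)) maps 203.0.113.10 to policy 10 and 203.0.113.20 to policy 20, so weak_in_use is [20] (a live peer still negotiates DH group 1) and weak_unused is [30] (the DES policy nobody matched), while weak_esp_peers(parse_ipsec_sa(SHOW_IPSEC_SA)) flags 203.0.113.20 for esp-des. Two caveats when running this against real output: only established SAs appear in show crypto isakmp sa and show crypto ipsec sa, so a remote site that is down or idle when you look will not show up, and you should collect output over a period (or after bringing every tunnel up) before treating weak_unused as safe to delete; and the Phase 1 policy and the Phase 2 transform set are negotiated separately, which is why the ESP transforms are reported on their own.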
