cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
784
Views
0
Helpful
2
Replies

Site to Site VPN using incorrect Crypto Map

lukedp
Level 1
Level 1

I am having difficulty with a site to site VPN using the wrong crypto map.

 

When i try to bring a site to site tunnel up with a 3des / sha1 tunnel the, tunnel tries to use aes / sha1. is there a bug in the 9.1 code that could be causing this issue. I all ready have another 3des / sha1 tunnel up and it works.

 

crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 20.20.20.20
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside-_map0 2 match address outside-stevensons_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 11.11.11.11
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside-_map0 2 set ikev2 ipsec-proposal Site 2
crypto map outside-_map0 2 set ikev2 pre-shared-key *****
crypto map outside-_map0 3 match address outside-stevensons_cryptomap_2
crypto map outside-_map0 3 set peer 119.252.89.106
crypto map outside-_map0 3 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside-_map0 3 set ikev2 ipsec-proposal Site 3
crypto map outside-_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-_map0 interface outside-stevensons

 

2 Replies 2

The "problem" is probably caused by a misunderstanding of IPsec. You show a config for the protected data (IPsec SAs) which is configured with 3DES and MD5/SHA1. But when you see AES, you are probably looking at the "management"-tunnel (IKE SA) which ist controlled by the "crypto ikev1 policy" commands. And there you are probably having policies with AES.

 

All in all, I wouldn't see a problem in that. You should even consider using AES with SHA1 if the other side supports that. 3DES and MD5 is legacy and outdated crypto and better algorithms are available. If you can use AES/SHA1, then use that.

 

HI Karsten, Thanks for clarifying, unfortunately other side does not support AES / SHA. I will look into my ike polices again.
Review Cisco Networking for a $25 gift card