I am having difficulty with a site-to-site VPN using the wrong crypto map.
When I try to bring a site-to-site tunnel up with a 3DES/SHA1 tunnel, the tunnel tries to use AES/SHA1. Is there a bug in the 9.1 code that could be causing this issue? I already have another 3DES/SHA1 tunnel up and it works.
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 18.104.22.168
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 1 set nat-t-disable
crypto map outside-_map0 2 match address outside-stevensons_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer 22.214.171.124
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside-_map0 2 set ikev2 ipsec-proposal Site 2
crypto map outside-_map0 2 set ikev2 pre-shared-key *****
crypto map outside-_map0 3 match address outside-stevensons_cryptomap_2
crypto map outside-_map0 3 set peer 126.96.36.199
crypto map outside-_map0 3 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside-_map0 3 set ikev2 ipsec-proposal Site 3
crypto map outside-_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-_map0 interface outside-stevensons
The "problem" is probably caused by a misunderstanding of IPsec. You show a config for the protected data (IPsec SAs), which is configured with 3DES and MD5/SHA1. But when you see AES, you are probably looking at the "management" tunnel (IKE SA), which is controlled by the "crypto ikev1 policy" commands. And there you probably have policies with AES.
All in all, I wouldn't see a problem in that. You should even consider using AES with SHA1 if the other side supports that. 3DES and MD5 are legacy and outdated crypto, and better algorithms are available. If you can use AES/SHA1, then use that.
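As an added example (not from the thread), the following script parses ASA crypto-map entries in the syntax of the posted config and reports, per map entry, the peer and the configured IPsec transform sets that still use 3DES, DES or MD5; the sample config and its peer addresses are constructed placeholders. It covers only the IPsec SA side ("set ikev1 transform-set"); the IKE SA algorithms come from the separate "crypto ikev1 policy" commands, which this audit does not parse.

```python
"""Audit Cisco ASA crypto-map entries for legacy IPsec transform sets.
Added example, not from the thread. Only 'set peer' and 'set ikev1
transform-set' lines are parsed; the IKE SA (crypto ikev1 policy) is separate."""
import re
from collections import defaultdict

# Constructed sample in the syntax of the posted config (placeholder peer IPs).
SAMPLE_CONFIG = """
crypto map outside_map0 1 set peer 192.0.2.10
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 2 set peer 192.0.2.20
crypto map outside_map0 2 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto map outside_map0 3 set peer 192.0.2.30
crypto map outside_map0 3 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
"""

LEGACY = {"DES", "3DES", "MD5"}  # algorithm tokens inside ESP-<cipher>-<hash> names
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (peer|ikev1 transform-set) (.+)$")


def parse_crypto_maps(config: str) -> dict:
    """Return {(map_name, seq): {"peer": str | None, "transform_sets": [...]}}."""
    entries = defaultdict(lambda: {"peer": None, "transform_sets": []})
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if not m:
            continue  # match address, pfs, dynamic-map lines are not needed here
        name, seq, kind, rest = m.groups()
        key = (name, int(seq))
        if kind == "peer":
            entries[key]["peer"] = rest.split()[0]
        else:
            entries[key]["transform_sets"].extend(rest.split())
    return dict(entries)


def is_legacy(transform_set: str) -> bool:
    """ESP-3DES-SHA -> True (3DES); ESP-AES-256-SHA -> False."""
    return any(tok in LEGACY for tok in transform_set.upper().split("-")[1:])


def legacy_report(config: str) -> dict:
    """Map (map_name, seq) -> (peer, [legacy transform sets]) for entries to fix."""
    report = {}
    for key, entry in parse_crypto_maps(config).items():
        weak = [ts for ts in entry["transform_sets"] if is_legacy(ts)]
        if weak:
            report[key] = (entry["peer"], weak)
    return report


if __name__ == "__main__":
    for (name, seq), (peer, weak) in sorted(legacy_report(SAMPLE_CONFIG).items()):
        print(f"{name} {seq} peer={peer}: legacy transform sets {weak}")
```

Feed it the output of "show running-config crypto map" to get a per-peer list of entries still offering 3DES or MD5 before negotiating the move to AES/SHA1 with the remote side.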