3des vers des tunnels

TRACY HARTMANN
Beginner

I have a 3des crypto map and 3des transform set on a router. We had an audit done that said we were running des on the router. I am not seeing it, since I have only one tunnel. Could I just block des on the ACL? If so what port?

p.mcgowan
Participant

check that you are not still allowing a des connection on your crypto-map.

Can you post your config?

Sorry I should have posted it.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 25
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set vendor esp-3des esp-md5-hmac
crypto ipsec transform-set SAPoss esp-3des esp-md5-hmac

crypto map vendors client authentication list userauthen
crypto map vendors isakmp authorization list groupauthor
crypto map vendors client configuration address respond
crypto map vendors 30 ipsec-isakmp
description connection to Sap OSS
set peer XXXXX
set security-association lifetime seconds 7200
set transform-set SAPoss
match address SAPOSS

ip access-list extended SAPOSS
permit ip host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
permit ip host xxx.xxx.xxx.xxx host xx.xxx.xx.xx
permit ip host xx.xxx.xx.xx host xxx.xxx.xxx.xxx

Your auditor might be "seeing" the default crypto policy, which might be DES.

I.e.

#sh crypto isakmp pol

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
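As an added example (not code from this thread), a small Python check that parses `show crypto isakmp policy` output, the implicit default protection suite included, and flags the single-DES, MD5 and 768-bit DH group 1 settings an auditor would report. The sample output is constructed, modeled on the one quoted above.

```python
import re

# Constructed sample, modeled on the `show crypto isakmp policy` output quoted above.
SAMPLE = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

def parse_isakmp_policies(text):
    """One dict per protection suite; the implicit default suite is included."""
    suites, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:Protection suite of priority (\d+)|Default protection suite)", line)
        if m:
            # The default suite has no priority number; label it "default".
            current = {"priority": m.group(1) or "default"}
            suites.append(current)
            continue
        kv = re.match(r"\s*([A-Za-z\- ]+?):\s+(.*)", line)
        if kv and current is not None:
            current[kv.group(1).strip().lower()] = kv.group(2).strip()
    return suites

def weak_findings(suites):
    """Flag what an auditor reports: single DES, MD5 hashing, or 768-bit DH group 1."""
    findings = []
    for s in suites:
        reasons = []
        hsh = s.get("hash algorithm", "")
        if s.get("encryption algorithm", "").startswith("DES"):
            reasons.append("single DES")
        if "Message Digest 5" in hsh or "MD5" in hsh:
            reasons.append("MD5 hash")
        if re.match(r"#1\b", s.get("diffie-hellman group", "")):
            reasons.append("DH group 1")
        if reasons:
            findings.append((s["priority"], reasons))
    return findings
```

Run it over output captured from the router; a `default` entry in the findings is the implicit policy the audit tool was seeing rather than one of the configured 3DES policies.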

Yes, there is a default. What are the commands to remove it? Thanks again.

I tried no crypto isakmp default policy but it didn't work.  The version is

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (f