
3des vers des tunnels

TRACY HARTMANN
Level 1

I have a 3DES crypto map and 3DES transform set on a router. We had an audit done that said we were running DES on the router. I am not seeing it, since I have only one tunnel. Could I just block DES on the ACL? If so, what port?

14 Replies

p.mcgowan
Level 3

Check that you are not still allowing a DES connection on your crypto map.

Can you post your config?

Sorry, I should have posted it.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 25
 encr 3des
 authentication pre-share
 group 2

crypto ipsec transform-set vendor esp-3des esp-md5-hmac
crypto ipsec transform-set SAPoss esp-3des esp-md5-hmac

crypto map vendors client authentication list userauthen
crypto map vendors isakmp authorization list groupauthor
crypto map vendors client configuration address respond
crypto map vendors 30 ipsec-isakmp
 description connection to Sap OSS
 set peer xxx.xx.xxx.xxx
 set security-association lifetime seconds 7200
 set transform-set SAPoss
 match address SAPOSS

ip access-list extended SAPOSS
 permit ip host xxx.xxx.xxx.xxx host xx.xxx.xx.xxx
 permit ip host xxx.xxx.xxx.xxx host xx.xxx.xx.xx
 permit ip host xxx.xxx.xx.xx host xxx.xxx.xxx.xxx

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Your auditor might be "seeing" the default crypto policy, which might be DES.

I.e.

#sh crypto isakmp pol

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
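To turn that "show" output into an audit finding, here is an added example (not code from the thread): a small Python parser that splits each protection suite out of "show crypto isakmp policy" and flags DES, 3DES, MD5 and DH groups 1 and 2. The sample text is constructed, modelled on the OP's policy 1 and the default suite shown above.

```python
import re

# Constructed sample modelled on the thread: OP's policy 1 (3DES/MD5/DH2), an AES suite, and the DES default suite
SHOW_OUTPUT = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        Diffie-Hellman group:   #2 (1024 bit)
Protection suite of priority 2
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        Diffie-Hellman group:   #5 (1536 bit)
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        Diffie-Hellman group:   #1 (768 bit)
"""

def parse_policies(text):
    # One dict of "attribute: value" per protection suite, in display order
    suites, current = [], None
    for line in text.splitlines():
        if m := re.match(r"^(Protection suite of priority \d+|Default protection suite)\s*$", line):
            current = {"name": m.group(1)}
            suites.append(current)
        elif current is not None and (m := re.match(r"^\s+([A-Za-z -]+):\s+(.+?)\s*$", line)):
            current[m.group(1)] = m.group(2)
    return suites

def weak_findings(suite):
    # Flag single DES, legacy 3DES, MD5 and the 768/1024-bit DH groups 1 and 2
    findings = []
    enc = suite.get("encryption algorithm", "")
    if enc.startswith("DES"):
        findings.append("DES encryption")
    elif "triple DES" in enc:
        findings.append("3DES encryption (legacy)")
    if "Message Digest 5" in suite.get("hash algorithm", ""):
        findings.append("MD5 hash")
    g = re.search(r"#(\d+)", suite.get("Diffie-Hellman group", ""))
    if g and int(g.group(1)) in (1, 2):
        findings.append(f"DH group {g.group(1)}")
    return findings

def audit(text):
    # Suite name -> findings; an empty list means nothing weak is offered by that suite
    return {s["name"]: weak_findings(s) for s in parse_policies(text)}
```

Note that the default suite is reported like any configured one, which is exactly what an auditor's scanner sees even when no tunnel ever negotiates it.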

Yes, there is a default; what are the commands to remove it? Thanks again.

I tried "no crypto isakmp default policy" but it didn't work. The version is:

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

SAPoss uptime is 50 weeks, 2 days, 35 minutes
System returned to ROM by power-on
System restarted at 15:25:13 CDT Wed Nov 2 2011
System image file is "flash:c2800nm-advsecurityk9-mz.124-25b.bin"


I'm unaware of a method to negate the default policy, but what the default policy supports is an encrypted connection's use of DES; that's not the same as having, or permitting, a session to use DES. The latter is controlled by your session key and session source.

Dear Tracy,

Please check this out:

crypto isakmp default policy

To enable default policies for Internet Security Association and Key Management Protocol (ISAKMP) protection suite, use the crypto isakmp default policy command in global configuration mode. To disable the default IKE policies, use the no form of this command.

crypto isakmp default policy

no crypto isakmp default policy

Syntax Description

This command has no arguments or keywords.

Command Default

The default ISAKMP policies are enabled.

Command Modes

Global configuration (config)

Command History

Release                    Modification
12.4(20)T                  This command was introduced.
Cisco IOS XE Release 2.4   This command was implemented on the Cisco ASR 1000 series routers.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1051491

Please mark this post as answered and rate any helpful posts.

Portu

Message was edited by: Javier Portuguez


Javier, great information! I've rated it as a 5.

However, the feature was introduced in 12.4(20)T, and the original poster, in a later post, notes he is using 12.4(25b). I.e. it doesn't solve the issue for him unless he upgrades his IOS.

Hi Joseph,

Thanks for taking the time to rate my post!

At this point I think that most likely a newer platform must be purchased in order to run the latest 15.x code version.

Thanks.

Portu

At this point I think that most likely a newer platform must be purchased in order to run the latest 15.x code version.

Not really. ISR routers can run up to 15.1(4)M. The OP is running very old code.

And be aware of the fact that the default policies in 12.4(20)T are different from the default policy in previous versions. The defaults in the newer IOS are quite fine if you still feel comfortable with DH5 and DH2 (but 3DES and MD5 are also included, so it's really best to disable them).



(but 3DES and MD5 are also included, so it's really best to disable them).

I can see disabling "weak" default encryption policies to preclude "accidentally" using a "weak" encryption policy, but do you see any other reasons to be particularly concerned?

I can see disabling "weak" default encryption policies to preclude "accidentally" using a "weak" encryption policy, but do you see any other reasons to be particularly concerned?

The main problem I see is also the misconfiguration. But for a paranoid security guy it shouldn't be ignored that a MitM attacker could manipulate the phase-one packets and remove the strong algorithms. But that was more relevant in older IOS where DES was the default (and most of the time not relevant as the default was also RSA-SIG).

In any case, I think having a rule in logcheck available that looks for the relevant syslog entries (CRYPTO-6-IKMP_POLICY_DEFAULT and CRYPTO-6-IPSEC_USING_DEFAULT) is a good choice.

And for 3DES: well, it's just not state of the art any more:

http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
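One way to act on that logging suggestion, as an added example that is not from the thread: parse IOS syslog lines and pull out the two mnemonics named above, with the equivalent logcheck pattern alongside. The hostnames and the message text after each mnemonic are constructed for the sample.

```python
import re
from collections import Counter

# Mnemonics named in the reply above: a peer negotiated a built-in default
# ISAKMP policy or default IPsec transform-set instead of a configured one.
DEFAULT_POLICY_MNEMONICS = {"IKMP_POLICY_DEFAULT", "IPSEC_USING_DEFAULT"}

# Constructed sample in IOS syslog layout; hostnames and message text are made up.
SAMPLE_LOG = """\
Nov  2 15:30:01 rtr-saposs 101: *Nov  2 15:30:00.123 CDT: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
Nov  2 15:30:02 rtr-saposs 102: *Nov  2 15:30:01.456 CDT: %CRYPTO-6-IPSEC_USING_DEFAULT: Using Default IPsec transform-set
Nov  2 15:31:10 rtr-saposs 103: *Nov  2 15:31:09.000 CDT: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Nov  2 15:32:00 rtr-branch 501: *Nov  2 15:31:59.900 CDT: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
Nov  2 15:33:00 rtr-branch 502: *Nov  2 15:32:59.900 CDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Relay timestamp, router hostname, then "%FACILITY-SEVERITY-MNEMONIC: text" as IOS emits it
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+.*?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$"
)

def parse_ios_syslog(text):
    # Yield one dict per line that carries an IOS-style message header
    for line in text.splitlines():
        if m := LINE.match(line):
            yield m.groupdict()

def default_policy_events(text):
    # Events where a tunnel came up on a default suite rather than a configured one
    return [e for e in parse_ios_syslog(text)
            if e["fac"] == "CRYPTO" and e["mnem"] in DEFAULT_POLICY_MNEMONICS]

def hosts_using_defaults(text):
    # Hostname -> number of default-policy/transform events, for the alert summary
    return Counter(e["host"] for e in default_policy_events(text))

# Same match as an extended regex for a logcheck violations.d rules file
# (logcheck's usual date/host prefix, then the two CRYPTO mnemonics)
LOGCHECK_RULE = r"^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ .*%CRYPTO-6-(IKMP_POLICY_DEFAULT|IPSEC_USING_DEFAULT):"
```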

After reading through all the answers, I think the question is still not answered ...

1) DES cannot be blocked by an ACL. The algorithms are negotiated through a communication which is running by default on UDP/500. You should see a corresponding ACE in your outside ACL.

2) If you upgrade your router to a recent IOS (at least 12.4(20)T), then there is no default-policy with DES available any more as the defaults changed.

