
The CBC availability of IKE Version 1 Phase-1 and Phase-2 on ISR-G2 Router

mhiyoshi
Level 3

Hello

I have been investigating the availability of CBC (Cipher Block Chaining) encryption in IKE Version 1.

At this moment, IKE Phase 1 uses CBC encryption such as AES-CBC and DES-CBC, as shown below using debug crypto isakmp.

Apr 30 06:27:59.583: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Apr 30 06:27:59.583: ISAKMP:      encryption AES-CBC
Apr 30 06:27:59.583: ISAKMP:      keylength of 256

Apr 30 06:23:19.823: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Apr 30 06:23:19.823: ISAKMP:      encryption DES-CBC

However, if I use debug crypto ipsec, it only shows esp-aes or esp-des. So I think IKEv1 Phase 2 does not use CBC mode. Is that true?

Apr 30 06:32:43.587: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.254, sa_proto= 50,
    sa_spi= 0x22DF775C(585070428),
    sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 9
    sa_lifetime(k/sec)= (4515208/3600)


Apr 30 06:34:53.647: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.254, sa_proto= 50,
    sa_spi= 0xED7B5044(3984281668),
    sa_trans= esp-des esp-sha256-hmac , sa_conn_id= 11

 

I would appreciate it if you could let me know any related information.

Best Regards,

Masanobu Hiyoshi
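
The comparison made in the post, as an added example that is not part of the original post: a Python parser for the two debug formats quoted above that reports cipher and mode for each phase. `debug crypto ipsec` prints only the transform-set keyword, so the keyword-to-mode table is an assumption drawn from the IOS transform definitions (esp-des, esp-3des and esp-aes being the CBC transforms), and `parse`, `ESP_MODES` and `SAMPLE` are names chosen here.

```python
import re

# Debug lines taken from the post above (trimmed; stray quote after DES-CBC dropped).
SAMPLE = """\
Apr 30 06:27:59.583: ISAKMP:      encryption AES-CBC
Apr 30 06:27:59.583: ISAKMP:      keylength of 256
Apr 30 06:23:19.823: ISAKMP:      encryption DES-CBC
Apr 30 06:32:43.587: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.254, sa_proto= 50,
    sa_spi= 0x22DF775C(585070428),
    sa_trans= esp-aes esp-sha256-hmac , sa_conn_id= 9
Apr 30 06:34:53.647: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.0.0.254, sa_proto= 50,
    sa_spi= 0xED7B5044(3984281668),
    sa_trans= esp-des esp-sha256-hmac , sa_conn_id= 11
"""

# IOS transform-set keyword -> (cipher, mode). The debug output does not print the
# mode; this table is an assumption, not something stated on the page: esp-des,
# esp-3des and esp-aes are the CBC transforms, while GCM has its own keyword.
ESP_MODES = {"esp-des": ("DES", "CBC"), "esp-3des": ("3DES", "CBC"),
             "esp-aes": ("AES", "CBC"), "esp-gcm": ("AES", "GCM")}

def parse(log):
    """Return (phase1, phase2): cipher records from ISAKMP and IPSEC debug lines."""
    phase1, phase2, sa = [], [], None
    for line in log.splitlines():
        if m := re.search(r"ISAKMP:\s+encryption (\w+)-(\w+)", line):
            phase1.append({"cipher": m[1], "mode": m[2], "keylength": None})
        elif (m := re.search(r"ISAKMP:\s+keylength of (\d+)", line)) and phase1:
            phase1[-1]["keylength"] = int(m[1])
        elif "IPSEC(create_sa)" in line:
            sa = {"spi": None, "cipher": None, "mode": None, "integrity": None}
            phase2.append(sa)
        elif sa is not None:
            if m := re.search(r"sa_spi= (0x[0-9A-Fa-f]+)", line):
                sa["spi"] = m[1]
            if m := re.search(r"sa_trans= ([^,]*),", line):
                for token in m[1].split():
                    if token.endswith("-hmac"):
                        sa["integrity"] = token
                    else:  # unknown keywords are reported as-is, never guessed
                        sa["cipher"], sa["mode"] = ESP_MODES.get(token, (token, "unknown"))
                sa = None  # sa_trans is the last field this parser needs
    return phase1, phase2

if __name__ == "__main__":
    for phase, records in zip(("Phase 1", "Phase 2"), parse(SAMPLE)):
        print(phase, records)
```
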

 

 

 
