02-17-2008 01:25 PM - edited 03-03-2019 08:45 PM
Hi, sorry this is newish to me and a little unclear, so I hope you can help me understand rather than a link :)
I have a few VPNs connected to my Cisco Concentrator; these remote sites use Cisco 877's on DSL lines. They all use this config example (below) for their VPN, but I believe moving from 3DES/MD5 to AES-256/SHA is better as it's more secure and sometimes quicker?
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key jgC:Gds&85h%1a address 1.2.3.4
!
!
crypto ipsec transform-set MY_T_Set esp-3des esp-md5-hmac
!
crypto map MY_Crypto_Map 10 ipsec-isakmp
set peer 1.2.3.4
set transform-set MY_T_Set
match address 101
So the questions I have are:
1.) What parts of the above config do I need to change to make it more secure using the AES-256/SHA?
2.) Which part is the encryption and which part is the authentication? I take it this is phase 1 and 2?
I'm trying to relate it to the concentrators settings as it uses 3 parts relating to the above config:
Authentication = ESP/MD5/HMAC-128
Encryption = 3DES-168
IKE Proposal = IKE-3DES-MD5
Thanks in advance for clearing this up for me.
02-17-2008 01:34 PM
Hi James
1) The following lines in your config need changing
crypto isakmp policy 1
encr aes 256
hash sha
crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac
2) Not really.
Phase 1 is concerned with setting up a secure channel between the 2 peers so they can communicate.
Phase 1 are your "crypto isakmp policy 1" settings.
Phase 2 is concerned with setting up 2 secure tunnels (IPSEC SA's) for actually transferring the data.
Your crypto map and crypto ipsec transform-set settings are for Phase 2.
AES is used for encryption.
SHA-HMAC is used for the authentication.
HTH
Jon
02-17-2008 01:55 PM
Thanks, so AES-256/sha is better than 3DES/MD5?
02-17-2008 01:57 PM
AES is a newer and more secure encryption algorithm than 3DES.
Of course not all devices currently support AES whereas 3DES is fairly common.
Jon
02-17-2008 01:37 PM
Your config:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key jgC:Gds&85h%1a address 1.2.3.4
!
!
crypto ipsec transform-set MY_T_Set esp-3des esp-md5-hmac
Proposed config:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key jgC:Gds&85h%1a address 1.2.3.4
!
!
crypto ipsec transform-set MY_T_Set esp-aes 256 esp-sha-hmac
____________
More information at:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080194650.shtml
HTH,
__
Edison.
02-17-2008 02:05 PM
Thanks, yours looks different to Jon's he has:
crypto isakmp policy 1
encr aes 256
hash sha
You have
crypto isakmp policy 1
encr aes 256
Which is correct?
02-17-2008 02:39 PM
Both are correct; the default hash is SHA, therefore a missing hash command automatically means you are using SHA.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_i1h.htm#wp1183054
HTH,
__
Edison.
02-17-2008 03:01 PM
Thanks, I need to change my configs on my routers then. Problem is they are all online, what is the best method to remotely change them to AES-256/sha?
While I make the change on the router will the VPN go down?
Or can I somehow create a 2nd crypto policy then delete the 3DES/MD5 one after?
An example would be great.
02-17-2008 04:12 PM
Hi,
1. Remotely access the router without using the VPN
2. Save and back up the current config
3. Schedule a "reload". The timing depends on how long it takes you to make the changes, with time to spare for testing. This is to make sure that if you screw up and are not able to access the router, it will reload with the original config.
4. Remove the Crypto from the interface before applying the change
5. Apply the change
6. Apply the crypto to the interface
7. Test the VPN
8. Cancel the reload
9. save the configuration
Regards,
Dandy
02-17-2008 04:18 PM
I would like to start by commenting on something in the original post. It suggests that:
AES-256/SHA is better as it's more secure and sometimes quicker?
I would observe that AES is probably more secure. But since it is computationally more challenging it is likely to be slower rather than quicker.
If you take out the existing statements and then put in the new statements then the VPN will certainly go down. And that presents quite a challenge in making changes on the remote routers.
One approach to consider would be to configure the new isakmp policy for AES while the existing policy is still in place. Since the isakmp policies have a sequencing number (you used 1 - as many people do) it is easy to have both policies in the config at the same time. Then you can remove the policy for 3DES and leave the policy for AES. Assuming that everything in the new policy is correct on both sides this would change over quickly and with only a minimum disruption.
HTH
Rick
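Putting Dandy's safety-net procedure and Rick's "two policies side by side" approach together, here is what the cutover could look like on one of the 877s. This is an added example, not configuration posted by anyone in the thread; the policy number 5, the transform-set name MY_T_Set_AES, the 20-minute reload timer and the assumption that MY_Crypto_Map is already bound to the WAN interface are mine.

```cisco
! Added example: migrate an existing 3DES/MD5 tunnel to AES-256/SHA without a hard outage.
! Assumed: existing "crypto isakmp policy 1" (3des/md5), transform-set MY_T_Set,
! crypto map MY_Crypto_Map 10, and the map already applied to the WAN interface.

! 1. Safety net (Dandy's step 3): do this from a management path that does NOT run
!    over the tunnel, so a lost session reboots the router into the saved startup-config.
reload in 20
configure terminal

! 2. Phase 1 (Rick's approach): add an AES-256/SHA policy under a second sequence
!    number. Policy 1 stays in place, so nothing is torn down yet.
crypto isakmp policy 5
 encr aes 256
 hash sha
 authentication pre-share
 group 2

! 3. Phase 2: create a new transform set rather than editing the one in use, then
!    list both in the map entry, AES first. The peers negotiate the first set both accept.
crypto ipsec transform-set MY_T_Set_AES esp-aes 256 esp-sha-hmac
crypto map MY_Crypto_Map 10 ipsec-isakmp
 set transform-set MY_T_Set_AES MY_T_Set
end

! 4. Make the matching change on the Concentrator: an IKE proposal of AES-256/SHA
!    and an ESP transform of AES-256 with SHA/HMAC, alongside the existing 3DES/MD5 ones.

! 5. Force renegotiation now instead of waiting for the SA lifetime to expire,
!    then confirm which transform was actually agreed.
clear crypto sa
clear crypto isakmp
show crypto isakmp sa
show crypto ipsec sa

! 6. Once AES is up on both ends, remove the 3DES/MD5 fallbacks (both sides).
!    "set transform-set" replaces the whole list, so only the AES set remains.
configure terminal
no crypto isakmp policy 1
crypto map MY_Crypto_Map 10 ipsec-isakmp
 set transform-set MY_T_Set_AES
no crypto ipsec transform-set MY_T_Set
end

! 7. Cancel the safety net and save only after the tunnel has been verified.
reload cancel
write memory
```

Because the old policy and transform set are removed only after the AES ones have been seen negotiating, there is no need to pull the crypto map off the interface (Dandy's steps 4 and 6). If anything goes wrong before step 7, either fix it within the timer or let the scheduled reload return the router to the saved 3DES/MD5 configuration.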
02-18-2008 05:52 AM
Is it better to use DH5 than DH2 when using AES-256/SHA as well? I have similar requirements to this post.
02-18-2008 08:21 AM
Just FYI regarding performance of AES vs 3DES in a previous post below. It appears that AES is more efficient but I have not tested this myself...
02-18-2008 08:43 AM
Late last year I changed my Firewall S2S and Remote VPN encryption from 3DES/MD5-HMAC to AES-256/SHA-HMAC and saw almost a twofold speed improvement.
My decision to change came after doing thorough research into which combination is more secure and will be supported in the future. Although 3DES is unbreakable (unlike DES), MD5 and SHA1 are breakable. SHA2 has not been exploited, but IPSec uses SHA1. SHA-HMAC addresses the problem of SHA1 alone.
During this research I read some documents saying that some implementations of AES are up to 6x faster than 3DES. I think this is because 3DES has to encrypt the same data three times, which can be a burden on the CPU.
Here are some of the links that explain the difference between AES and 3DES:
http://www.networkworld.com/research/2001/0730feat2.html
Regards,
Dandy
02-18-2008 10:50 AM
Can a Cisco 837 do AES-256/SHA or am I asking too much? Most of my remote sites have 877's, except a couple.
02-18-2008 07:01 PM
Hi,
837 supports IPSec AES in PLUS IMAGE http://www.cisco.com/en/US/products/hw/routers/ps380/prod_bulletin09186a008015d020.html
877 supports IPSec AES in ADVANCED IMAGE http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/product_data_sheet0900aecd8028a976_ps380_Products_Data_Sheet.html
Regards,
Dandy