Solved: Re: L2L IPSec ASA 5515 <-> ISR 2921 established but cannot ping LAN IPs

Anaximander · ‎10-14-2017

Hi All,

I have a Cisco ASA 5515-X in a datacenter that is configured and working well for 7 other VPNs (mostly L2L and one client VPN), and a remote office that has an ISR-2921 that has an established VPN IPsec tunnel to the ASA-5515-X but they can't ping IPs on each others respective LAN segments.

Cabled like this:

Datacenter (10.32.0.0/16) [Company-wide 10.0.0.0/8 is accessible] | 5515-X | ---------- ISP/WAN --------- | ISR-2921 | -----(Port-Channel)----- | Catalyst 2960-X Stack | Remote Office LAN (10.47.0.0/16)

Remote Office ISR-2921

USNYHUB-ISR01#sh run
Building configuration...


Current configuration : 4519 bytes
!
! Last configuration change at 02:40:24 UTC Sat Oct 14 2017 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname USNYHUB-ISR01
!
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.154-3.M8.bin
boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
!
!
! card type command needed for slot/vwic-slot 0/0
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network default local 
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name hub.us.dc.[companyname].com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
cts logging verbose
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn [omitted]
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
!
redundancy
!
!
!
!
!
! 
crypto isakmp key [omitted] address  [ASA 5515-X in Datacenter public IP]    255.255.255.224
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac 
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 set peer [ASA 5515-X in Datacenter public IP]
 set transform-set ASA-IPSEC 
 match address 120
!
!
!
!
!
interface Port-channel1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 ip address 10.47.1.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.3
 description ** Server INT VLAN ** 
 encapsulation dot1Q 3
 ip address 10.47.3.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.65
 description ** Met VLAN **
 encapsulation dot1Q 65
 ip address 10.47.65.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.68
 description ** Information Technology VLAN ** 
 encapsulation dot1Q 68
 ip address 10.47.68.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.1000
 description ** Management VLAN **
 encapsulation dot1Q 1000
 ip address 10.47.0.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address [router public IP] 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface ucse1/0
 no ip address
 shutdown
!
interface ucse1/1
 no ip address
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 [next hop for remote office router] 2
!
ip access-list standard ssh-access
[omitted]
!
!
route-map nonat permit 10
 match ip address 130
!
!
access-list 100 remark ** [Control NAT Service] **
access-list 100 permit ip 10.47.0.0 0.0.255.255 any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 120 remark SDM_ACL Category=4
access-list 120 remark IPSec Rule
access-list 120 permit ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 130 deny   ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 130 permit ip 10.47.0.0 0.0.255.255 any
!
!
!
control-plane
!
 !
 !
 !
 !
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default

USNYHUB-ISR01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
[remote office public IP]       [datacenter 5515-X public IP]    QM_IDLE           1317 ACTIVE

USNYHUB-ISR01#sh crypto ipsec sa  

interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr [remote office public IP]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.32.0.0/255.248.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 238, #pkts decrypt: 238, #pkts verify: 238
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

          local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xCB7BD220(3413889568)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xED8A2444(3985253444)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2297, flow_id: Onboard VPN:297, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4177751/1994)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCB7BD220(3413889568)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2298, flow_id: Onboard VPN:298, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4177783/1994)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.240.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 99, #pkts decrypt: 99, #pkts verify: 99
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

          local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x390A651(59811409)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x506674B9(1348891833)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2301, flow_id: Onboard VPN:301, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4206780/3410)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x390A651(59811409)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2302, flow_id: Onboard VPN:302, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4206792/3410)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

         local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.16.0.0/255.240.0.0/0/0)
   current_peer [datacenter 5515-X public IP] port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [remote office public IP], remote crypto endpt.: [datacenter ASA 5515-X public IP]
     plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x920C0D67(2450263399)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x406BF6B7(1080817335)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2305, flow_id: Onboard VPN:305, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4309021/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x920C0D67(2450263399)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2306, flow_id: Onboard VPN:306, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4309021/3568)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Datacenter 5515-X:

USNJDC1-C0VPN01/pri/act# sh crypto isakmp 

IKEv1 SAs:

   Active SA: 5
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: [remote office public IP]
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 

USNJDC1-C0VPN01/pri/act# sh crypto ipsec sa 
interface: VPN-FRONTED
    Crypto map tag: Remote-Site, seq num: 8, local addr: [datacenter 5515-X public IP]

      access-list VPN-FRONTED_cryptomap_2 extended permit ip 10.0.0.0 255.240.0.0 10.47.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (ATVIEDC1/255.240.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
      current_peer: [remote office public IP]


      #pkts encaps: 1456, #pkts encrypt: 1456, #pkts digest: 1456
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1456, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: [datacenter ASA-5515-X public IP], remote crypto endpt.: [remote office public IP]
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 506674B9
      current inbound spi : 0390A651
              
    inbound esp sas:
      spi: 0x0390A651 (59811409)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4374000/638)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x506674B9 (1348891833)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4373891/638)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    Crypto map tag: Remote-Site, seq num: 8, local addr: [Datacenter ASA-5515X public IP]

      access-list VPN-FRONTED_cryptomap_2 extended permit ip 10.16.0.0 255.240.0.0 10.47.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.16.0.0/255.240.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
      current_peer: [remote office public IP]


      #pkts encaps: 529, #pkts encrypt: 529, #pkts digest: 529
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 529, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: [datacenter ASA-5515-X public IP], remote crypto endpt.: [remote office public IP]
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 406BF6B7
      current inbound spi : 920C0D67

    inbound esp sas:
      spi: 0x920C0D67 (2450263399)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4374000/787)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x406BF6B7 (1080817335)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4373964/787)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    Crypto map tag: Remote-Site, seq num: 8, local addr: [datacenter 5515-X public IP]

      access-list VPN-FRONTED_cryptomap_2 extended permit ip 10.32.0.0 255.248.0.0 10.47.0.0 255.255.0.0 
      local ident (addr/mask/prot/port): (10.32.0.0/255.248.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.47.0.0/255.255.0.0/0/0)
      current_peer: [remote office public IP]


      #pkts encaps: 118, #pkts encrypt: 118, #pkts digest: 118
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 118, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: [datacenter ASA-5515-X public IP], remote crypto endpt.: [remote office public IP]
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EDBBB168
      current inbound spi : 0B74566C

    inbound esp sas:
      spi: 0x0B74566C (192173676)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4374000/2809)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xEDBBB168 (3988500840)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 14102528, crypto-map: Remote-Site
         sa timing: remaining key lifetime (kB/sec): (4373990/2809)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

I noticed from the show crypto commands that the datacenter ASA 5515-X is encrypting and sending packets, and the ISR-2921 is recieving and decrypting them... but the ISR-2921 is not encrypting and sending packets to the ASA 5515-X. Do I need to add a static route to the ISR-2921 Gi0/0?

Thanks in advance for your time and any help you may be able to provide.

Georg Pauwen · ‎10-14-2017

Hello,

at first glance, it looks like you are missing the deny statement in your NAT access list for the IPSec traffic. Try and add the line below (in bold):

access-list 100 deny ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.47.0.0 0.0.255.255 any

View solution in original post

Georg Pauwen · ‎10-14-2017

Hello,

at first glance, it looks like you are missing the deny statement in your NAT access list for the IPSec traffic. Try and add the line below (in bold):

access-list 100 deny ip 10.47.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.47.0.0 0.0.255.255 any

Richard Burts · ‎10-14-2017

The output on both devices is quite clear that you have one way traffic through the VPN. One thing that causes this symptom is an issue with address translation. Here is the access list on the router to control address translation:

access-list 100 remark ** [Control NAT Service] **
access-list 100 permit ip 10.47.0.0 0.0.255.255 any

and this says that any traffic from 10.47.anything to anything should be translated. I believe that you should deny traffic going through the VPN and then permit everything else.

HTH

Rick

HTH

Rick

Anaximander · ‎10-18-2017

Hi Georg Pauwen and Richard Burts,

Thank you very much for your time and help. That worked! The tunnel is fully working now and I can ping/ssh/navigate to all of our internal resources as if I were on the network exactly as I expected!

One thing my superiors noticed/commented on was the the tunnel is using DES encryption instead of AES, they mentioned that DES is insecure. How do I change the tunnel to use AES (preferably by configuring the ISR-2921 side only).

Thanks again for your time, you were both very helpful!

Georg Pauwen · ‎10-18-2017

Hello,

the short answer is: if you want to change the encryption from DES to AES, you need to do it on both sides, otherwise the link won't be established.

Check the crypto policies on both sides and replace des with aes ('encryption aes' command)...

Anaximander · ‎10-20-2017

What I did was enter the command:

crypto ipsec transform-set ASA-IPSEC esp-aes 256 esp-sha-hmac

That affected the previous sh run output from:
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
mode tunnel
!

Changing it to the current config:
!
crypto ipsec transform-set ASA-IPSEC esp-aes 256 esp-sha-hmac
mode tunnel
!

Then reloaded the router. Now I believe we're more secure, I'd like it to be as secure as possible, ideally.

plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x918E325B(2442015323)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xDECA8E91(3737816721)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4219313/2186)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x918E325B(2442015323)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4219345/2186)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

Richard Burts · ‎10-23-2017

I am glad that you have worked out the solution and that the VPN is now working as you expect. This output confirms that you are now using AES 256 and this does provide a better level of security that the DES that you were using before.

inbound esp sas:
spi: 0xDECA8E91(3737816721)
transform: esp-256-aes esp-sha-hmac ,

HTH

Rick

HTH

Rick