Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
6
Replies

Site2site showing IKE using DES

Go to solution
Diego Maciel Gomes
Level 1
Level 1

‎03-19-2013 05:27 PM

Hello all,

I have a doubt. When I go to Monitoring, VPN, and check for Site2Site, it shows me IKE using DES..

I want to use 3DES... what can I do for it???

Follow my config:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 3 match address outside_1_cryptomap

crypto map outside_map 3 set peer FWL_M

crypto map outside_map 3 set transform-set ESP-AES-128-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

management-access inside

vpdn group Internet request dialout pppoe

vpdn group Internet localname user@user.com

vpdn group Internet ppp authentication pap

vpdn username user@user.com password ***

dhcpd auto_config outside

!

dhcpd address 192.168.90.10-192.168.90.40 inside

dhcpd dns 192.168.100.8 192.168.100.1 interface inside

dhcpd domain user.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption 3des-sha1 rc4-md5 aes256-sha1 des-sha1

webvpn

username frank password L0uOq1bmhJfENgddqrrvDFaoG encrypted privilege 15

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key ********

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:c218dadd6c07eb8af7070ae2db80d7e2

Follow attach too.

Thanks!!!

Diego

Labels:
Preview file
3 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Andrew Phirsov
Level 7
Level 7

‎03-19-2013 10:24 PM 

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2

You have crypto-isakmp policy with DES configured with lower priority/sequence number (10), and with 3DES - wit number 30. In order for policy with 3DES to take precedence you should set it with number lower then 10. Do this:

no crypto isakmp policy 30

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Andrew Phirsov
Level 7
Level 7

‎03-19-2013 10:24 PM 

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2

You have crypto-isakmp policy with DES configured with lower priority/sequence number (10), and with 3DES - wit number 30. In order for policy with 3DES to take precedence you should set it with number lower then 10. Do this:

no crypto isakmp policy 30

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
0 Helpful

Go to solution
Diego Maciel Gomes
Level 1
Level 1
In response to Andrew Phirsov

‎03-20-2013 05:11 AM

Hi Andrew,

Thanks for help. I understand about the priority but the other peer of VPN is ASA too, and it has the same priority, so, I used the same way...

This ASA didnt have 3DES activated, so I activated it and created the priority basead on other ASA, the peer of VPN.

In that other ASA, I have another site2site with another peer and it works fine, with 3DES..

Anyway, I will try to change the priority.

I keep in touch!

Thanks

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎03-19-2013 11:40 PM

Instead of changing the priorities I would investigate if the DES-policy is really needed. If not, then better delete that one. Also with a lower priority (which means higher number), the policy could be used if the peer prefers DES and is the IPSec responder.

In addition to that I always delete the ipsec-transforms that I don't want to use any more (everything with MD5 and DES).


Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
Diego Maciel Gomes
Level 1
Level 1
In response to Karsten Iwen

‎03-20-2013 05:22 AM

Hey Karsten!!

Thanks for answer too!

I read that 3DES isnt secure anymore, because of it, I changed to AES128 to get for secure and dont loss performance...

I agree with delete DES..

Why do you thing about it???

And anything to comment about MD5 and SHA?

Regards!

Diego

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Diego Maciel Gomes

‎03-20-2013 05:39 AM

3DES is still considered quite secure. But it's a legacy algorithm so I try to avoid that. Same for MD5. SHA1 won't go away that soon as it's the most common hash that is available on all versions that you could connect to. The newer SHA-256 and higher are not yet so common in general.

My typical choices that are compatible with nearly every device are:

AES128, SHA-1, DH-Group5

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Diego Maciel Gomes
Level 1
Level 1

‎03-21-2013 05:32 AM

Well,

I did the test yesterday and it worked percetly! I changed the priority and OK.

Thanks Andrew, Thanks Karsten!

Diego

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents