03-19-2013 05:27 PM
Hello all,
I have a doubt. When I go to Monitoring, VPN, and check for Site2Site, it shows me IKE using DES.
I want to use 3DES... what can I do for it???
My config follows:
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address outside_1_cryptomap
crypto map outside_map 3 set peer FWL_M
crypto map outside_map 3 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
management-access inside
vpdn group Internet request dialout pppoe
vpdn group Internet localname user@user.com
vpdn group Internet ppp authentication pap
vpdn username user@user.com password ***
dhcpd auto_config outside
!
dhcpd address 192.168.90.10-192.168.90.40 inside
dhcpd dns 192.168.100.8 192.168.100.1 interface inside
dhcpd domain user.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 rc4-md5 aes256-sha1 des-sha1
webvpn
username frank password L0uOq1bmhJfENgddqrrvDFaoG encrypted privilege 15
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c218dadd6c07eb8af7070ae2db80d7e2
See the attachment too.
Thanks!!!
Diego
03-19-2013 10:24 PM
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
You have the crypto isakmp policy with DES configured with the lower priority/sequence number (10), and the one with 3DES with number 30. In order for the policy with 3DES to take precedence you should set it with a number lower than 10. Do this:
no crypto isakmp policy 30
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
03-20-2013 05:11 AM
Hi Andrew,
Thanks for the help. I understand about the priority, but the other peer of the VPN is an ASA too, and it has the same priority, so I used the same way...
This ASA didn't have 3DES activated, so I activated it and created the priority based on the other ASA, the peer of the VPN.
In that other ASA, I have another site2site with another peer and it works fine, with 3DES..
Anyway, I will try to change the priority.
I keep in touch!
Thanks
03-19-2013 11:40 PM
Instead of changing the priorities I would investigate if the DES-policy is really needed. If not, then better delete that one. Also with a lower priority (which means higher number), the policy could be used if the peer prefers DES and is the IPSec responder.
In addition to that I always delete the ipsec-transforms that I don't want to use any more (everything with MD5 and DES).
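To make the two points above concrete (Andrew's: the lower policy number wins; Karsten's: as long as a DES policy exists on either side, DES can still be negotiated depending on which peer responds), here is an added example that is not part of the thread and not Cisco code. It parses the "crypto isakmp policy" blocks from Diego's post (embedded below as a constructed sample), then models the IKEv1 responder-side selection as Cisco documents it: the responder walks its own policies in priority order and takes the first one that any of the initiator's proposals matches on encryption, hash, authentication and DH group, with the shorter lifetime winning. The matching rule and the 86400-second default lifetime are assumptions taken from Cisco's documentation, not from the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three isakmp policies from the original post.
ORIGINAL_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Andrew's change: "no crypto isakmp policy 30" plus the same body as policy 5.
FIXED_CONFIG = ORIGINAL_CONFIG.replace("crypto isakmp policy 30", "crypto isakmp policy 5")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int           # lower number is evaluated first
    encryption: str
    hash_alg: str
    authentication: str
    group: str
    lifetime: int = 86400   # assumed ASA default when the line is omitted


def parse_isakmp_policies(config: str) -> List[IsakmpPolicy]:
    """Turn 'crypto isakmp policy N' blocks into policies sorted by priority."""
    blocks: List[Dict[str, str]] = []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            blocks.append({"priority": parts[3]})
        elif blocks and parts[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            blocks[-1][parts[0]] = parts[1]
    policies = [
        IsakmpPolicy(
            priority=int(b["priority"]),
            encryption=b["encryption"],
            hash_alg=b["hash"],
            authentication=b["authentication"],
            group=b["group"],
            lifetime=int(b.get("lifetime", 86400)),
        )
        for b in blocks
    ]
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: List[IsakmpPolicy],
              responder: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Responder picks its own highest-priority policy that any initiator proposal
    matches (assumed Cisco IKEv1 behaviour). Returns (chosen policy, lifetime)."""
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            same_suite = (i.encryption, i.hash_alg, i.authentication, i.group) == \
                         (r.encryption, r.hash_alg, r.authentication, r.group)
            if same_suite and i.lifetime <= r.lifetime:
                return r, min(i.lifetime, r.lifetime)
    return None


def without_policy(policies: List[IsakmpPolicy], priority: int) -> List[IsakmpPolicy]:
    """Equivalent of 'no crypto isakmp policy <priority>'."""
    return [p for p in policies if p.priority != priority]


def scenarios() -> Dict[str, Optional[str]]:
    """Negotiated phase-1 encryption for the configurations discussed in the thread."""
    original = parse_isakmp_policies(ORIGINAL_CONFIG)
    fixed = parse_isakmp_policies(FIXED_CONFIG)       # Andrew's reordering
    hardened = without_policy(fixed, 10)              # Karsten's advice: drop the DES policy

    def enc(initiator, responder):
        result = negotiate(initiator, responder)
        return result[0].encryption if result else None

    return {
        "both peers original": enc(original, original),
        "both peers fixed": enc(fixed, fixed),
        "fixed ASA initiates, original peer responds": enc(fixed, original),
        "hardened ASA initiates, original peer responds": enc(hardened, original),
        "hardened ASA responds, original peer initiates": enc(original, hardened),
    }


if __name__ == "__main__":
    for name, chosen in scenarios().items():
        print(f"{name:48s} -> {chosen}")
```

The third scenario is the one Karsten warns about: even after the reordering, if the unchanged peer is the responder its own DES policy at 10 is still the first match, so DES comes back. Removing the DES policy outright (the last two scenarios) gives 3DES regardless of which side initiates.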
03-20-2013 05:22 AM
Hey Karsten!!
Thanks for answer too!
I read that 3DES isn't secure anymore, because of that I changed to AES128 to be more secure and not lose performance...
I agree with deleting DES..
What do you think about it???
And anything to comment about MD5 and SHA?
Regards!
Diego
03-20-2013 05:39 AM
3DES is still considered quite secure. But it's a legacy algorithm so I try to avoid that. Same for MD5. SHA1 won't go away that soon as it's the most common hash that is available on all versions that you could connect to. The newer SHA-256 and higher are not yet so common in general.
My typical choices that are compatible with nearly every device are:
AES128, SHA-1, DH-Group5
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
03-21-2013 05:32 AM
Well,
I did the test yesterday and it worked perfectly! I changed the priority and OK.
Thanks Andrew, Thanks Karsten!
Diego