cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
434
Views
15
Helpful
5
Replies
Alex Ribas
Beginner

Cisco ASA 9.15 Message 3DES configuration under crypto ikev1 policy encryption is insecure VPN

Hi

When I tried enable this 3des I got this Warning and I did see 3des in my transform-set

.

WARNING: 3DES configuration under crypto ikev1 policy encryption is insecure. Converted to AES. Please check release notes for details.

 

crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800

 

 

crypto ipsec ikev1 transform-set XXXXXX   esp-aes esp-sha-hmac


XXXXX (config)# crypto ipsec ikev1 transform-set xxxxxx   ?

esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
mode mode transport

 

 

Someone got this error?

 

Cisco 5516-x


Cisco Adaptive Security Appliance Software Version 9.15(1)1

 

Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 8 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
VPN Load Balancing : Enabled perpetual

 

Thank you

Alex

 

 

3 ACCEPTED SOLUTIONS

Accepted Solutions
Rob Ingram
VIP Mentor

@Alex Ribas 

3DES is weak and insecure, and depreciated in 9.15.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html

 

The IKEv1 policy refers to the algorithms used to establish the IKE SA whereas the Transform Set refers to algorithms used to establish the IPSec SA.

 

You need to amend your IKEv1 policy to use AES encryption, you should also consider using a DH group other than 1,2, 5 or 24 as they are weak also. 2 and 24 have also been depreciated in 9.15.

 

You could also consider using IKEv2 which supports the latest and most secure algorithms, compared to IKEv1.

https://tools.cisco.com/security/center/resources/next_generation_cryptography

 

View solution in original post

Rob Ingram
VIP Mentor

@Alex Ribas 

Yes, you will definately need to ensure the peer is reconfigured to use the newer algorithms.

 

HTH

View solution in original post

Rob Ingram
VIP Mentor

@Alex Ribas 

Yes, those algorithms are acceptable. Just ensure the peer supports them, I'd be suprised if they didnt.

View solution in original post

5 REPLIES 5
Rob Ingram
VIP Mentor

@Alex Ribas 

3DES is weak and insecure, and depreciated in 9.15.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html

 

The IKEv1 policy refers to the algorithms used to establish the IKE SA whereas the Transform Set refers to algorithms used to establish the IPSec SA.

 

You need to amend your IKEv1 policy to use AES encryption, you should also consider using a DH group other than 1,2, 5 or 24 as they are weak also. 2 and 24 have also been depreciated in 9.15.

 

You could also consider using IKEv2 which supports the latest and most secure algorithms, compared to IKEv1.

https://tools.cisco.com/security/center/resources/next_generation_cryptography

 

View solution in original post

Hi Rob

Thank you.

In my case we have clients in another PEER already configured (it's working), I'll replace the old hardware 5510 to the new 5516-x IOs 9.15

 

I need request the remote sites (clients) change the configuration as well?

 

Thank you.

Alex

 

 

 

 

Rob Ingram
VIP Mentor

@Alex Ribas 

Yes, you will definately need to ensure the peer is reconfigured to use the newer algorithms.

 

HTH

View solution in original post

Thank you Rob

 

I updated in red

 

I think we be fine on it.

 

crypto ipsec ikev1 transform-set xxxxxxxx esp-3des esp-sha-hmac    (before)

crypto ipsec ikev1 transform-set XXXXXX esp-aes-256 esp-sha-hmac (now)

 

before

crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800

 

now

crypto ikev1 enable outside2
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 28800

 

What do you think?

 

Rob Ingram
VIP Mentor

@Alex Ribas 

Yes, those algorithms are acceptable. Just ensure the peer supports them, I'd be suprised if they didnt.

View solution in original post

Content for Community-Ad