04-13-2021 01:22 PM
Hi
When I tried to enable 3DES I got this warning, and I did see 3DES in my transform-set.
WARNING: 3DES configuration under crypto ikev1 policy encryption is insecure. Converted to AES. Please check release notes for details.
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
crypto ipsec ikev1 transform-set XXXXXX esp-aes esp-sha-hmac
XXXXX (config)# crypto ipsec ikev1 transform-set xxxxxx ?
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
mode mode transport
Someone got this error?
Cisco 5516-x
Cisco Adaptive Security Appliance Software Version 9.15(1)1
Failover cluster licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 8 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
VPN Load Balancing : Enabled perpetual
Thank you
Alex
04-13-2021 01:28 PM - edited 04-13-2021 01:47 PM
3DES is weak and insecure, and deprecated in 9.15.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html
The IKEv1 policy refers to the algorithms used to establish the IKE SA whereas the Transform Set refers to algorithms used to establish the IPSec SA.
You need to amend your IKEv1 policy to use AES encryption. You should also consider using a DH group other than 1, 2, 5 or 24, as they are weak as well; 2 and 24 have also been deprecated in 9.15.
You could also consider using IKEv2 which supports the latest and most secure algorithms, compared to IKEv1.
https://tools.cisco.com/security/center/resources/next_generation_cryptography
04-14-2021 02:08 AM
Hi Rob
Thank you.
In my case we have clients on another peer already configured (it's working). I'll replace the old hardware, a 5510, with the new 5516-X running IOS 9.15.
Do I need to request that the remote sites (clients) change their configuration as well?
Thank you.
Alex
04-14-2021 02:21 AM
Yes, you will definitely need to ensure the peer is reconfigured to use the newer algorithms.
HTH
04-14-2021 02:51 AM
Thank you Rob
I updated in red
I think we'll be fine with it.
crypto ipsec ikev1 transform-set xxxxxxxx esp-3des esp-sha-hmac (before)
crypto ipsec ikev1 transform-set XXXXXX esp-aes-256 esp-sha-hmac (now)
before
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
now
crypto ikev1 enable outside2
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 28800
What do you think?
04-14-2021 03:18 AM
Yes, those algorithms are acceptable. Just ensure the peer supports them, I'd be surprised if they didn't.
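As an added example (not code from the thread or from Cisco), a small audit script that applies Rob's distinction between the IKEv1 policy (IKE SA) and the transform-set (IPsec SA) to an ASA config snippet and flags the weak settings discussed above: DES/3DES/null encryption, MD5, and DH groups 1, 2, 5 and 24. SHA-1 ("sha") is deliberately not flagged, matching Rob's view that Alex's aes-256/sha/group 14 policy is acceptable. The two sample configs are constructed from Alex's "before" and "now" lines; the function name and the weak-algorithm sets are this example's own.

```python
import re

# Algorithms the thread and the ASA 9.15 release notes treat as weak or deprecated.
WEAK_ALGS = {"des", "3des", "esp-des", "esp-3des", "esp-null", "md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5", "24"}


def audit_asa_crypto(config: str) -> list[str]:
    """Return one finding per weak setting in IKEv1 policies and IPsec transform-sets."""
    findings, policy = [], None  # policy = number of the ikev1 policy block we are in
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto"):
            policy = None  # any top-level crypto command ends the previous policy block
            if m := re.match(r"crypto ikev1 policy (\d+)$", line):
                policy = m.group(1)
            elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
                for alg in m.group(2).split():  # e.g. esp-3des esp-sha-hmac
                    if alg in WEAK_ALGS:
                        findings.append(f"transform-set {m.group(1)}: weak algorithm {alg}")
            continue
        parts = line.split()
        if policy is None or len(parts) < 2:
            continue  # blank line or a line outside any ikev1 policy block
        key, value = parts[0], parts[1]
        if key in ("encryption", "hash") and value in WEAK_ALGS:
            findings.append(f"ikev1 policy {policy}: weak {key} {value}")
        elif key == "group" and value in WEAK_DH_GROUPS:
            findings.append(f"ikev1 policy {policy}: weak DH group {value}")
    return findings


# Constructed samples reproducing Alex's "before" and "now" settings from the thread.
BEFORE_CONFIG = """
crypto ipsec ikev1 transform-set xxxxxxxx esp-3des esp-sha-hmac
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 28800
"""
AFTER_CONFIG = """
crypto ipsec ikev1 transform-set XXXXXX esp-aes-256 esp-sha-hmac
crypto ikev1 enable outside2
crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
"""
```

Running `audit_asa_crypto(BEFORE_CONFIG)` reports the 3DES transform-set, the 3DES policy encryption and DH group 1; the "now" config produces no findings.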