Encryption supported between Cisco ASR1002-x and Juniper SRX

Hi,

We are trying to establish a site-to-site VPN with one of our partner networks. We were able to establish VPN connectivity using only the 3DES encryption method; when we try to use AES-256, the tunnel is not established. At our end we are using an ASR1002-x; at the partner end they are using a Juniper SRX.

Cisco no longer recommends using 3DES, but when we try to use AES it does not work. Is there any compatibility issue between these devices when using AES, or can we try IKEv2 along with AES-CBC or GCM encryption methods, and will that be supported between the Cisco ASR and the Juniper SRX?

Please advise on this situation. If there is no other way, do we need to go with 3DES only?

Thanks in advance.


dhgoel
Cisco Employee

Hey Abushayeed,

 

Please find the relevant doc for IOS-XE NGE Product technote: NGE Support.

There should not be any problem with AES-256 as there are no compatibility issues on this matter.

Attach isakmp and ipsec debugs if possible.

 

Thanks for the reply. As we have already established the tunnel, we need some downtime to perform the change and debug.

Are there any other criteria we need to follow, like DH group, lifetime, etc., in the crypto configuration?

Could you please let me know what other details are required for troubleshooting?

Is it working now with AES-256, or are you planning to take a downtime for the same?
Regarding the DH group, it has to be the same on both sides, be it in Phase 1 or Phase 2.
Refer to this doc for troubleshooting purposes:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/113594-trouble-ios-ike-00.html

Hi,

Now it is working with 3DES. In order to test with AES-256 we need downtime.
Not working with AES-256:
------------------------
crypto ipsec transform-set <name> esp-aes 256 esp-sha256-hmac
mode tunnel

Not working with 3DES:
---------------------
crypto ipsec transform-set <name> esp-3des esp-sha256-hmac
mode tunnel

And we are using a crypto map. Also, please let me know when to use tunnel mode and when to use transport mode.
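Added example, not part of the thread or of either vendor's tooling: a pre-change check that normalizes the Phase 2 settings from an IOS-XE transform-set and crypto map and from Junos `set security ipsec` lines, then lists every parameter that differs, since encryption, integrity and DH/PFS group all have to match on both peers. The names TS, CMAP, P2 and POL and both sample configurations are constructed for illustration and are not the poster's or the partner's actual settings.

```python
import re

# Vendor keyword -> neutral name (only the keywords this example handles).
CISCO_ENC = {"esp-3des": "3des-cbc", "esp-aes": "aes-128-cbc",
             "esp-aes 192": "aes-192-cbc", "esp-aes 256": "aes-256-cbc"}
CISCO_AUTH = {"esp-sha-hmac": "hmac-sha1", "esp-sha256-hmac": "hmac-sha256"}
JUNOS_AUTH = {"hmac-sha1-96": "hmac-sha1", "hmac-sha-256-128": "hmac-sha256"}

# Constructed sample configurations (assumptions, not from the thread).
CISCO_SAMPLE = """crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set pfs group14
"""
JUNOS_SAMPLE = """set security ipsec proposal P2 protocol esp
set security ipsec proposal P2 encryption-algorithm 3des-cbc
set security ipsec proposal P2 authentication-algorithm hmac-sha-256-128
set security ipsec policy POL perfect-forward-secrecy keys group2
"""

def parse_cisco(cfg):
    """Extract Phase 2 encryption, integrity and PFS group from IOS-XE text."""
    out = {"enc": None, "auth": None, "pfs": None}
    m = re.search(r"crypto ipsec transform-set \S+ "
                  r"(esp-3des|esp-aes(?: (?:192|256))?) (esp-\S+-hmac)", cfg)
    if m:
        out["enc"] = CISCO_ENC[m.group(1)]
        out["auth"] = CISCO_AUTH.get(m.group(2), m.group(2))
    m = re.search(r"^\s*set pfs (group\d+)", cfg, re.M)
    if m:
        out["pfs"] = m.group(1)
    return out

def parse_junos(cfg):
    """Extract the same three values from Junos 'set' style configuration."""
    out = {"enc": None, "auth": None, "pfs": None}
    patterns = (("enc", r"ipsec proposal \S+ encryption-algorithm (\S+)"),
                ("auth", r"ipsec proposal \S+ authentication-algorithm (\S+)"),
                ("pfs", r"ipsec policy \S+ perfect-forward-secrecy keys (\S+)"))
    for key, pat in patterns:
        m = re.search(pat, cfg)
        if m:
            out[key] = JUNOS_AUTH.get(m.group(1), m.group(1))
    return out

def mismatches(a, b):
    """Return {parameter: (side_a, side_b)} for every value that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    print(mismatches(parse_cisco(CISCO_SAMPLE), parse_junos(JUNOS_SAMPLE)))
```
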