IPSEC VPN using AES256 SHA256 not establishing 887VA

stuart.pannell
Level 3

Hi all, I have set up an IPsec VPN between 2 routers in a lab environment, as I wasn't able to get this to work in my live environment, and I am seeing the same issues:

1/ I set up 2 887VA routers with the following, and this works:

Router 1
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 192.168.0.2
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map aesmap 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set aesset
 match address 120


access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255


ip route 0.0.0.0 0.0.0.0 Vlan1

interface Vlan1 ## point-to-point connection to router 2 ##
 ip address 192.168.0.1 255.255.255.252
 crypto map aesmap
end

interface Vlan2
 ip address 10.0.0.1 255.255.255.0
 no autostate
end

interface FastEthernet1
 mtu 1452
 no ip address
end

Router 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 192.168.0.1
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map aesmap 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set aesset
 match address 120


access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255


ip route 0.0.0.0 0.0.0.0 Vlan1

interface Vlan1 ## point-to-point connection to router 1 ##
 ip address 192.168.0.2 255.255.255.252
 crypto map aesmap
end

interface Vlan2
 ip address 10.0.1.1 255.255.255.0
 no autostate
end

interface FastEthernet1
 mtu 1452
 no ip address
end


My issue is when I try to change the line "crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac" on both routers to be "crypto ipsec transform-set aesset esp-aes 256 esp-sha256-hmac"

Changing the transform-set to be stronger using SHA-256 appears to break the routers; they become slow to respond and the VPN fails to establish at stage 2.

Would I be right in thinking that the 887 routers are unable to support "crypto ipsec transform-set aesset esp-aes 256 esp-sha256-hmac"?

My live environment was the same, with a Check Point firewall being one of the endpoints and the 887 being the remote end.
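Before blaming the platform, a practitioner would first rule out the ordinary reasons a crypto-map tunnel stalls at Phase 1 or Phase 2: an ISAKMP policy or transform-set that differs between the peers, a "set peer" that does not point at the far side's crypto-map interface, or a crypto ACL that is not the mirror image of the peer's. The Python script below is an added example, not code from this thread or from Cisco. It parses the two configurations posted above (pre-shared key redacted as in the post; router 2 is built as the mirror image of router 1, which is exactly what the post shows), reports any such mismatch, and separately flags legacy algorithms. The LEGACY table (DH group 2 being 1024-bit MODP, esp-sha-hmac being HMAC-SHA-1, and so on) is general Cisco IOS knowledge, not something the post states. The parser assumes one ISAKMP policy, one transform-set and one crypto ACL per router, as in the post.

```python
"""Audit two Cisco IOS crypto-map peers for settings that must agree and
for legacy algorithms.  Added example, not code from the thread; the
sample configuration below is the one pasted in the post (key redacted)."""
import re

# Constructed input: router 1 from the post, restricted to the crypto-relevant lines.
ROUTER1 = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 192.168.0.2
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map aesmap 10 ipsec-isakmp
 set peer 192.168.0.2
 set transform-set aesset
 match address 120
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
interface Vlan1
 ip address 192.168.0.1 255.255.255.252
 crypto map aesmap
"""
# Router 2 in the post is the mirror image: same policy, transform-set and
# ACL, with the two point-to-point addresses swapped.
ROUTER2 = (ROUTER1.replace("192.168.0.2", "@")
                  .replace("192.168.0.1", "192.168.0.2")
                  .replace("@", "192.168.0.1"))

# IOS keywords a practitioner would flag (general facts, not from the post).
LEGACY = {
    "group 1": "768-bit MODP DH", "group 2": "1024-bit MODP DH", "group 5": "1536-bit MODP DH",
    "hash md5": "MD5", "hash sha": "SHA-1",
    "esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA-1", "esp-des": "DES", "esp-3des": "3DES",
}


def parse(text):
    """Extract the fields that must agree between the two peers.
    Assumes one ISAKMP policy, one transform-set and one crypto ACL, as in the post."""
    cfg = {"policy": {}, "transform": [], "mode": None, "peer": None, "local": None, "acl": []}
    block = ""
    for line in text.splitlines():
        if line and not line.startswith(" "):
            block = line.strip()                  # start of a new top-level stanza
        if block.startswith("crypto isakmp policy"):
            if m := re.match(r" (encr|hash|authentication|group) (.+)", line):
                cfg["policy"][m.group(1)] = m.group(2).strip()
        elif block.startswith("crypto ipsec transform-set"):
            if m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
                cfg["transform"] = m.group(1).split()
            elif m := re.match(r" mode (\S+)", line):
                cfg["mode"] = m.group(1)
        elif block.startswith("crypto map"):
            if m := re.match(r" set peer (\S+)", line):
                cfg["peer"] = m.group(1)
        elif block.startswith("access-list"):
            if m := re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line):
                cfg["acl"].append(m.groups())
        elif block.startswith("interface"):
            if m := re.match(r" ip address (\S+) ", line):
                cfg["ip"] = m.group(1)
            elif line.strip().startswith("crypto map"):
                cfg["local"] = cfg.get("ip")      # address of the interface the map is bound to
    return cfg


def audit(a_text, b_text):
    """Return (mismatches, warnings). A mismatch stops Phase 1 or Phase 2 from
    negotiating; a warning is a legacy algorithm that still negotiates."""
    a, b = parse(a_text), parse(b_text)
    mismatches, warnings = [], []
    for f in ("encr", "hash", "authentication", "group"):
        if a["policy"].get(f) != b["policy"].get(f):
            mismatches.append(f"phase 1 {f}: {a['policy'].get(f)} vs {b['policy'].get(f)}")
    if a["transform"] != b["transform"] or a["mode"] != b["mode"]:
        mismatches.append(f"phase 2 transform-set: {a['transform']} vs {b['transform']}")
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        mismatches.append("set peer does not match the far side's crypto-map interface")
    for src, swc, dst, dwc in a["acl"]:          # crypto ACLs must be mirror images
        if (dst, dwc, src, swc) not in b["acl"]:
            mismatches.append(f"crypto ACL entry not mirrored on peer: {src} {swc} -> {dst} {dwc}")
    for side, cfg in (("A", a), ("B", b)):
        used = [f"{k} {v}" for k, v in cfg["policy"].items()] + cfg["transform"]
        warnings += [f"{side}: {u} ({LEGACY[u]})" for u in used if u in LEGACY]
    return mismatches, warnings


if __name__ == "__main__":
    mism, warn = audit(ROUTER1, ROUTER2)
    print("mismatches:", mism or "none")
    for w in warn:
        print("warning:", w)
```

On the posted configurations the script reports no mismatch and two warnings per side (group 2 and esp-sha-hmac), which is consistent with the thread: the tunnel only fails after both sides are changed to esp-sha256-hmac, so a clean audit here points away from a configuration error. Changing the transform-set on one side only produces a single Phase 2 mismatch, which is the symptom a practitioner would expect from an operator error rather than a platform problem.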


2 Replies

stuart.pannell
Level 3

Just in case anyone else comes across this, it's an IOS bug and needs upgrading to 15.4(3)M or above.

Yes, I have the exact same problem running "esp-aes 256 esp-sha256-hmac" on the crypto IPsec transform-set. Current IOS on the 2911 router: 15.5(3)M.

I'll downgrade to 15.4(3)M and report back.