Need to change DTLS-Tunnel from AES-128 to AES-256 for anyconnect

suresh.1275
Level 1

I see my DTLS-Tunnel value is AES-128, which I want to change to AES-256.

7 Replies

You don't mention which ASA-version you are running, so I just assume it's a recent one:

ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA"

Hi karsten,

We are running on a 5510 and the firmware is a 9.x version (the latest one), so I want to modify the encryption type for one of the VPNs, which has AES-128. If I can find the policy associated with it, then I can modify it to AES-256. I found the crypto map and transform set, but I am still unable to find the policy where the encryption and hash values are defined. Please tell me how I can find it.

It's a global setting and not controlled by a particular policy. For your legacy ASA you have to disable it for all kinds of TLS. Your config could look like the following for that:

ssl server-version tlsv1-only
ssl encryption dhe-aes256-sha1 aes256-sha1

Karsten,

device config looks like below:

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
Outside interface: SSL_VPN_Cert

I think I need to disable the cipher order; if so, please tell me how I can do that.

ssl server-version tlsv1-only
ssl encryption dhe-aes256-sha1 aes256-sha1

Thanks, Karsten! It indeed worked. Can I have more than one type of encryption for my SSL, and more than one SSL version as well?

You put all the algorithms you want in that line, with the more preferred ones at the beginning.
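The thread's fix boils down to reading the "Enabled cipher order" line from the ASA's `show ssl` output, dropping everything that is not an AES-256 suite, and writing the remaining suites back in preference order. The following script is an added example (not from the thread or from Cisco) that does exactly that check against a constructed copy of the output quoted above; the function names and the DHE-first ordering are assumptions, and the generated lines use the legacy `ssl encryption` syntax the answer shows.

```python
import re

# Constructed sample of ASA 'show ssl' output, shaped like the one quoted in the thread.
SAMPLE_SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
Outside interface: SSL_VPN_Cert
"""

# Legacy 'ssl encryption' cipher names that are not AES-256 suites (assumed list).
WEAK_PREFIXES = ("rc4-", "3des-", "des-", "null-", "aes128-", "dhe-aes128-")


def parse_enabled_ciphers(show_ssl: str) -> list[str]:
    """Return the 'Enabled cipher order' list from 'show ssl' output, in order."""
    m = re.search(r"^Enabled cipher order:\s*(.*)$", show_ssl, re.MULTILINE)
    return m.group(1).split() if m else []


def accepts_legacy_ssl(show_ssl: str) -> bool:
    """True if the box still accepts SSLv2/SSLv3, i.e. 'ssl server-version tlsv1-only' is needed."""
    m = re.search(r"^Accept connections using (.*?) and negotiate", show_ssl, re.MULTILINE)
    return bool(m) and ("SSLv2" in m.group(1) or "SSLv3" in m.group(1))


def classify(ciphers: list[str]) -> tuple[list[str], list[str]]:
    """Split the enabled ciphers into (keep, drop): keep AES-256 suites, drop the rest."""
    keep = [c for c in ciphers if not c.startswith(WEAK_PREFIXES)]
    drop = [c for c in ciphers if c.startswith(WEAK_PREFIXES)]
    return keep, drop


def hardened_commands(show_ssl: str) -> list[str]:
    """Build the legacy-ASA config lines from the thread, listing DHE suites first."""
    keep, _ = classify(parse_enabled_ciphers(show_ssl))
    ordered = sorted(keep, key=lambda c: 0 if c.startswith("dhe-") else 1)
    cmds = ["ssl server-version tlsv1-only"] if accepts_legacy_ssl(show_ssl) else []
    return cmds + ["ssl encryption " + " ".join(ordered)]


if __name__ == "__main__":
    _, dropped = classify(parse_enabled_ciphers(SAMPLE_SHOW_SSL))
    print("dropping:", " ".join(dropped))
    print("\n".join(hardened_commands(SAMPLE_SHOW_SSL)))
```

Run it against a pasted `show ssl` from your own box to see which suites the change removes before committing the config lines.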