09-09-2015 10:23 AM
We have two Cisco 2951 routers, one at our main location and one at a branch location. An engineer from a local company came in and did all the setup work, including the VPN between the two of them.
For an upcoming review, the auditing firm wanted to know what kind of security/encryption was set up between the two routers. The engineer is no longer available, so I have been going over our configuration files for each of the routers, and am having issues figuring out what to tell them (I'll be the first to admit that some of this stuff is over my head).
I am attaching the portions of the configs with the "crypto" information that he set up. If you see anything wrong, or need anything additional, let me know.
Thanks in advance!
09-09-2015 01:08 PM
This is what you are using:
Phase1: 3DES, SHA1, PSK, DH Group2 (1024Bit), Lifetime 86400s
Phase2: 3DES, SHA1
That's nowadays considered legacy crypto, but probably nothing to worry about. Still, the crypto config has to be considered as having "room for improvement" ...
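The reply above reads the Phase 1 and Phase 2 parameters out of the crypto config by hand. As an added example (not code from the thread or from Cisco), here is a small Python checker that parses the `crypto isakmp policy` and `crypto ipsec transform-set` lines of an IOS config and flags the items the reply calls legacy. The sample config is constructed to match the parameters in the reply (plus a second, stronger policy to show a clean pass); the IOS defaults for omitted policy lines and the extra flags for DES, MD5 and DH groups 1 and 5 are my own assumptions and generalization.

```python
# Constructed sample config (not the thread's attachment): policy 10 matches the
# parameters the reply identifies; policy 20 is an assumed stronger policy.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set BRANCH-TS esp-3des esp-sha-hmac
 mode tunnel
"""

# Values IOS uses when a policy line is omitted (assumed IOS defaults).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
# The reply calls 3DES, SHA1 ("hash sha") and DH group 2 legacy; DES, MD5 and
# groups 1/5 are weaker still and are flagged on the same basis (my generalization).
LEGACY_PHASE1 = {"encr": {"des", "3des"}, "hash": {"sha", "md5"},
                 "group": {"1", "2", "5"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-sha-hmac", "esp-md5-hmac",
                     "ah-sha-hmac", "ah-md5-hmac"}

def parse_crypto(config):
    """Return (isakmp_policies, transform_sets) parsed from IOS config text."""
    policies, transform_sets, current = {}, {}, None
    for line in config.splitlines():
        if line.startswith("crypto isakmp policy "):
            current = policies.setdefault(line.split()[3], dict(ISAKMP_DEFAULTS))
        elif line.startswith("crypto ipsec transform-set "):
            current = None
            _, _, _, name, *transforms = line.split()
            transform_sets[name] = transforms
        elif line.startswith(" ") and current is not None:
            key, *value = line.split()
            key = "encr" if key == "encryption" else key  # IOS accepts both spellings
            current[key] = " ".join(value)  # e.g. "aes 256" keeps the key size
        else:
            current = None  # "!" or any other top-level line ends the policy block
    return policies, transform_sets

def audit_config(config):
    """Map each policy / transform-set to its legacy items; an empty list is clean."""
    policies, transform_sets = parse_crypto(config)
    findings = {}
    for number, p in policies.items():
        findings[f"isakmp policy {number}"] = [
            f"{k} {p[k]}" for k in ("encr", "hash", "group") if p[k] in LEGACY_PHASE1[k]]
    for name, transforms in transform_sets.items():
        findings[f"transform-set {name}"] = [t for t in transforms if t in LEGACY_TRANSFORMS]
    return findings
```

Running `audit_config` over the real `show running-config` output gives the auditor a per-policy list of exactly which parameters are the legacy ones.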
09-10-2015 05:44 AM
Thank you for the quick reply!
What is the next step up in encryption that we could take to not be considered "legacy"?
The only reason I ask is that regulators can really hit us on something like that in the future.
09-10-2015 05:57 AM
If you want to be at the top of encryption, then you should:
For better manageability, you could migrate from crypto-maps to virtual tunnel interfaces (VTIs).