11-12-2020 06:50 AM
Hi,
Help me out. I'm just scratching my head on this one even though I've been here before.
I'm STIG-ing an ASA.
Where on ASDM can I configure all ISAKMP policies to use AES for IKE encryption?
Or what command can I use to check that my configured set have the appropriate AES level?
Thanks
(referenced STIG Rule)
https://www.stigviewer.com/stig/ipsec_vpn_gateway/2018-11-27/finding/V-30952
11-12-2020 07:00 AM
Hi @K-Grev
I don't know where the location is on ASDM, but use the command show vpn-sessiondb ratio encryption on the CLI, which will tell you how many tunnels are using which algorithms. From the CLI you can check your ISAKMP/IKEv1 policies using the command show run crypto isakmp or show run crypto ikev1; if any policies are using DES/3DES, amend accordingly. Provide the output for review if you need further help.
HTH
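Added example, not part of the original replies: a small Python check that reads saved `show run crypto ikev1` / `show run crypto isakmp` output and lists the policies whose encryption is not AES. The sample output is constructed, the function names are hypothetical, and treating a policy with no encryption line as "review manually" is an assumption.

```python
import re

# Constructed sample of `show run crypto ikev1` output (not from the thread).
SAMPLE = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication rsa-sig
 hash md5
"""

POLICY_RE = re.compile(r"^crypto (?:ikev1|isakmp) policy (\d+)\s*$")
ENC_RE = re.compile(r"^\s+encryption (\S+)\s*$")

def parse_policies(text):
    """Return {priority: encryption or None} for each IKEv1/ISAKMP policy."""
    policies, current = {}, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = None
            continue
        if not line.startswith(" "):
            current = None  # left the policy sub-mode
            continue
        m = ENC_RE.match(line)
        if m and current is not None:
            policies[current] = m.group(1).lower()
    return policies

def non_aes_policies(text):
    """Policies whose encryption is not AES, or has no encryption line shown."""
    return {p: e for p, e in parse_policies(text).items()
            if e is None or not e.startswith("aes")}

if __name__ == "__main__":
    for prio, enc in sorted(non_aes_policies(SAMPLE).items()):
        print(f"policy {prio}: encryption={enc or 'not shown'} -> review")
```
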
11-12-2020 07:08 AM
Thanks Rob, that helped a lot.
Also, on ASDM I found that Config > Site-to-Site VPN > Advanced > IKE Policies helped.