I'm trying to find a command that will show encryption and hash strength / keysize for IKEv1.
For IKEv2 it's easy, showing 128b AES and 256b SHA:
rtr1#show crypto ikev2 sa
Encr: AES-GCM, keysize: 128, PRF: SHA256, Hash: None, DH Grp:14, Auth sign: PSK, Auth verify: PSK
But how to show it for IKEv1 connections? show crypto isakmp sa detail shows just the algorithms, but not the key size.
There is also show crypto engine connections active, but it is not available on our newer IOS XE routers.
Gathering it from debugging is not an option for us.
show crypto isakmp sa detail <<-
R2-IPSec#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 184.108.40.206 220.127.116.11 ACTIVE des sha psk 1 23:59:40
Engine-id:Conn-id = SW:1
It's all in the command that you just mentioned:
R1#sh cry isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1008 198.51.100.26 198.51.100.10 ACTIVE aes sha psk 14 23:58:56
Engine-id:Conn-id = SW:8
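An added example, not part of this thread: a Python script that parses the two outputs discussed here (show crypto isakmp sa detail and show crypto isakmp policy), flags the weak parameters the SA row does show (cipher, hash, DH group), and reports whether the configured policies pin down the AES key size that the row omits. The SA rows are the two quoted above; the policy set and the weakness thresholds are constructed assumptions.

```python
import re
# Constructed sample based on the two SA rows quoted in this thread (DES/DH1 and AES/DH14).
SA_OUTPUT = """\
C-id  Local           Remote          I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
1001  184.108.40.206  220.127.116.11         ACTIVE  des   sha   psk   1   23:59:40
Engine-id:Conn-id = SW:1
1008  198.51.100.26   198.51.100.10          ACTIVE  aes   sha   psk   14  23:58:56
Engine-id:Conn-id = SW:8
"""
# Hypothetical policy set, trimmed to the lines parsed: two AES policies share DH group 14.
POLICY_OUTPUT = """\
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        Diffie-Hellman group:   #14 (2048 bit)
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        Diffie-Hellman group:   #14 (2048 bit)
Protection suite of priority 30
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        Diffie-Hellman group:   #1 (768 bit)
"""
SA_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?([A-Z_]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")
ENC_LINE = re.compile(r"encryption algorithm:\s+(\S+).*\((\d+) bit keys\)")
DH_LINE = re.compile(r"Diffie-Hellman group:\s+#(\d+)")
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "dh": {1, 2, 5}}  # assumed audit thresholds
def parse_sa(text):  # one dict per SA row; header and Engine-id lines are skipped, I-VRF may be blank
    sas = []
    for line in text.splitlines():
        if m := SA_ROW.match(line.strip()):
            cid, local, remote, vrf, status, encr, hsh, auth, dh, _life = m.groups()
            sas.append(dict(cid=int(cid), local=local, remote=remote, vrf=vrf, status=status,
                            encr=encr.lower(), hash=hsh.lower(), auth=auth.lower(), dh=int(dh)))
    return sas
def parse_policies(text):  # {priority: {'encr': 'aes', 'bits': 256, 'dh': 14}} per protection suite
    policies, cur = {}, None
    for line in text.splitlines():
        if line.strip().startswith("Protection suite of priority"):
            cur = policies.setdefault(int(line.split()[-1]), {})
        elif cur is not None and (m := ENC_LINE.search(line)):
            cur["encr"], cur["bits"] = m.group(1).lower(), int(m.group(2))
        elif cur is not None and (m := DH_LINE.search(line)):
            cur["dh"] = int(m.group(1))
    return policies
def key_sizes(sa, policies):  # key sizes of every policy whose cipher and DH group match the SA row
    return sorted({p["bits"] for p in policies.values() if p.get("encr") == sa["encr"] and p.get("dh") == sa["dh"]})
def audit(sa, policies):  # weak values visible in the row, plus whether the policies pin the key size
    sizes = key_sizes(sa, policies)
    size = f"{sizes[0]} bits" if len(sizes) == 1 else f"ambiguous {sizes}" if sizes else "unknown (no matching policy)"
    return [f"weak {k} {sa[k]}" for k in ("encr", "hash", "dh") if sa[k] in WEAK[k]] + [f"key size {size}"]
```

With several AES policies on the same DH group, the SA row alone cannot tell 128 from 256, which is exactly the multi-policy problem raised further down in this thread.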
Thanks, I'm aware that in IOS, sha might mean sha-1 and aes might mean aes-128 in the configuration. But I don't think that's true in the output of this command.
On a Cisco 3945 router, when I run the show crypto engine connections active command, I get many connections with AES256. I get none with AES128 or just AES.
But when I run show crypto isakmp sa detail | i ACTIVE, all I see is "aes" without specified strength. I'm talking about hundreds to thousands of tunnels here. I don't know the configuration of the devices of our customers, but I know that they try to use at least 256 bits of strength when possible, so it's very unlikely all of the tunnels would be just aes 128. Another thing is that the output doesn't say CBC or GCM...
Do you have an example of crypto isakmp sa detail output actually showing the strength of the encryption?
The router shows AES or AES-128 because by default AES-128 is AES (the same) (AES-128 as per RFC 3826).
Why do the other AES-256/CBC/GCM not appear? The simple answer: your router and the other peer accept AES (AES-128) and do not accept the other AES-256/CBC/GCM.
This gives you the encryption config:
R2-IPSec#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
The policy cannot be shown directly with a show command;
you can see the policy selected via debug, and this also needs a reconnect of the VPN tunnel.
But there is a difference between policy X and policy Y;
the difference is the auth/encrypt/hash config under each policy.
I just looked at it and you are right. For some reason I remembered it to be displayed here same as with sh cry ipsec sa. At the moment I don't see any command to show the key length. If you only have one ISAKMP policy with 256 bits it would be easy. But if there need to be multiple policies for different peers there is a problem. I'll think about it ...