ā03-03-2023 01:00 AM
I'm trying to find a command that will show encryption and hash strength / keysize for IKEv1.
For IKEv2 it's easy, showing 128b AES and 256b SHA:
rtr1#show crypto ikev2 sa
[...]
Encr: AES-GCM, keysize: 128, PRF: SHA256, Hash: None, DH Grp:14, Auth sign: PSK, Auth verify: PSK
But how to show it for IKEv1 connections? show crypto isakmp sa detail shows just the algorithms, but not the key size.
There is also show crypto engine connections active, but it is not available on our newer IOS XE routers.
Gathering it from debugging is not an option for us.
ā03-03-2023 03:02 AM
show crypto isakmp sa detail <<-
R2-IPSec#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 100.0.0.2 100.0.0.3 ACTIVE des sha psk 1 23:59:40
Engine-id:Conn-id = SW:1
ā03-03-2023 03:53 AM
Thanks for your reply. While DES really doesn't need to have the cipher strength displayed, it doesn't display it for AES either, please see my other reply.
ā03-03-2023 03:05 AM
It's all in the command that you just mentioned:
R1#sh cry isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1008 198.51.100.26 198.51.100.10 ACTIVE aes sha psk 14 23:58:56
Engine-id:Conn-id = SW:8
ā03-03-2023 03:50 AM
Thanks, I'm aware that in IOS, sha might mean sha-1 and aes might mean aes-128 in the configuration. But I don't think that's true in the output of this command.
On an Cisco 3945 router, when I run the show crypto engine connections active command, I get many connections with AES256. I get none with AES128 or just AES.
But when I run show crypto isakmp sa detail | i ACTIVE, all I see is "aes" without specified strength. I'm talking about hundreds to thousands of tunnels here. I don't know the configuration of the devices of our customers, but I know that they try to use at least 256 bits of strength when possible, so it's very unlikely all of the tunnels would be just aes 128. Another thing is that the output doesn't say CBC or GCM...
Do you have an example of crypto isakmp sa detail output actually showing the strength of the encryption?
ā03-03-2023 03:55 AM - edited ā03-03-2023 04:30 AM
The router show AES or AES-128 as by default AES-128 is AES (same)(AES-128 (as per RFC 3826))
why other AES-256/CBC/GCM not appear, simply answer your router and other peer accept AES(AES-128) and not accept other AES-256/CBC/GCM
ā03-03-2023 04:43 AM
this give you the encrypt config,
R2-IPSec#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R2-IPSec#
ā03-03-2023 05:18 AM
We have tens of isakmp policies configured, I don't know which one was chosen for any particular tunnel.
ā03-03-2023 06:37 AM
the policy can not show directly with show command,
you can see the policy select via debug and this also need re-connect the VPN tunnel.
but there is different between policy X policy Y
the different is the auth/encrypt/hash config under each policy.
ā03-03-2023 04:07 AM
I just looked at it and you are right. For some reason I remembered it to be displayed here same as with sh cry ipsec sa. At the moment I don't see any command to show the key length. If you only have one ISAKMP policy with 256 bits it would be easy. But if there need to be multiple policies for different peers there is a problem. I'll think about it ...
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide