03-03-2023 01:00 AM
I'm trying to find a command that will show encryption and hash strength / keysize for IKEv1.
For IKEv2 it's easy, showing 128b AES and 256b SHA:
rtr1#show crypto ikev2 sa
[...]
Encr: AES-GCM, keysize: 128, PRF: SHA256, Hash: None, DH Grp:14, Auth sign: PSK, Auth verify: PSK
But how to show it for IKEv1 connections? show crypto isakmp sa detail shows just the algorithms, but not the key size.
There is also show crypto engine connections active, but it is not available on our newer IOS XE routers.
Gathering it from debugging is not an option for us.
03-03-2023 03:02 AM
show crypto isakmp sa detail <<-
R2-IPSec#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 100.0.0.2 100.0.0.3 ACTIVE des sha psk 1 23:59:40
Engine-id:Conn-id = SW:1
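The two outputs quoted in this thread (the IKEv2 `show crypto ikev2 sa` line from the question and the IKEv1 `show crypto isakmp sa detail` rows above) are easy to collect from many routers but tedious to audit by hand. The following script is an added example, not code from the thread or from Cisco: it parses both formats into one record shape and flags Phase 1 parameters that fall below a policy floor. The sample text is copied from the outputs posted here; the weakness thresholds (DES/3DES, MD5 and bare SHA treated as SHA-1, DH groups 1/2/5, a 256-bit AES floor) and the list of IOS status tokens in the regex are this example's own assumptions. As the thread observes, the IKEv1 table never prints an AES key size, so the script reports that as "unknown" rather than guessing.

```python
import re

# Constructed samples, copied from the command outputs posted in this thread.
IKEV1_SAMPLE = """\
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 100.0.0.2 100.0.0.3 ACTIVE des sha psk 1 23:59:40
1008 198.51.100.26 198.51.100.10 ACTIVE aes sha psk 14 23:58:56
"""
IKEV2_SAMPLE = ("Encr: AES-GCM, keysize: 128, PRF: SHA256, Hash: None, "
                "DH Grp:14, Auth sign: PSK, Auth verify: PSK")

# One SA row of `show crypto isakmp sa detail`. I-VRF is blank in the samples,
# so it is optional; the status alternatives are an assumption about IOS names.
IKEV1_ROW = re.compile(
    r"^(?P<cid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<vrf>\S+)\s+)?"
    r"(?P<status>ACTIVE|MM_\S+|QM_\S+|AG_\S+)\s+"
    r"(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<dh>\d+)\s+"
    r"(?P<lifetime>\S+)(?:\s+(?P<cap>\S+))?\s*$"
)

# Assumed policy floor, matching the "at least 256 bits" goal stated in the thread.
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha", "sha1"}   # bare "sha" in IOS output taken as SHA-1 (assumption)
WEAK_DH = {1, 2, 5}
MIN_AES_KEYSIZE = 256


def parse_ikev1(text):
    """Return one record per ISAKMP SA row; header and legend lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = IKEV1_ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        sas.append({
            "version": 1, "peer": d["remote"], "encr": d["encr"].lower(),
            "keysize": None,              # this command does not print the AES key size
            "hash": d["hash"].lower(), "dh": int(d["dh"]), "auth": d["auth"].lower(),
        })
    return sas


def parse_ikev2(line):
    """Parse the comma-separated 'key: value' summary line of `show crypto ikev2 sa`."""
    fields = {k.strip(): v.strip() for k, v in re.findall(r"(\w[\w ]*?):\s*([^,]+)", line)}
    integrity = fields.get("Hash", "None")
    if integrity == "None":               # AEAD cipher (GCM): integrity comes from the PRF
        integrity = fields.get("PRF", "None")
    return {
        "version": 2, "peer": None, "encr": fields["Encr"].lower(),
        "keysize": int(fields["keysize"]) if "keysize" in fields else None,
        "hash": integrity.lower(), "dh": int(fields["DH Grp"]),
        "auth": fields.get("Auth sign", "").lower(),
    }


def assess(sa):
    """Return a list of findings for one SA record (empty list means it meets the floor)."""
    findings = []
    if sa["encr"] in WEAK_ENCR:
        findings.append(f"weak cipher {sa['encr']}")
    if sa["hash"] in WEAK_HASH:
        findings.append(f"weak hash {sa['hash']}")
    if sa["dh"] in WEAK_DH:
        findings.append(f"weak DH group {sa['dh']}")
    if sa["encr"].startswith("aes"):
        if sa["keysize"] is None:
            findings.append("AES key size not reported by this command; check policy or peer")
        elif sa["keysize"] < MIN_AES_KEYSIZE:
            findings.append(f"AES key size {sa['keysize']} below {MIN_AES_KEYSIZE}")
    return findings


def report(ikev1_text, ikev2_line):
    """Map 'ikev<version>:<peer>' to its findings for every SA in both outputs."""
    sas = parse_ikev1(ikev1_text) + [parse_ikev2(ikev2_line)]
    return {f"ikev{sa['version']}:{sa['peer'] or '-'}": assess(sa) for sa in sas}


if __name__ == "__main__":
    for name, findings in report(IKEV1_SAMPLE, IKEV2_SAMPLE).items():
        print(name, "->", "; ".join(findings) or "ok")
```

Run against the samples, the DES/group 1 tunnel is flagged on cipher, hash and DH group; the AES tunnel is flagged only for the unreported key size and SHA-1, which is exactly the gap the thread is asking about; the IKEv2 SA is flagged for a 128-bit key against the assumed 256-bit floor. Feeding real collected output in place of the constructed samples is a matter of replacing the two constants.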
03-03-2023 03:53 AM
Thanks for your reply. While DES really doesn't need to have the cipher strength displayed, it doesn't display it for AES either, please see my other reply.
03-03-2023 03:05 AM
It's all in the command that you just mentioned:
R1#sh cry isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1008 198.51.100.26 198.51.100.10 ACTIVE aes sha psk 14 23:58:56
Engine-id:Conn-id = SW:8
03-03-2023 03:50 AM
Thanks, I'm aware that in IOS, sha might mean sha-1 and aes might mean aes-128 in the configuration. But I don't think that's true in the output of this command.
On a Cisco 3945 router, when I run the show crypto engine connections active command, I get many connections with AES256. I get none with AES128 or just AES.
But when I run show crypto isakmp sa detail | i ACTIVE, all I see is "aes" without specified strength. I'm talking about hundreds to thousands of tunnels here. I don't know the configuration of the devices of our customers, but I know that they try to use at least 256 bits of strength when possible, so it's very unlikely all of the tunnels would be just aes 128. Another thing is that the output doesn't say CBC or GCM...
Do you have an example of crypto isakmp sa detail output actually showing the strength of the encryption?
03-03-2023 03:55 AM - edited 03-03-2023 04:30 AM
The router shows AES or AES-128, as by default AES-128 is AES (the same) (AES-128, as per RFC 3826).
Why do the other AES-256/CBC/GCM not appear? The simple answer: your router and the other peer accept AES (AES-128) and do not accept the other AES-256/CBC/GCM.
03-03-2023 04:43 AM
This gives you the encryption config:
R2-IPSec#show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
R2-IPSec#
03-03-2023 05:18 AM
We have tens of isakmp policies configured, I don't know which one was chosen for any particular tunnel.
03-03-2023 06:37 AM
The policy cannot be shown directly with a show command;
you can see the policy selected via debug, and this also needs a reconnect of the VPN tunnel.
But there is a difference between policy X and policy Y:
the difference is the auth/encrypt/hash config under each policy.
03-03-2023 04:07 AM
I just looked at it and you are right. For some reason I remembered it to be displayed here same as with sh cry ipsec sa. At the moment I don't see any command to show the key length. If you only have one ISAKMP policy with 256 bits it would be easy. But if there need to be multiple policies for different peers there is a problem. I'll think about it ...