Show encryption strength for IKEv1

vojtech.jaros (Level 1)

I'm trying to find a command that will show encryption and hash strength / keysize for IKEv1.

For IKEv2 it's easy, showing 128b AES and 256b SHA:

rtr1#show crypto ikev2 sa
[...]
Encr: AES-GCM, keysize: 128, PRF: SHA256, Hash: None, DH Grp:14, Auth sign: PSK, Auth verify: PSK 

But how to show it for IKEv1 connections? show crypto isakmp sa detail shows just the algorithms, but not the key size.

There is also show crypto engine connections active, but it is not available on our newer IOS XE routers.

Gathering it from debugging is not an option for us.

9 Replies

show crypto isakmp sa detail <<-

R2-IPSec#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  100.0.0.2       100.0.0.3              ACTIVE des  sha    psk  1  23:59:40
       Engine-id:Conn-id =  SW:1

Thanks for your reply. While DES really doesn't need to have the cipher strength displayed, it doesn't display it for AES either, please see my other reply.

It's all in the command that you just mentioned:

R1#sh cry isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1008  198.51.100.26   198.51.100.10          ACTIVE aes  sha    psk  14 23:58:56
       Engine-id:Conn-id =  SW:8
  • Encryption is AES 128, because when no key size is added the default length is always 128 bit
  • Hash SHA is SHA1
  • DH14 is 2048 bit

Thanks, I'm aware that in IOS, sha might mean sha-1 and aes might mean aes-128 in the configuration. But I don't think that's true in the output of this command.

On a Cisco 3945 router, when I run the show crypto engine connections active command, I get many connections with AES256. I get none with AES128 or just AES.

But when I run show crypto isakmp sa detail | i ACTIVE, all I see is "aes" without specified strength. I'm talking about hundreds to thousands of tunnels here. I don't know the configuration of the devices of our customers, but I know that they try to use at least 256 bits of strength when possible, so it's very unlikely all of the tunnels would be just aes 128. Another thing is that the output doesn't say CBC or GCM...

Do you have an example of crypto isakmp sa detail output actually showing the strength of the encryption?

The router shows AES or AES-128 as by default AES-128 is AES (the same) (AES-128, as per RFC 3826).
Why do the other AES-256/CBC/GCM not appear? The simple answer is that your router and the other peer accept AES (AES-128) and do not accept the other AES-256/CBC/GCM.

This gives you the encryption config:

R2-IPSec#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R2-IPSec#

We have tens of isakmp policies configured, I don't know which one was chosen for any particular tunnel.

The policy cannot be shown directly with a show command;
you can see the policy selected via debug, and this also needs a re-connect of the VPN tunnel.
But there is a difference between policy X and policy Y:
the difference is the auth/encrypt/hash config under each policy.

I just looked at it and you are right. For some reason I remembered it being displayed here the same as with sh cry ipsec sa. At the moment I don't see any command to show the key length. If you only have one ISAKMP policy with 256 bits it would be easy. But if there need to be multiple policies for different peers there is a problem. I'll think about it ...
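As an added example (not code from this thread or from Cisco), here is a Python script that does the narrowing-down the last replies describe, offline: it parses the two outputs quoted in the thread, matches each IKEv1 SA from show crypto isakmp sa detail to the configured policies from show crypto isakmp policy that share its encryption family, hash, authentication method and DH group, and reports the AES key size only when every matching policy agrees on it. When two policies differ only in key size, the SA is flagged as ambiguous, which is exactly the multi-policy case the thread cannot resolve from show commands. Both sample outputs are constructed; the mapping from the long algorithm names printed by show crypto isakmp policy to the short tokens in the SA table is an assumption based on the outputs quoted here and common IOS wording.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the layout quoted in the thread (not from a real
# device): one SA without a VRF and one inside VRF "CUST" using DES with DH group 1.
SA_DETAIL = """\
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1008  198.51.100.26   198.51.100.10          ACTIVE aes  sha    psk  14 23:58:56
       Engine-id:Conn-id =  SW:8
1010  198.51.100.26   198.51.100.12   CUST   ACTIVE des  sha    psk  1  23:59:40
       Engine-id:Conn-id =  SW:10
"""

# Constructed "show crypto isakmp policy" output (lifetime lines omitted): priorities
# 10 and 15 differ only in AES key size, which is the case the thread cannot resolve.
POLICY = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
Protection suite of priority 15
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
Protection suite of priority 30
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
"""

# One SA row of "show crypto isakmp sa detail"; the I-VRF column may be empty.
SA_LINE = re.compile(
    r"^(?P<cid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?:(?P<vrf>\S+)\s+)?"
    r"ACTIVE\s+(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<dh>\d+)\s+\S+")

def parse_sa_detail(text: str) -> List[Dict]:
    """One dict per SA row; header and Engine-id lines do not match and are skipped."""
    rows = []
    for m in filter(None, (SA_LINE.match(l.strip()) for l in text.splitlines())):
        d = m.groupdict()
        d["cid"], d["dh"] = int(d["cid"]), int(d["dh"])
        rows.append(d)
    return rows

# Long names printed by "show crypto isakmp policy" -> short tokens of the SA table
# (assumption based on the outputs quoted in the thread and common IOS wording).
def _short(enc: str, hsh: str, auth: str) -> Tuple[str, str, str]:
    e = "aes" if enc.startswith("AES") else ("3des" if "triple DES" in enc else "des")
    m = re.search(r"Secure Hash Standard 2 \((\d+) bit\)", hsh)
    h = "md5" if "Message Digest 5" in hsh else (f"sha{m.group(1)}" if m else "sha")
    a = "psk" if "Pre-Shared" in auth else ("rsig" if "Signature" in auth else "renc")
    return e, h, a

def parse_policies(text: str) -> List[Dict]:
    """One dict per protection suite, with SA-table tokens plus the key size."""
    suites, cur = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*Protection suite of priority (\d+)", line)
        kv = re.match(r"\s*([\w\- ]+):\s+(.*)", line)
        if m:
            cur = {"priority": int(m.group(1))}
            suites.append(cur)
        elif kv and cur:
            cur[kv.group(1).strip()] = kv.group(2).strip()
    out = []
    for s in suites:
        e, h, a = _short(s["encryption algorithm"], s["hash algorithm"],
                         s["authentication method"])
        bits = re.search(r"\((\d+) bit keys\)", s["encryption algorithm"])
        out.append({"priority": s["priority"], "encr": e, "hash": h, "auth": a,
                    "dh": int(re.search(r"#(\d+)", s["Diffie-Hellman group"]).group(1)),
                    "key_bits": int(bits.group(1)) if bits else None})
    return out

WEAK_ENCR, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5"}, {1, 2, 5}

def assess(sa_text: str, policy_text: str) -> List[Dict]:
    """Match each SA to every policy sharing its four visible attributes; the AES
    key size is known only when all candidate policies agree on it."""
    policies, report = parse_policies(policy_text), []
    for sa in parse_sa_detail(sa_text):
        key = (sa["encr"], sa["hash"], sa["auth"], sa["dh"])
        cands = [p for p in policies if (p["encr"], p["hash"], p["auth"], p["dh"]) == key]
        bits = sorted({p["key_bits"] for p in cands if p["key_bits"] is not None})
        flags = [name for name, bad in (
            ("weak-encr", sa["encr"] in WEAK_ENCR), ("weak-hash", sa["hash"] in WEAK_HASH),
            ("weak-dh", sa["dh"] in WEAK_DH),
            ("aes-keysize-ambiguous", sa["encr"] == "aes" and len(bits) != 1)) if bad]
        report.append({"conn_id": sa["cid"], "remote": sa["remote"], "vrf": sa["vrf"],
                       "candidate_policies": [p["priority"] for p in cands],
                       "key_bits": bits, "flags": flags})
    return report

if __name__ == "__main__":
    print(*assess(SA_DETAIL, POLICY), sep="\n")
```

Paste each command's output into the two strings (or read them from files) and run the script. The flags also call out DES/3DES, MD5 and DH groups 1, 2 and 5, so the same pass doubles as a quick weak-crypto inventory across many tunnels. It only narrows the policy to a candidate list; it does not tell you which policy the peer actually negotiated.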