Solved: Site to Site IPsec VPN change from 3DES to AES-256 on ASA55xx

hongsang · ‎06-19-2018

My ASA firewall are running IKEV1 3DES-SHA . Can anyone guide me how to change to AES256-SHA?

Rob Ingram · ‎06-20-2018

No, just create a new ikev1 transform set and then amend the existing crypto map

crypto ipsec ikev1 transform-set AES-TSET esp-aes-256 esp-sha-hmac

crypto map CRYPTO-MAP 1 set ikev1 transform-set AES-TSET VPNESP-3DES-SHA

View solution in original post

Rob Ingram · ‎06-19-2018

Hi, You will need to create a new IKEv1 policy, make sure the policy number is lower than the current IKEv1 Policy. You will need to apply this to all firewalls, reset the tunnels and hopefully they should use the new policy.

crypto ikev1 policy 5
authentication pre-share or rsa-sig
encryption aes
hash sha
group 5
lifetime 36000

You can leave the existing IKEv1 Policy in place, no need to remove.

When the tunnel is up run the command show crypto isakmp sa to confirm the VPN is using the new algorithms.

HTH

hongsang · ‎06-19-2018

Thanks for the reply. Shall I add the policy to the remote site ASA first, then local site?

is the tunnel effective immediately, or I need to run further command to turn off/on?

I saw the configuration has AES128, 192, 256. Do I need to specify which AES bits to implement?

Rob Ingram · ‎06-19-2018

Yes, you can add to the remote site first, ensure you have connectivity if the tunnel is down though, just in case.

Yes, select encryption aes-256

Once the new policy has been added to both firewalls, issue the command "clear crypto isakmp sa" and "clear crypto sa". This will clear the current IKEv1 and IPSec SAs.

HTH

hongsang · ‎06-19-2018

Thanks for your reply promptly. I will try it. Do I just run the "clear crypto..." commands on local site?

If I encounter problem, shall I just disable the policy 5 and run clear crypto... commands again to fall back?

Rob Ingram · ‎06-19-2018

I'd run it on both sites, just to be sure the SAs have been cleared on both ends.

Yes, if any problem just revert what you added. If you do have a problem run "debug crypto isakmp" and upload the output here.

hongsang · ‎06-19-2018

My current crypto map is set as

crypto map myoutmap 1 ikev1 transform-set VPNESP-3DES-SHA

Do I need to create other crypto map for AES?

Rob Ingram · ‎06-20-2018

No, just create a new ikev1 transform set and then amend the existing crypto map

crypto ipsec ikev1 transform-set AES-TSET esp-aes-256 esp-sha-hmac

crypto map CRYPTO-MAP 1 set ikev1 transform-set AES-TSET VPNESP-3DES-SHA

hongsang · ‎06-22-2018

I will login the remote site firewall from local site throught the VPN link. If I just change the crypto map, is there any risk my session will be terminated and cannot fallback?

Rob Ingram · ‎06-23-2018

I wouldn't risk making these changes to the VPN over the VPN tunnel. I'd make sure you can access the remote VPN via SSH or ASDM on it's external interface. That way if there is an issue with the VPN tunnel and the tunnel is down you can still access the remote ASA and troubleshoot.