Site to Site IPsec VPN change from 3DES to AES-256 on ASA55xx

hongsang (Level 1)

My ASA firewalls are running IKEv1 3DES-SHA. Can anyone guide me on how to change to AES256-SHA?


Hi, you will need to create a new IKEv1 policy; make sure the policy number is lower than the current IKEv1 policy. You will need to apply this to all firewalls and reset the tunnels, and hopefully they should use the new policy.

    crypto ikev1 policy 5
     ! use pre-share or rsa-sig, whichever the existing policy uses
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 36000

You can leave the existing IKEv1 policy in place; there is no need to remove it.

When the tunnel is up, run the command "show crypto isakmp sa" to confirm the VPN is using the new algorithms.

HTH

Thanks for the reply. Shall I add the policy to the remote-site ASA first, then the local site?

Is the tunnel effective immediately, or do I need to run a further command to turn it off/on?

I saw the configuration has AES128, 192 and 256. Do I need to specify which AES key size to implement?

Yes, you can add it to the remote site first; ensure you have connectivity in case the tunnel goes down, though, just in case.

Yes, select "encryption aes-256".

Once the new policy has been added to both firewalls, issue the commands "clear crypto isakmp sa" and "clear crypto sa". This will clear the current IKEv1 and IPsec SAs.

HTH

Thanks for your prompt reply. I will try it. Do I just run the "clear crypto ..." commands on the local site?

If I encounter a problem, shall I just disable policy 5 and run the "clear crypto ..." commands again to fall back?

I'd run it on both sites, just to be sure the SAs have been cleared on both ends.

Yes, if there is any problem, just revert what you added. If you do have a problem, run "debug crypto isakmp" and upload the output here.

My current crypto map is set as:

    crypto map myoutmap 1 set ikev1 transform-set VPNESP-3DES-SHA

Do I need to create another crypto map for AES?

Accepted solution

No, just create a new IKEv1 transform set and then amend the existing crypto map:

    crypto ipsec ikev1 transform-set AES-TSET esp-aes-256 esp-sha-hmac
    !
    ! CRYPTO-MAP is a placeholder: use the name of the existing map (myoutmap in the
    ! configuration above) so the entry is amended rather than a second map created.
    ! Transform sets are proposed in the order listed, so the AES-256 set goes first.
    crypto map CRYPTO-MAP 1 set ikev1 transform-set AES-TSET VPNESP-3DES-SHA
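The replies above describe three conditions for the cutover: a new IKEv1 policy with aes-256 numbered below the 3DES policy, an AES-256 transform set listed first in the existing crypto map entry, and the 3DES material left in place until both peers are verified. The following script, added here as an example and not code from the thread or from Cisco, parses the crypto sections of a `show running-config` dump and checks those conditions, so the same audit can be run against both ASAs before issuing `clear crypto isakmp sa`. The sample configurations are constructed; the names myoutmap, AES-TSET and VPNESP-3DES-SHA follow the thread, while the peer address, ACL name and the choice of which DH groups count as weak are assumptions.

```python
"""Audit an ASA running-config for the IKEv1 3DES-SHA -> AES-256-SHA migration.

Added example, not from the original thread. Checks:
  - an IKEv1 policy with `encryption aes-256` exists and is numbered lower
    (i.e. preferred) than any policy still offering 3DES/DES/MD5/DH group 1 or 2;
  - the crypto map entry lists an AES-256 transform set first;
  - any remaining 3DES policy or transform set is reported as a leftover to
    delete once both peers have been confirmed on AES-256.
"""
import re

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2"}   # assumption: groups 1 and 2 treated as weak, 5 and up accepted


def parse_ikev1_policies(cfg):
    """Return {priority: {attribute: value}} for every `crypto ikev1 policy` block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        m = re.match(r"^\s+(authentication|encryption|hash|group|lifetime)\s+(\S+)", line)
        if current is not None and m:
            policies[current][m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            current = None   # any other top-level line ends the policy block
    return policies


def parse_transform_sets(cfg):
    """Return {name: [esp algorithms]} for every IKEv1 transform set."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec ikev1 transform-set (\S+) (.+?)\s*$", cfg, re.M)}


def parse_crypto_map_tsets(cfg):
    """Return {(map name, seq): [transform set names in proposal order]}."""
    return {(m.group(1), int(m.group(2))): m.group(3).split()
            for m in re.finditer(r"^crypto map (\S+) (\d+) set ikev1 transform-set (.+?)\s*$", cfg, re.M)}


def audit(cfg):
    policies = parse_ikev1_policies(cfg)
    tsets = parse_transform_sets(cfg)
    maps = parse_crypto_map_tsets(cfg)
    problems, leftovers = [], []   # problems block the cutover; leftovers are post-cutover cleanup

    strong = sorted(p for p, a in policies.items() if a.get("encryption") == "aes-256")
    weak = sorted(p for p, a in policies.items()
                  if a.get("encryption") in WEAK_ENC or a.get("hash") in WEAK_HASH
                  or a.get("group") in WEAK_DH)
    if not strong:
        problems.append("no IKEv1 policy uses aes-256")
    for p in weak:
        leftovers.append(f"ikev1 policy {p}: {policies[p]}")
        if strong and strong[0] > p:
            problems.append(f"aes-256 policy {strong[0]} is numbered above weak policy {p}, "
                            "so the weak policy is still preferred")
    for name, algs in tsets.items():
        if any(a in ("esp-des", "esp-3des") for a in algs):
            leftovers.append(f"transform-set {name}: {' '.join(algs)}")
    for (mname, seq), names in maps.items():
        if "esp-aes-256" not in tsets.get(names[0], []):
            problems.append(f"crypto map {mname} {seq}: first transform set {names[0]} does not use esp-aes-256")
    return {"migrated": not problems, "problems": problems, "leftovers": leftovers}


# Constructed sample: the state described in the thread before the change.
BEFORE = """\
crypto ipsec ikev1 transform-set VPNESP-3DES-SHA esp-3des esp-sha-hmac
crypto map myoutmap 1 match address VPN-ACL
crypto map myoutmap 1 set peer 198.51.100.2
crypto map myoutmap 1 set ikev1 transform-set VPNESP-3DES-SHA
crypto map myoutmap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Same device after applying the replies: new policy 5, new transform set, map amended.
AFTER = BEFORE.replace(
    "crypto map myoutmap 1 set ikev1 transform-set VPNESP-3DES-SHA",
    "crypto map myoutmap 1 set ikev1 transform-set AES-TSET VPNESP-3DES-SHA",
) + """\
crypto ipsec ikev1 transform-set AES-TSET esp-aes-256 esp-sha-hmac
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 36000
"""

# Common mistake: the new policy numbered above the old one, so 3DES still wins.
WRONG_ORDER = AFTER.replace("crypto ikev1 policy 5", "crypto ikev1 policy 20")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER), ("wrong order", WRONG_ORDER)):
        print(label, audit(cfg))
```

Run it against the output of `show running-config crypto` from each ASA; only when both report `migrated: True` should the SAs be cleared, and the `leftovers` list is what to remove afterwards (the 3DES policy first, then the transform set once no crypto map entry references it).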

I will log in to the remote-site firewall from the local site through the VPN link. If I just change the crypto map, is there any risk that my session will be terminated and I cannot fall back?

I wouldn't risk making these changes to the VPN over the VPN tunnel. I'd make sure you can access the remote ASA via SSH or ASDM on its external interface. That way, if there is an issue with the VPN tunnel and the tunnel is down, you can still access the remote ASA and troubleshoot.