asked on Cisco 2821 and 1841 encr aes 256
Hi,
Righ now, I have 3 sites connected using cisco hardware (837, 1841 and 2821).All of them using ipsed 3des tunnels like a triangle, 3 sites.
The side built using 1841 and 2821 should be changed from 3des to aes but this is the config:
This is used by all the crypto config, and then the specific config for each site
As far as I knowm this entry must be changed to "encr aes 256", but If I do this, 3des sites does not work.
Any idea?
regards
Righ now, I have 3 sites connected using cisco hardware (837, 1841 and 2821).All of them using ipsed 3des tunnels like a triangle, 3 sites.
The side built using 1841 and 2821 should be changed from 3des to aes but this is the config:
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 28800
This is used by all the crypto config, and then the specific config for each site
As far as I knowm this entry must be changed to "encr aes 256", but If I do this, 3des sites does not work.
Any idea?
regards
RoutersVPNNetworking
Last Comment
TimotiSt
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
If you want to use AES for phase 2 then create another transform set, for example:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
and use this in the crypto map for the AES site to site tunnels.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
and use this in the crypto map for the AES site to site tunnels.
ASKER
A++
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
Hi again,
According to this text/link
http://www.cs.wustl.edu/~jain/cse567-06/ftp/encryption_perf/index.html
I´m looking for a stronger encryption algorithm than 3des and also fast and with less CPU workload.
Is this algorithm aes 128,196,256,BF? or what?
regards
According to this text/link
http://www.cs.wustl.edu/~jain/cse567-06/ftp/encryption_perf/index.html
I´m looking for a stronger encryption algorithm than 3des and also fast and with less CPU workload.
Is this algorithm aes 128,196,256,BF? or what?
regards
Depends on your usage and security needs. AES128 is a lot better than 3des, while eating less CPU than AES256. BF is also nice, but a lot less standard.
Tamas
Tamas
ASKER
Hi,
And aes128 security?
Any doc to compare aes versions? A newer docu about this ?
Regards
And aes128 security?
Any doc to compare aes versions? A newer docu about this ?
Regards
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
You can find 1000s of pages on comparisons of the AES variants.
AES128 is used by most financial institutions to protect their on-line presence, including PayPal, eBay, all the banks I have accounts with in Hungary and Ireland, etc.
It's your decision if that is good enough for you, or you want super-military-grade encryption, like AES512 with DH group 14.
You can always get better (if your software/hardware supports it), but you pay for it in speed.
Tamas
AES128 is used by most financial institutions to protect their on-line presence, including PayPal, eBay, all the banks I have accounts with in Hungary and Ireland, etc.
It's your decision if that is good enough for you, or you want super-military-grade encryption, like AES512 with DH group 14.
You can always get better (if your software/hardware supports it), but you pay for it in speed.
Tamas
then, I understand the following:
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 28800
And, with this new config and making some new changes at crypto ipsec transform-set point, doesn´t it?