[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 783
  • Last Modified:

Cisco 2821 and 1841 encr aes 256

Hi,


Righ now, I have 3 sites connected using cisco hardware (837, 1841 and 2821).All of them using ipsed 3des tunnels like a triangle, 3 sites.

The side built using 1841 and 2821 should be changed from 3des to aes but this is the config:

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

Open in new window


This is used by all the crypto config, and then the specific config for each site

As far as I knowm this entry must be changed to "encr aes 256", but If I do this, 3des sites does not work.

Any idea?

regards
0
heze54
Asked:
heze54
  • 4
  • 2
  • 2
1 Solution
 
FrabbleCommented:
You can have multiple IKE policies, the number being the priority and the order that the policies are presented when devices negotiate to find a common policy.

For example, you could configure:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 28800

This will be tried first and used for the aes sites, but drop down to the next policy (the one you currently have) for the the 3des sites.
0
 
heze54Author Commented:
Hi,

 then, I understand the following:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800


And, with this new config and making some new changes at crypto ipsec transform-set point, doesn´t it?
0
 
FrabbleCommented:
If you want to use AES for phase 2 then create another transform set, for example:
crypto  ipsec  transform-set  ESP-AES-256-SHA  esp-aes 256  esp-sha-hmac
and use this in the crypto map for the AES site to site tunnels.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
heze54Author Commented:
A++
0
 
heze54Author Commented:
Hi again,

According to this text/link

http://www.cs.wustl.edu/~jain/cse567-06/ftp/encryption_perf/index.html

I´m looking for a  stronger encryption algorithm than 3des and also fast and with less CPU workload.

Is this algorithm aes 128,196,256,BF? or what?

regards
0
 
TimotiStDatacenter TechnicianCommented:
Depends on your usage and security needs. AES128 is a lot better than 3des, while eating less CPU than AES256. BF is also nice, but a lot less standard.

Tamas
0
 
heze54Author Commented:
Hi,

And aes128 security?
Any doc to compare aes versions? A newer docu about this ?

Regards
0
 
TimotiStDatacenter TechnicianCommented:
You can find 1000s of pages on comparisons of the AES variants.

AES128 is used by most financial institutions to protect their on-line presence, including PayPal, eBay, all the banks I have accounts with in Hungary and Ireland, etc.

It's your decision if that is good enough for you, or you want super-military-grade encryption, like AES512 with DH group 14.

You can always get better (if your software/hardware supports it), but you pay for it in speed.

Tamas
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now