Solved

Cisco  2821 and 1841 encr aes 256

Posted on 2013-01-05
8
755 Views
Last Modified: 2013-01-07
Hi,


Righ now, I have 3 sites connected using cisco hardware (837, 1841 and 2821).All of them using ipsed 3des tunnels like a triangle, 3 sites.

The side built using 1841 and 2821 should be changed from 3des to aes but this is the config:

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800

Open in new window


This is used by all the crypto config, and then the specific config for each site

As far as I knowm this entry must be changed to "encr aes 256", but If I do this, 3des sites does not work.

Any idea?

regards
0
Comment
Question by:heze54
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
8 Comments
 
LVL 15

Accepted Solution

by:
Frabble earned 500 total points
ID: 38746796
You can have multiple IKE policies, the number being the priority and the order that the policies are presented when devices negotiate to find a common policy.

For example, you could configure:
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 28800

This will be tried first and used for the aes sites, but drop down to the next policy (the one you currently have) for the the 3des sites.
0
 

Author Comment

by:heze54
ID: 38747082
Hi,

 then, I understand the following:

crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800


And, with this new config and making some new changes at crypto ipsec transform-set point, doesn´t it?
0
 
LVL 15

Expert Comment

by:Frabble
ID: 38747420
If you want to use AES for phase 2 then create another transform set, for example:
crypto  ipsec  transform-set  ESP-AES-256-SHA  esp-aes 256  esp-sha-hmac
and use this in the crypto map for the AES site to site tunnels.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Closing Comment

by:heze54
ID: 38750234
A++
0
 

Author Comment

by:heze54
ID: 38750242
Hi again,

According to this text/link

http://www.cs.wustl.edu/~jain/cse567-06/ftp/encryption_perf/index.html

I´m looking for a  stronger encryption algorithm than 3des and also fast and with less CPU workload.

Is this algorithm aes 128,196,256,BF? or what?

regards
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38751349
Depends on your usage and security needs. AES128 is a lot better than 3des, while eating less CPU than AES256. BF is also nice, but a lot less standard.

Tamas
0
 

Author Comment

by:heze54
ID: 38752326
Hi,

And aes128 security?
Any doc to compare aes versions? A newer docu about this ?

Regards
0
 
LVL 17

Expert Comment

by:TimotiSt
ID: 38752630
You can find 1000s of pages on comparisons of the AES variants.

AES128 is used by most financial institutions to protect their on-line presence, including PayPal, eBay, all the banks I have accounts with in Hungary and Ireland, etc.

It's your decision if that is good enough for you, or you want super-military-grade encryption, like AES512 with DH group 14.

You can always get better (if your software/hardware supports it), but you pay for it in speed.

Tamas
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Determine Network Portion and Host portion of  IPV6 IP 8 67
Weird Happening at my office with windows machines/network 16 83
VPN Exposure 19 39
Wannacry 44 101
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question