You can also see that 3DES is being used for encryption. I guess IOS uses 3DES and SHA for encryption and authentication, which can't be changed.
With regards
Kings

On Wed, Jun 8, 2011 at 10:55 PM, Mark Senteza <[email protected]> wrote:
> Hey all,
>
> Thanks for the feedback on previous show crypto outputs. I have been
> configuring GETVPN and studying the show crypto outputs and as usual it's
> thrown up a couple of things that I need to ask.
>
> The basic layout of my GETVPN network is:
>
> R1 (KS) -----------------inside--ASA--outside-----------------------------R3---------------------------R2
>
> R2 and R3 are the GETVPN Group Members.
>
> Config on the KS is as follows:
>
> ip access-list ext GETVPN-TRAFFIC
>  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>
> crypto key generate rsa general-key modulus 1024 label GETVPN export
>
> crypto isakmp policy 23
>  auth pre
>  encr 3des
>  hash md5
>
> crypto isakmp key CISCO address 0.0.0.0
>
> crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
>
> crypto ipsec profile GETVPN-IPSECPROF
>  set transform-set 3DESMD5
>
> crypto gdoi group GETVPN123
>  identity number 123
>  server local
>   rekey lifetime seconds 300
>   rekey retransmit 10 number 2
>   rekey authentication mypubkey rsa GETVPN
>   rekey transport unicast
>   sa ipsec 123
>    profile GETVPN-IPSECPROF
>    match address ipv4 GETVPN-TRAFFIC
>    replay counter window-size 64
>   address ipv4 1.1.1.1
>
> crypto map GDOI local-address Loopback0
> crypto map GDOI 10 gdoi
>  set group GETVPN123
>
> interface FastEthernet0/0.10
>  ip address 10.100.10.1 255.255.255.0
>  crypto map GDOI
>
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.0
>
> Show crypto output from Router R2
>
> CCIELAB-ROUTER-R2#show crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst             src             state          conn-id slot status
> 1.1.1.1         2.2.2.2         GDOI_IDLE         1011    0 ACTIVE
> 2.2.2.2         1.1.1.1         GDOI_REKEY        1014    0 ACTIVE
> 2.2.2.2         1.1.1.1         GDOI_REKEY        1013    0 ACTIVE
>
> CCIELAB-ROUTER-R2#show crypto gdoi
> GROUP INFORMATION
>
>     Group Name               : GETVPN123
>     Group Identity           : 123
>     Rekeys received          : 8
>     IPSec SA Direction       : Both
>     Active Group Server      : 1.1.1.1
>     Group Server list        : 1.1.1.1
>
>     GM Reregisters in        : 3385 secs
>     Rekey Received(hh:mm:ss) : 00:02:29
>
>     Rekeys received
>          Cumulative          : 8
>          After registration  : 2
>     Rekey Acks sent          : 8
>
> ACL Downloaded From KS 1.1.1.1:
>    access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>
> KEK POLICY:
>     Rekey Transport Type     : Unicast
>     Lifetime (secs)          : 300
>     Encrypt Algorithm        : 3DES
>     Key Size                 : 192
>     *Sig Hash Algorithm       : HMAC_AUTH_SHA*
>     Sig Key Length (bits)    : 1024
>
> TEK POLICY:
>   FastEthernet0/0.23:
>     IPsec SA:
>         sa direction:inbound
>         spi: 0xC14AA712(3242895122)
>         transform: esp-3des esp-md5-hmac
>         sa timing:remaining key lifetime (sec): (1441)
>         Anti-Replay : Disabled
>
>     IPsec SA:
>         sa direction:outbound
>         spi: 0xC14AA712(3242895122)
>         transform: esp-3des esp-md5-hmac
>         sa timing:remaining key lifetime (sec): (1441)
>         Anti-Replay : Disabled
>
> In the above "show crypto gdoi" output from the group member, why is it
> that under the KEK POLICY, the Sig Hash Algorithm is showing "HMAC_AUTH_SHA"?
> I don't have SHA configured anywhere. In my ISAKMP and IPsec policies I
> configured MD5. Has the SHA got anything to do with the crypto key I
> generated with the label "GETVPN", or has it got something to do with the
> "crypto gdoi group" configuration? Or both?
>
> I also see reference to SHA when I run "show crypto engine connection
> active" on both the GM and KS. I don't have any other ISAKMP policies
> configured on either router, so I'm confused about where the SHA is coming
> from.
>
> CCIELAB-ROUTER-R2#show crypto engin conn active
> Crypto Engine Connections
>
>    ID Type    Algorithm           Encrypt  Decrypt IP-Address
>  1011 IKE     MD5+3DES                  0        0 2.2.2.2
>  1015 IKE     SHA+3DES                  0        0
>  1016 IKE     SHA+3DES                  0        0
>  2027 IPsec   3DES+MD5                  0        5 192.168.0.0
>  2028 IPsec   3DES+MD5                  5        0 192.168.0.0
>  2029 IPsec   3DES+MD5                  0        0 0.0.0.0
>  2030 IPsec   3DES+MD5                  0        0 0.0.0.0
>  2031 IPsec   3DES+MD5                  0        0 192.168.0.0
>  2032 IPsec   3DES+MD5                  0        0 192.168.0.0
>  2033 IPsec   3DES+MD5                  0        0 192.168.0.0
>  2034 IPsec   3DES+MD5                  0        0 192.168.0.0
>  2035 IPsec   3DES+MD5                  0        0 0.0.0.0
>  2036 IPsec   3DES+MD5                  0        0 0.0.0.0
>  2037 IPsec   3DES+MD5                  0        0 192.168.0.0
>  2038 IPsec   3DES+MD5                  0        0 192.168.0.0
>  2055 IPsec   3DES+MD5                  0        0 192.168.0.0
>  2056 IPsec   3DES+MD5                  0        0 192.168.0.0
>
> CCIELAB-ROUTER-R1#show crypto engin conn active
> Crypto Engine Connections
>
>    ID Type    Algorithm           Encrypt  Decrypt IP-Address
>  1010 IKE     MD5+3DES                  0        0 1.1.1.1
>  1011 IKE     MD5+3DES                  0        0 1.1.1.1
>  1015 IKE     SHA+3DES                  0        0
>
> And "show crypto ipsec sa" from the GM router R2:
>
>    local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>    remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>    current_peer 0.0.0.0 port 848
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
>     #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
>     #pkts compressed: 0, #pkts decompressed: 0
>     #pkts not compressed: 0, #pkts compr. failed: 0
>     #pkts not decompressed: 0, #pkts decompress failed: 0
>     #send errors 0, #recv errors 0
>
>      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 0.0.0.0
>      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.23
>      current outbound spi: 0xC14AA712(3242895122)
>
>      inbound esp sas:
>       spi: 0xC14AA712(3242895122)
>         transform: *esp-3des esp-md5-hmac* ,
>         in use settings ={Tunnel, }
>         *conn id: 2027*, flow_id: NETGX:27, crypto map: GDOI
>         sa timing: remaining key lifetime (sec): (176)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>       spi: 0x5100880C(1358989324)
>         transform: esp-3des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 2033, flow_id: NETGX:33, crypto map: GDOI
>         sa timing: remaining key lifetime (sec): (1811)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>       spi: 0x895F95E(144046430)
>         transform: esp-3des esp-md5-hmac ,
>         in use settings ={Tunnel, }
>         conn id: 2055, flow_id: NETGX:55, crypto map: GDOI
>         sa timing: remaining key lifetime (sec): (2184)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
>      outbound esp sas:
>       spi: 0xC14AA712(3242895122)
>         transform: *esp-3des esp-md5-hmac* ,
>         in use settings ={Tunnel, }
>         *conn id: 2028*, flow_id: NETGX:28, crypto map: GDOI
>         sa timing: remaining key lifetime (sec): (176)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>       spi: 0x5100880C(1358989324)
>         transform: *esp-3des esp-md5-hmac* ,
>         in use settings ={Tunnel, }
>         *conn id: 2034*, flow_id: NETGX:34, crypto map: GDOI
>         sa timing: remaining key lifetime (sec): (1811)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>       spi: 0x895F95E(144046430)
>         transform: *esp-3des esp-md5-hmac* ,
>         in use settings ={Tunnel, }
>         *conn id: 2056*, flow_id: NETGX:56, crypto map: GDOI
>         sa timing: remaining key lifetime (sec): (2184)
>         IV size: 8 bytes
>         replay detection support: Y
>         Status: ACTIVE
>
> Appreciate any ideas on this
>
> Thanks
>
> Mark
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
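An added example, not part of this thread or of anyone's router config: a small Python checker that splits a group member's "show crypto gdoi" output into the KEK policy and the TEK IPsec SAs, then compares each field with what the operator expects from the KS configuration. The sample output is constructed from the output Mark quoted; run with the MD5 expectation taken from his ISAKMP policy and transform set, it reports exactly one mismatch, the KEK Sig Hash Algorithm, which is a quick way to see that the rekey (KEK) policy is reported separately from the IKE and IPsec policies.

```python
import re
# Constructed sample, abridged from the group member's "show crypto gdoi" output quoted in the thread.
SHOW_GDOI = """\
GROUP INFORMATION
    Group Name               : GETVPN123
KEK POLICY:
    Encrypt Algorithm        : 3DES
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024
TEK POLICY:
  FastEthernet0/0.23:
    IPsec SA:
        sa direction:inbound
        spi: 0xC14AA712(3242895122)
        transform: esp-3des esp-md5-hmac
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0xC14AA712(3242895122)
        transform: esp-3des esp-md5-hmac
        Anti-Replay : Disabled
"""

KV = re.compile(r"([^:]+?)\s*:\s*(.+)")  # matches both "Key : value" and "key:value" lines

def parse_show_gdoi(text):
    """Return the KEK policy as one dict and each TEK IPsec SA as its own dict."""
    kek, teks, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line in ("KEK POLICY:", "TEK POLICY:"):
            section = line[:3]                      # "KEK" or "TEK"
        elif section == "TEK" and line == "IPsec SA:":
            teks.append({})                         # each "IPsec SA:" header opens a new record
        elif section and (m := KV.match(line)):
            target = kek if section == "KEK" else (teks[-1] if teks else None)
            if target is not None:
                target[m.group(1).strip()] = m.group(2).strip()
    return {"KEK": kek, "TEK": teks}

def audit(parsed, expect_kek, expect_tek):
    """List every policy field whose reported value does not contain the expected token."""
    records = [("KEK", parsed["KEK"])] + [(f"TEK SA {i}", sa) for i, sa in enumerate(parsed["TEK"])]
    findings = []
    for name, rec in records:
        for field, want in (expect_kek if name == "KEK" else expect_tek).items():
            got = rec.get(field, "")
            if want.upper() not in got.upper():     # "HMAC_AUTH_SHA" contains "SHA" but not "MD5"
                findings.append(f"{name} {field}: reported {got!r}, expected {want!r}")
    return findings
```

Calling `audit(parse_show_gdoi(SHOW_GDOI), {"Encrypt Algorithm": "3DES", "Sig Hash Algorithm": "MD5"}, {"transform": "esp-3des esp-md5-hmac"})` returns only the KEK Sig Hash Algorithm finding; the TEK transforms match the configured transform set.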
