Encryption is configurable via the following command in GETVPN KS config: rekey algorithm aes 128
The auth algorithm is not configurable.

Regards,
Piotr

2011/6/9 Kingsley Charles <[email protected]>

> You can also see that 3DES is being used for encryption. I guess IOS uses
> 3DES and SHA for encryption and authentication, which can't be changed.
>
> With regards
> Kings
>
> On Wed, Jun 8, 2011 at 10:55 PM, Mark Senteza <[email protected]> wrote:
>
>> Hey all,
>>
>> Thanks for the feedback on previous show crypto outputs. I have been
>> configuring GETVPN and studying the show crypto outputs and, as usual, it's
>> thrown up a couple of things that I need to ask about.
>>
>> The basic layout of my GETVPN network is:
>>
>> R1 (KS) -----------inside--ASA--outside-----------R3-----------R2
>>
>> R2 and R3 are the GETVPN group members.
>>
>> Config on the KS is as follows:
>>
>> ip access-list ext GETVPN-TRAFFIC
>>  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>
>> crypto key generate rsa general-key modulus 1024 label GETVPN export
>>
>> crypto isakmp policy 23
>>  auth pre
>>  encr 3des
>>  hash md5
>>
>> crypto isakmp key CISCO address 0.0.0.0
>>
>> crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
>>
>> crypto ipsec profile GETVPN-IPSECPROF
>>  set transform-set 3DESMD5
>>
>> crypto gdoi group GETVPN123
>>  identity number 123
>>  server local
>>   rekey lifetime seconds 300
>>   rekey retransmit 10 number 2
>>   rekey authentication mypubkey rsa GETVPN
>>   rekey transport unicast
>>   sa ipsec 123
>>    profile GETVPN-IPSECPROF
>>    match address ipv4 GETVPN-TRAFFIC
>>    replay counter window-size 64
>>   address ipv4 1.1.1.1
>>
>> crypto map GDOI local-address Loopback0
>> crypto map GDOI 10 gdoi
>>  set group GETVPN123
>>
>> interface FastEthernet0/0.10
>>  ip address 10.100.10.1 255.255.255.0
>>  crypto map GDOI
>>
>> interface Loopback0
>>  ip address 1.1.1.1 255.255.255.0
>>
>>
>> Show crypto output from router R2
>>
>> CCIELAB-ROUTER-R2#show crypto isakmp sa
>> IPv4 Crypto ISAKMP SA
>> dst             src             state          conn-id slot status
>> 1.1.1.1         2.2.2.2         GDOI_IDLE         1011    0 ACTIVE
>> 2.2.2.2         1.1.1.1         GDOI_REKEY        1014    0 ACTIVE
>> 2.2.2.2         1.1.1.1         GDOI_REKEY        1013    0 ACTIVE
>>
>>
>> CCIELAB-ROUTER-R2#show crypto gdoi
>> GROUP INFORMATION
>>
>>     Group Name               : GETVPN123
>>     Group Identity           : 123
>>     Rekeys received          : 8
>>     IPSec SA Direction       : Both
>>     Active Group Server      : 1.1.1.1
>>     Group Server list        : 1.1.1.1
>>
>>     GM Reregisters in        : 3385 secs
>>     Rekey Received(hh:mm:ss) : 00:02:29
>>
>>     Rekeys received
>>          Cumulative          : 8
>>          After registration  : 2
>>     Rekey Acks sent          : 8
>>
>>  ACL Downloaded From KS 1.1.1.1:
>>    access-list  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>
>> KEK POLICY:
>>     Rekey Transport Type     : Unicast
>>     Lifetime (secs)          : 300
>>     Encrypt Algorithm        : 3DES
>>     Key Size                 : 192
>>     *Sig Hash Algorithm       : HMAC_AUTH_SHA*
>>     Sig Key Length (bits)    : 1024
>>
>> TEK POLICY:
>>   FastEthernet0/0.23:
>>     IPsec SA:
>>         sa direction:inbound
>>         spi: 0xC14AA712(3242895122)
>>         transform: esp-3des esp-md5-hmac
>>         sa timing:remaining key lifetime (sec): (1441)
>>         Anti-Replay : Disabled
>>
>>     IPsec SA:
>>         sa direction:outbound
>>         spi: 0xC14AA712(3242895122)
>>         transform: esp-3des esp-md5-hmac
>>         sa timing:remaining key lifetime (sec): (1441)
>>         Anti-Replay : Disabled
>>
>>
>> In the above "show crypto gdoi" output from the group member, why is it
>> that under the KEK POLICY the Sig Hash Algorithm is showing "HMAC_AUTH_SHA"?
>> I don't have SHA configured anywhere. In my ISAKMP and IPsec policies I
>> configured MD5. Has the SHA got anything to do with the crypto key I
>> generated with the label "GETVPN", or has it got something to do with the
>> "crypto gdoi group" configuration? Or both?
>>
>> I also see reference to SHA when I run "show crypto engine connection
>> active" on both the GM and KS. I don't have any other ISAKMP policies
>> configured on either router, so I'm confused about where the SHA is coming
>> from.
>>
>> CCIELAB-ROUTER-R2#show crypto engin conn active
>> Crypto Engine Connections
>>
>>    ID  Type    Algorithm   Encrypt  Decrypt  IP-Address
>>  1011  IKE     MD5+3DES          0        0  2.2.2.2
>>  1015  IKE     SHA+3DES          0        0
>>  1016  IKE     SHA+3DES          0        0
>>  2027  IPsec   3DES+MD5          0        5  192.168.0.0
>>  2028  IPsec   3DES+MD5          5        0  192.168.0.0
>>  2029  IPsec   3DES+MD5          0        0  0.0.0.0
>>  2030  IPsec   3DES+MD5          0        0  0.0.0.0
>>  2031  IPsec   3DES+MD5          0        0  192.168.0.0
>>  2032  IPsec   3DES+MD5          0        0  192.168.0.0
>>  2033  IPsec   3DES+MD5          0        0  192.168.0.0
>>  2034  IPsec   3DES+MD5          0        0  192.168.0.0
>>  2035  IPsec   3DES+MD5          0        0  0.0.0.0
>>  2036  IPsec   3DES+MD5          0        0  0.0.0.0
>>  2037  IPsec   3DES+MD5          0        0  192.168.0.0
>>  2038  IPsec   3DES+MD5          0        0  192.168.0.0
>>  2055  IPsec   3DES+MD5          0        0  192.168.0.0
>>  2056  IPsec   3DES+MD5          0        0  192.168.0.0
>>
>>
>> CCIELAB-ROUTER-R1#show crypto engin conn active
>> Crypto Engine Connections
>>
>>    ID  Type    Algorithm   Encrypt  Decrypt  IP-Address
>>  1010  IKE     MD5+3DES          0        0  1.1.1.1
>>  1011  IKE     MD5+3DES          0        0  1.1.1.1
>>  1015  IKE     SHA+3DES          0        0
>>
>>
>> And "show crypto ipsec sa" from the GM router R2:
>>
>>    local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>>    remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>>    current_peer 0.0.0.0 port 848
>>      PERMIT, flags={origin_is_acl,}
>>     #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
>>     #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
>>     #pkts compressed: 0, #pkts decompressed: 0
>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>     #send errors 0, #recv errors 0
>>
>>     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 0.0.0.0
>>     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.23
>>     current outbound spi: 0xC14AA712(3242895122)
>>
>>     inbound esp sas:
>>      spi: 0xC14AA712(3242895122)
>>        transform: *esp-3des esp-md5-hmac*,
>>        in use settings ={Tunnel, }
>>        *conn id: 2027*, flow_id: NETGX:27, crypto map: GDOI
>>        sa timing: remaining key lifetime (sec): (176)
>>        IV size: 8 bytes
>>        replay detection support: Y
>>        Status: ACTIVE
>>      spi: 0x5100880C(1358989324)
>>        transform: esp-3des esp-md5-hmac,
>>        in use settings ={Tunnel, }
>>        conn id: 2033, flow_id: NETGX:33, crypto map: GDOI
>>        sa timing: remaining key lifetime (sec): (1811)
>>        IV size: 8 bytes
>>        replay detection support: Y
>>        Status: ACTIVE
>>      spi: 0x895F95E(144046430)
>>        transform: esp-3des esp-md5-hmac,
>>        in use settings ={Tunnel, }
>>        conn id: 2055, flow_id: NETGX:55, crypto map: GDOI
>>        sa timing: remaining key lifetime (sec): (2184)
>>        IV size: 8 bytes
>>        replay detection support: Y
>>        Status: ACTIVE
>>
>>     outbound esp sas:
>>      spi: 0xC14AA712(3242895122)
>>        transform: *esp-3des esp-md5-hmac*,
>>        in use settings ={Tunnel, }
>>        *conn id: 2028*, flow_id: NETGX:28, crypto map: GDOI
>>        sa timing: remaining key lifetime (sec): (176)
>>        IV size: 8 bytes
>>        replay detection support: Y
>>        Status: ACTIVE
>>      spi: 0x5100880C(1358989324)
>>        transform: *esp-3des esp-md5-hmac*,
>>        in use settings ={Tunnel, }
>>        *conn id: 2034*, flow_id: NETGX:34, crypto map: GDOI
>>        sa timing: remaining key lifetime (sec): (1811)
>>        IV size: 8 bytes
>>        replay detection support: Y
>>        Status: ACTIVE
>>      spi: 0x895F95E(144046430)
>>        transform: *esp-3des esp-md5-hmac*,
>>        in use settings ={Tunnel, }
>>        *conn id: 2056*, flow_id: NETGX:56, crypto map: GDOI
>>        sa timing: remaining key lifetime (sec): (2184)
>>        IV size: 8 bytes
>>        replay detection support: Y
>>        Status: ACTIVE
>>
>>
>> Appreciate any ideas on this.
>>
>> Thanks
>>
>> Mark
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
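The thread above shows the pattern a GETVPN audit has to catch: the KEK (rekey) policy the KS pushes is separate from the ISAKMP policy and the IPsec transform set, so a GM can be running 3DES/SHA for rekeys while the operator only ever typed 3DES/MD5, and the only evidence is in `show crypto gdoi`. The following script is an added example for this thread, not code from the original posts or from Cisco. It parses the KEK POLICY and TEK POLICY sections of that output (the sample is reconstructed from R2's output posted above) and flags the weak settings. The weak-algorithm list, the 2048-bit minimum for the rekey-signing key, and the remediation text (`rekey algorithm aes 128` from the reply above, `esp-aes esp-sha-hmac` for the transform set) are this example's own assumptions, not values read from the device.

```python
"""Audit the KEK and TEK policy a GETVPN group member reports in `show crypto gdoi`.

Added example for this thread, not code from the original posts or from Cisco.
The sample output is reconstructed from the GM output posted above; the weak
algorithm list and remediation strings are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the KEK/TEK part of R2's `show crypto gdoi` from the thread.
SAMPLE_SHOW_CRYPTO_GDOI = """\
GROUP INFORMATION

    Group Name               : GETVPN123
    Group Identity           : 123
    Active Group Server      : 1.1.1.1

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 300
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY:
  FastEthernet0/0.23:
    IPsec SA:
        sa direction:inbound
        spi: 0xC14AA712(3242895122)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1441)
        Anti-Replay : Disabled

    IPsec SA:
        sa direction:outbound
        spi: 0xC14AA712(3242895122)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1441)
        Anti-Replay : Disabled
"""

# Thresholds assumed by this example (not IOS defaults): 3DES/DES and MD5 are
# deprecated for IPsec, and a rekey-signing RSA key should be at least 2048 bits.
WEAK_KEK_ENCRYPTION = {"3DES", "DES"}
WEAK_ESP_TRANSFORMS = {"esp-3des", "esp-des", "esp-md5-hmac"}
MIN_SIG_KEY_BITS = 2048

KV_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<value>.+?)\s*$")
TRANSFORM_RE = re.compile(r"transform:\s*(?P<set>esp-\S+(?:\s+esp-\S+)*)")


@dataclass
class GdoiPolicy:
    kek: dict = field(default_factory=dict)      # KEK POLICY key/value pairs
    tek_sas: list = field(default_factory=list)  # one dict per "IPsec SA:" block


def parse_show_crypto_gdoi(text: str) -> GdoiPolicy:
    """Pull the KEK policy and each TEK SA's direction, transform and anti-replay state."""
    policy = GdoiPolicy()
    section = None
    sa = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "KEK POLICY:":
            section = "kek"
            continue
        if line == "TEK POLICY:":
            section = "tek"
            continue
        if section == "kek":
            m = KV_RE.match(line)
            if m:
                policy.kek[m.group("key")] = m.group("value")
        elif section == "tek":
            if line == "IPsec SA:":
                sa = {"direction": None, "transform": None, "anti_replay": None}
                policy.tek_sas.append(sa)
            elif sa is not None:  # lines before the first SA are interface headers
                t = TRANSFORM_RE.search(line)
                m = KV_RE.match(line)
                if t:
                    sa["transform"] = t.group("set")
                elif m and m.group("key") == "sa direction":
                    sa["direction"] = m.group("value")
                elif m and m.group("key") == "Anti-Replay":
                    sa["anti_replay"] = m.group("value")
    return policy


def audit(policy: GdoiPolicy) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing to flag."""
    findings = []
    enc = policy.kek.get("Encrypt Algorithm", "").upper()
    if enc in WEAK_KEK_ENCRYPTION:
        findings.append(f"KEK rekey encryption is {enc}; set 'rekey algorithm aes 128' "
                        "under 'server local' on the key server")
    sig_bits = policy.kek.get("Sig Key Length (bits)", "0")
    if sig_bits.isdigit() and int(sig_bits) < MIN_SIG_KEY_BITS:
        findings.append(f"rekey signing key is {sig_bits} bits; regenerate the labelled "
                        f"RSA key with modulus {MIN_SIG_KEY_BITS} or larger")
    for i, sa in enumerate(policy.tek_sas):
        transforms = set((sa["transform"] or "").lower().split())
        for weak in sorted(transforms & WEAK_ESP_TRANSFORMS):
            findings.append(f"TEK SA {i} ({sa['direction']}) uses {weak}; "
                            "move the transform set to esp-aes esp-sha-hmac")
        if (sa["anti_replay"] or "").lower() == "disabled":
            findings.append(f"TEK SA {i} ({sa['direction']}) reports anti-replay disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_crypto_gdoi(SAMPLE_SHOW_CRYPTO_GDOI)):
        print("FINDING:", finding)
```

Run it against the pasted output and it reports the 3DES KEK, the 1024-bit signing key, the 3DES/MD5 transform on both TEK SAs, and that the GM shows anti-replay disabled on each SA even though `replay counter window-size 64` is in the KS config; that last item is worth chasing on the device rather than assuming the counter-based window is in effect. Feed it the output of a GM after the fix and it should return nothing.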
