Thanks Piotr. Somewhere it was hitting my mind that there is a command to change the encryption algorithm, but it didn't strike me.
With regards
Kings

On Thu, Jun 9, 2011 at 11:40 AM, Piotr Matusiak <[email protected]> wrote:

> Encryption is configurable via the following command in GETVPN KS config:
>
> rekey algorithm aes 128
>
> The auth algorithm is not configurable.
>
> Regards,
> Piotr
>
>
> 2011/6/9 Kingsley Charles <[email protected]>
>
>> You can also see that 3DES is being used for encryption. I guess IOS uses
>> 3DES and SHA for encryption and authentication, which can't be changed.
>>
>>
>> With regards
>> Kings
>>
>> On Wed, Jun 8, 2011 at 10:55 PM, Mark Senteza <[email protected]> wrote:
>>
>>> Hey all,
>>>
>>> Thanks for the feedback on previous show crypto outputs. I have been
>>> configuring GETVPN and studying the show crypto outputs and as usual it's
>>> thrown up a couple of things that I need to ask.
>>>
>>> The basic layout of my GETVPN network is:
>>>
>>> R1 (KS)-----------------inside--ASA--outside-----------------------------R3---------------------------R2
>>>
>>> R2 and R3 are the GETVPN Group Members.
>>>
>>> Config on the KS is as follows:
>>>
>>> ip access-list ext GETVPN-TRAFFIC
>>>  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>>
>>> crypto key generate rsa general-key modulus 1024 label GETVPN export
>>>
>>> crypto isakmp policy 23
>>>  auth pre
>>>  encr 3des
>>>  hash md5
>>>
>>> crypto isakmp key CISCO address 0.0.0.0
>>>
>>> crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
>>>
>>> crypto ipsec profile GETVPN-IPSECPROF
>>>  set transform-set 3DESMD5
>>>
>>> crypto gdoi group GETVPN123
>>>  identity number 123
>>>  server local
>>>   rekey lifetime seconds 300
>>>   rekey retransmit 10 number 2
>>>   rekey authentication mypubkey rsa GETVPN
>>>   rekey transport unicast
>>>   sa ipsec 123
>>>    profile GETVPN-IPSECPROF
>>>    match address ipv4 GETVPN-TRAFFIC
>>>    replay counter window-size 64
>>>   address ipv4 1.1.1.1
>>>
>>> crypto map GDOI local-address Loopback0
>>> crypto map GDOI 10 gdoi
>>>  set group GETVPN123
>>>
>>> interface FastEthernet0/0.10
>>>  ip address 10.100.10.1 255.255.255.0
>>>  crypto map GDOI
>>>
>>> interface Loopback0
>>>  ip address 1.1.1.1 255.255.255.0
>>>
>>>
>>> Show crypto output from Router R2
>>>
>>>
>>> CCIELAB-ROUTER-R2#show crypto isakmp sa
>>> IPv4 Crypto ISAKMP SA
>>> dst             src             state          conn-id slot status
>>> 1.1.1.1         2.2.2.2         GDOI_IDLE         1011    0 ACTIVE
>>> 2.2.2.2         1.1.1.1         GDOI_REKEY        1014    0 ACTIVE
>>> 2.2.2.2         1.1.1.1         GDOI_REKEY        1013    0 ACTIVE
>>>
>>>
>>> CCIELAB-ROUTER-R2#show crypto gdoi
>>> GROUP INFORMATION
>>>
>>>     Group Name               : GETVPN123
>>>     Group Identity           : 123
>>>     Rekeys received          : 8
>>>     IPSec SA Direction       : Both
>>>     Active Group Server      : 1.1.1.1
>>>     Group Server list        : 1.1.1.1
>>>
>>>     GM Reregisters in        : 3385 secs
>>>     Rekey Received(hh:mm:ss) : 00:02:29
>>>
>>>     Rekeys received
>>>          Cumulative          : 8
>>>          After registration  : 2
>>>     Rekey Acks sent          : 8
>>>
>>> ACL Downloaded From KS 1.1.1.1:
>>>   access-list permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>>
>>> KEK POLICY:
>>>     Rekey Transport Type     : Unicast
>>>     Lifetime (secs)          : 300
>>>     Encrypt Algorithm        : 3DES
>>>     Key Size                 : 192
>>>     *Sig Hash Algorithm       : HMAC_AUTH_SHA*
>>>     Sig Key Length (bits)    : 1024
>>>
>>> TEK POLICY:
>>>   FastEthernet0/0.23:
>>>     IPsec SA:
>>>         sa direction:inbound
>>>         spi: 0xC14AA712(3242895122)
>>>         transform: esp-3des esp-md5-hmac
>>>         sa timing:remaining key lifetime (sec): (1441)
>>>         Anti-Replay : Disabled
>>>
>>>     IPsec SA:
>>>         sa direction:outbound
>>>         spi: 0xC14AA712(3242895122)
>>>         transform: esp-3des esp-md5-hmac
>>>         sa timing:remaining key lifetime (sec): (1441)
>>>         Anti-Replay : Disabled
>>>
>>>
>>> In the above "show crypto gdoi" output from the group member, why is it
>>> that under the KEK POLICY the Sig Hash Algorithm is showing "HMAC_AUTH_SHA"?
>>> I don't have SHA configured anywhere. In my ISAKMP and IPsec policies I
>>> configured MD5. Has the SHA got anything to do with the crypto key I
>>> generated with the label "GETVPN", or has it got something to do with the
>>> "crypto gdoi group" configuration? Or both?
>>>
>>> I also see reference to SHA when I run the "show crypto engine connection
>>> active" on both the GM and KS. I don't have any other ISAKMP policies
>>> configured on either router, so I'm confused with where the SHA is coming
>>> from.
>>>
>>> CCIELAB-ROUTER-R2#show crypto engin conn active
>>> Crypto Engine Connections
>>>
>>>    ID  Type    Algorithm           Encrypt  Decrypt IP-Address
>>>  1011  IKE     MD5+3DES                  0        0 2.2.2.2
>>>  1015  IKE     SHA+3DES                  0        0
>>>  1016  IKE     SHA+3DES                  0        0
>>>  2027  IPsec   3DES+MD5                  0        5 192.168.0.0
>>>  2028  IPsec   3DES+MD5                  5        0 192.168.0.0
>>>  2029  IPsec   3DES+MD5                  0        0 0.0.0.0
>>>  2030  IPsec   3DES+MD5                  0        0 0.0.0.0
>>>  2031  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>  2032  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>  2033  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>  2034  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>  2035  IPsec   3DES+MD5                  0        0 0.0.0.0
>>>  2036  IPsec   3DES+MD5                  0        0 0.0.0.0
>>>  2037  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>  2038  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>  2055  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>  2056  IPsec   3DES+MD5                  0        0 192.168.0.0
>>>
>>>
>>> CCIELAB-ROUTER-R1#show crypto engin conn active
>>> Crypto Engine Connections
>>>
>>>    ID  Type    Algorithm           Encrypt  Decrypt IP-Address
>>>  1010  IKE     MD5+3DES                  0        0 1.1.1.1
>>>  1011  IKE     MD5+3DES                  0        0 1.1.1.1
>>>  1015  IKE     SHA+3DES                  0        0
>>>
>>>
>>> And "show crypto ipsec sa" from the GM router R2
>>>
>>>
>>>    local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>>>    remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>>>    current_peer 0.0.0.0 port 848
>>>      PERMIT, flags={origin_is_acl,}
>>>     #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
>>>     #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>     #send errors 0, #recv errors 0
>>>
>>>      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 0.0.0.0
>>>      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.23
>>>      current outbound spi: 0xC14AA712(3242895122)
>>>
>>>      inbound esp sas:
>>>       spi: 0xC14AA712(3242895122)
>>>         transform: *esp-3des esp-md5-hmac* ,
>>>         in use settings ={Tunnel, }
>>>         *conn id: 2027*, flow_id: NETGX:27, crypto map: GDOI
>>>         sa timing: remaining key lifetime (sec): (176)
>>>         IV size: 8 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>       spi: 0x5100880C(1358989324)
>>>         transform: esp-3des esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 2033, flow_id: NETGX:33, crypto map: GDOI
>>>         sa timing: remaining key lifetime (sec): (1811)
>>>         IV size: 8 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>       spi: 0x895F95E(144046430)
>>>         transform: esp-3des esp-md5-hmac ,
>>>         in use settings ={Tunnel, }
>>>         conn id: 2055, flow_id: NETGX:55, crypto map: GDOI
>>>         sa timing: remaining key lifetime (sec): (2184)
>>>         IV size: 8 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>      outbound esp sas:
>>>       spi: 0xC14AA712(3242895122)
>>>         transform: *esp-3des esp-md5-hmac* ,
>>>         in use settings ={Tunnel, }
>>>         *conn id: 2028*, flow_id: NETGX:28, crypto map: GDOI
>>>         sa timing: remaining key lifetime (sec): (176)
>>>         IV size: 8 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>       spi: 0x5100880C(1358989324)
>>>         transform: *esp-3des esp-md5-hmac* ,
>>>         in use settings ={Tunnel, }
>>>         *conn id: 2034*, flow_id: NETGX:34, crypto map: GDOI
>>>         sa timing: remaining key lifetime (sec): (1811)
>>>         IV size: 8 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>       spi: 0x895F95E(144046430)
>>>         transform: *esp-3des esp-md5-hmac* ,
>>>         in use settings ={Tunnel, }
>>>         *conn id: 2056*, flow_id: NETGX:56, crypto map: GDOI
>>>         sa timing: remaining key lifetime (sec): (2184)
>>>         IV size: 8 bytes
>>>         replay detection support: Y
>>>         Status: ACTIVE
>>>
>>>
>>> Appreciate any ideas on this.
>>>
>>> Thanks
>>>
>>> Mark
>>>
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
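A small audit script that reads the KEK and TEK sections of the `show crypto gdoi` output above and flags the legacy 3DES/MD5 choices, while leaving the KEK signature hash as informational since, per Piotr's reply, it has no CLI knob. This is an added example, not code from the thread; the sample text is constructed from Mark's output, and apart from `rekey algorithm aes 128` (quoted in the thread) the suggested replacement transforms are the editor's.

```python
import re
# Constructed sample: the KEK/TEK section of the "show crypto gdoi" output quoted above.
SAMPLE_SHOW_GDOI = """\
KEK POLICY:
    Encrypt Algorithm        : 3DES
    Sig Hash Algorithm       : HMAC_AUTH_SHA
TEK POLICY:
  FastEthernet0/0.23:
    IPsec SA:
        transform: esp-3des esp-md5-hmac
    IPsec SA:
        transform: esp-3des esp-md5-hmac
"""

# Legacy primitives and the KS-side change that replaces each. Only "rekey algorithm
# aes 128" comes from the thread; the transform names are the editor's suggestion.
WEAK = {
    "3des": "KEK: 'rekey algorithm aes 128' under 'server local'; TEK: esp-aes transform",
    "md5": "TEK: esp-sha-hmac transform",
}

def parse_gdoi(text):
    """Return {'kek': {field: value}, 'tek': [[transform, ...], ...]}."""
    kek, teks, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("KEK POLICY:", "TEK POLICY:"):
            section = line[:3].lower()
        elif section == "kek" and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            kek[key] = val
        elif section == "tek" and (m := re.match(r"transform:\s*(.+)", line)):
            teks.append(m.group(1).split())
    return {"kek": kek, "tek": teks}

def audit(policy):
    """Sorted, de-duplicated (scope, algorithm, remediation) tuples. The KEK signature
    hash has no CLI knob (per the reply above), so it is reported as INFO, not flagged."""
    findings = set()
    enc = policy["kek"].get("Encrypt Algorithm", "").lower()
    if enc in WEAK:
        findings.add(("KEK", enc, WEAK[enc]))
    for transforms in policy["tek"]:  # inbound and outbound SAs repeat the same set
        for t in transforms:
            for weak, fix in WEAK.items():
                if weak in t.lower():
                    findings.add(("TEK", t, fix))
    findings.add(("INFO", policy["kek"].get("Sig Hash Algorithm", "?"), "not configurable"))
    return sorted(findings)
```

Run `audit(parse_gdoi(SAMPLE_SHOW_GDOI))` against a pasted `show crypto gdoi` capture to get one line per weak algorithm with the KS-side change that removes it.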
