Thanks Piotr. That explains it.

On Wed, Jun 8, 2011 at 11:35 PM, Kingsley Charles <[email protected]> wrote:

> Thanks Piotr.
>
> Somewhere it was hitting my mind that there is a command to change the
> encryption algorithm, but it didn't strike me.
>
> With regards
> Kings
>
> On Thu, Jun 9, 2011 at 11:40 AM, Piotr Matusiak <[email protected]> wrote:
>
>> Encryption is configurable via the following command in GETVPN KS config:
>>
>> rekey algorithm aes 128
>>
>> The auth algorithm is not configurable.
>>
>> Regards,
>> Piotr
>>
>> 2011/6/9 Kingsley Charles <[email protected]>
>>
>>> You can also see that 3DES is being used for encryption. I guess IOS
>>> uses 3DES and SHA for encryption and authentication, which can't be changed.
>>>
>>> With regards
>>> Kings
>>>
>>> On Wed, Jun 8, 2011 at 10:55 PM, Mark Senteza <[email protected]> wrote:
>>>
>>>> Hey all,
>>>>
>>>> Thanks for the feedback on previous show crypto outputs. I have been
>>>> configuring GETVPN and studying the show crypto outputs and, as usual, it's
>>>> thrown up a couple of things that I need to ask.
>>>>
>>>> The basic layout of my GETVPN network is:
>>>>
>>>> R1 (KS) -----------inside--ASA--outside-----------R3-----------R2
>>>>
>>>> R2 and R3 are the GETVPN group members.
>>>>
>>>> Config on the KS is as follows:
>>>>
>>>> ip access-list ext GETVPN-TRAFFIC
>>>>  permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>>>
>>>> crypto key generate rsa general-key modulus 1024 label GETVPN export
>>>>
>>>> crypto isakmp policy 23
>>>>  auth pre
>>>>  encr 3des
>>>>  hash md5
>>>>
>>>> crypto isakmp key CISCO address 0.0.0.0
>>>>
>>>> crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
>>>>
>>>> crypto ipsec profile GETVPN-IPSECPROF
>>>>  set transform-set 3DESMD5
>>>>
>>>> crypto gdoi group GETVPN123
>>>>  identity number 123
>>>>  server local
>>>>   rekey lifetime seconds 300
>>>>   rekey retransmit 10 number 2
>>>>   rekey authentication mypubkey rsa GETVPN
>>>>   rekey transport unicast
>>>>   sa ipsec 123
>>>>    profile GETVPN-IPSECPROF
>>>>    match address ipv4 GETVPN-TRAFFIC
>>>>    replay counter window-size 64
>>>>   address ipv4 1.1.1.1
>>>>
>>>> crypto map GDOI local-address Loopback0
>>>> crypto map GDOI 10 gdoi
>>>>  set group GETVPN123
>>>>
>>>> interface FastEthernet0/0.10
>>>>  ip address 10.100.10.1 255.255.255.0
>>>>  crypto map GDOI
>>>>
>>>> interface Loopback0
>>>>  ip address 1.1.1.1 255.255.255.0
>>>>
>>>> Show crypto output from router R2:
>>>>
>>>> CCIELAB-ROUTER-R2#show crypto isakmp sa
>>>> IPv4 Crypto ISAKMP SA
>>>> dst             src             state          conn-id slot status
>>>> 1.1.1.1         2.2.2.2         GDOI_IDLE         1011    0 ACTIVE
>>>> 2.2.2.2         1.1.1.1         GDOI_REKEY        1014    0 ACTIVE
>>>> 2.2.2.2         1.1.1.1         GDOI_REKEY        1013    0 ACTIVE
>>>>
>>>> CCIELAB-ROUTER-R2#show crypto gdoi
>>>> GROUP INFORMATION
>>>>
>>>>     Group Name               : GETVPN123
>>>>     Group Identity           : 123
>>>>     Rekeys received          : 8
>>>>     IPSec SA Direction       : Both
>>>>     Active Group Server      : 1.1.1.1
>>>>     Group Server list        : 1.1.1.1
>>>>
>>>>     GM Reregisters in        : 3385 secs
>>>>     Rekey Received(hh:mm:ss) : 00:02:29
>>>>
>>>>     Rekeys received
>>>>          Cumulative          : 8
>>>>          After registration  : 2
>>>>     Rekey Acks sent          : 8
>>>>
>>>> ACL Downloaded From KS 1.1.1.1:
>>>>   access-list permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
>>>>
>>>> KEK POLICY:
>>>>     Rekey Transport Type     : Unicast
>>>>     Lifetime (secs)          : 300
>>>>     Encrypt Algorithm        : 3DES
>>>>     Key Size                 : 192
>>>>     *Sig Hash Algorithm       : HMAC_AUTH_SHA*
>>>>     Sig Key Length (bits)    : 1024
>>>>
>>>> TEK POLICY:
>>>>   FastEthernet0/0.23:
>>>>     IPsec SA:
>>>>         sa direction:inbound
>>>>         spi: 0xC14AA712(3242895122)
>>>>         transform: esp-3des esp-md5-hmac
>>>>         sa timing:remaining key lifetime (sec): (1441)
>>>>         Anti-Replay : Disabled
>>>>
>>>>     IPsec SA:
>>>>         sa direction:outbound
>>>>         spi: 0xC14AA712(3242895122)
>>>>         transform: esp-3des esp-md5-hmac
>>>>         sa timing:remaining key lifetime (sec): (1441)
>>>>         Anti-Replay : Disabled
>>>>
>>>> In the above "show crypto gdoi" output from the group member, why is it
>>>> that under the KEK POLICY the Sig Hash Algorithm is showing
>>>> "HMAC_AUTH_SHA"? I don't have SHA configured anywhere. In my ISAKMP and
>>>> IPsec policies I configured MD5. Has the SHA got anything to do with the
>>>> crypto key I generated with the label "GETVPN", or has it got something to
>>>> do with the "crypto gdoi group" configuration? Or both?
>>>>
>>>> I also see a reference to SHA when I run "show crypto engine connection
>>>> active" on both the GM and the KS. I don't have any other ISAKMP policies
>>>> configured on either router, so I'm confused about where the SHA is
>>>> coming from.
>>>>
>>>> CCIELAB-ROUTER-R2#show crypto engin conn active
>>>> Crypto Engine Connections
>>>>
>>>>    ID  Type    Algorithm   Encrypt  Decrypt IP-Address
>>>>  1011  IKE     MD5+3DES          0        0 2.2.2.2
>>>>  1015  IKE     SHA+3DES          0        0
>>>>  1016  IKE     SHA+3DES          0        0
>>>>  2027  IPsec   3DES+MD5          0        5 192.168.0.0
>>>>  2028  IPsec   3DES+MD5          5        0 192.168.0.0
>>>>  2029  IPsec   3DES+MD5          0        0 0.0.0.0
>>>>  2030  IPsec   3DES+MD5          0        0 0.0.0.0
>>>>  2031  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>  2032  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>  2033  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>  2034  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>  2035  IPsec   3DES+MD5          0        0 0.0.0.0
>>>>  2036  IPsec   3DES+MD5          0        0 0.0.0.0
>>>>  2037  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>  2038  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>  2055  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>  2056  IPsec   3DES+MD5          0        0 192.168.0.0
>>>>
>>>> CCIELAB-ROUTER-R1#show crypto engin conn active
>>>> Crypto Engine Connections
>>>>
>>>>    ID  Type    Algorithm   Encrypt  Decrypt IP-Address
>>>>  1010  IKE     MD5+3DES          0        0 1.1.1.1
>>>>  1011  IKE     MD5+3DES          0        0 1.1.1.1
>>>>  1015  IKE     SHA+3DES          0        0
>>>>
>>>> And "show crypto ipsec sa" from the GM router R2:
>>>>
>>>>    local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>>>>    remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
>>>>    current_peer 0.0.0.0 port 848
>>>>      PERMIT, flags={origin_is_acl,}
>>>>     #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
>>>>     #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
>>>>     #pkts compressed: 0, #pkts decompressed: 0
>>>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>>>     #send errors 0, #recv errors 0
>>>>
>>>>      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 0.0.0.0
>>>>      path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.23
>>>>      current outbound spi: 0xC14AA712(3242895122)
>>>>
>>>>      inbound esp sas:
>>>>       spi: 0xC14AA712(3242895122)
>>>>         transform: *esp-3des esp-md5-hmac* ,
>>>>         in use settings ={Tunnel, }
>>>>         *conn id: 2027*, flow_id: NETGX:27, crypto map: GDOI
>>>>         sa timing: remaining key lifetime (sec): (176)
>>>>         IV size: 8 bytes
>>>>         replay detection support: Y
>>>>         Status: ACTIVE
>>>>       spi: 0x5100880C(1358989324)
>>>>         transform: esp-3des esp-md5-hmac ,
>>>>         in use settings ={Tunnel, }
>>>>         conn id: 2033, flow_id: NETGX:33, crypto map: GDOI
>>>>         sa timing: remaining key lifetime (sec): (1811)
>>>>         IV size: 8 bytes
>>>>         replay detection support: Y
>>>>         Status: ACTIVE
>>>>       spi: 0x895F95E(144046430)
>>>>         transform: esp-3des esp-md5-hmac ,
>>>>         in use settings ={Tunnel, }
>>>>         conn id: 2055, flow_id: NETGX:55, crypto map: GDOI
>>>>         sa timing: remaining key lifetime (sec): (2184)
>>>>         IV size: 8 bytes
>>>>         replay detection support: Y
>>>>         Status: ACTIVE
>>>>
>>>>      outbound esp sas:
>>>>       spi: 0xC14AA712(3242895122)
>>>>         transform: *esp-3des esp-md5-hmac* ,
>>>>         in use settings ={Tunnel, }
>>>>         *conn id: 2028*, flow_id: NETGX:28, crypto map: GDOI
>>>>         sa timing: remaining key lifetime (sec): (176)
>>>>         IV size: 8 bytes
>>>>         replay detection support: Y
>>>>         Status: ACTIVE
>>>>       spi: 0x5100880C(1358989324)
>>>>         transform: *esp-3des esp-md5-hmac* ,
>>>>         in use settings ={Tunnel, }
>>>>         *conn id: 2034*, flow_id: NETGX:34, crypto map: GDOI
>>>>         sa timing: remaining key lifetime (sec): (1811)
>>>>         IV size: 8 bytes
>>>>         replay detection support: Y
>>>>         Status: ACTIVE
>>>>       spi: 0x895F95E(144046430)
>>>>         transform: *esp-3des esp-md5-hmac* ,
>>>>         in use settings ={Tunnel, }
>>>>         *conn id: 2056*, flow_id: NETGX:56, crypto map: GDOI
>>>>         sa timing: remaining key lifetime (sec): (2184)
>>>>         IV size: 8 bytes
>>>>         replay detection support: Y
>>>>         Status: ACTIVE
>>>>
>>>> Appreciate any ideas on this.
>>>>
>>>> Thanks
>>>>
>>>> Mark
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com
>>>>
>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>> www.PlatinumPlacement.com
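Added example, not part of any message in the thread above: Mark's key-server configuration reworked so that nothing in the KEK or TEK policy falls back to 3DES/MD5. The point it illustrates is the one Piotr makes: the KEK encryption algorithm (the "Encrypt Algorithm : 3DES / Key Size : 192" lines, and the SHA+3DES GDOI_REKEY entries in "show crypto engine connections active") is set by "rekey algorithm" under "server local", not by the ISAKMP policy or the IPsec transform set, and when that line is absent the KEK defaults to 3DES. The group name, ACL, profile and KS address (1.1.1.1) are Mark's; the GM addresses 2.2.2.2 and 3.3.3.3, the per-peer pre-shared keys, the 2048-bit RSA key and the rekey lifetime are assumptions chosen for the example.

```ios
! Added example, not the thread's configuration. Names reused from Mark's post;
! 2.2.2.2 / 3.3.3.3 and the pre-shared keys are assumed for illustration.
!
! --- as posted (weak): 3DES/MD5 for IKE and TEK, KEK left at its 3DES default,
!     wildcard pre-shared key that any peer address can match
! crypto isakmp policy 23
!  auth pre
!  encr 3des
!  hash md5
! crypto isakmp key CISCO address 0.0.0.0
! crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
! crypto gdoi group GETVPN123
!  server local
!   (no "rekey algorithm" line -> KEK = 3DES; the KEK signature hash is SHA
!    regardless of the ISAKMP/IPsec hash settings)
!
! --- reworked ---
! exec mode: larger KS signing key (shows up as "Sig Key Length (bits)" on the GM)
crypto key generate rsa general-keys modulus 2048 label GETVPN exportable
!
! control-plane policy between KS and GMs (registration / rekey)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! one key per group member instead of a 0.0.0.0 wildcard (keys are placeholders)
crypto isakmp key <strong-key-for-R2> address 2.2.2.2
crypto isakmp key <strong-key-for-R3> address 3.3.3.3
!
! TEK policy: what the GMs use on the data plane
crypto ipsec transform-set AES256SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile GETVPN-IPSECPROF
 set transform-set AES256SHA
!
ip access-list extended GETVPN-TRAFFIC
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
crypto gdoi group GETVPN123
 identity number 123
 server local
  ! KEK policy: this line, not the ISAKMP policy, picks the rekey cipher
  rekey algorithm aes 256
  ! 300 s is fine for lab observation; 86400 s is the IOS default/maximum
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN
  rekey transport unicast
  ! ASSUMPTION: later IOS releases add "rekey sig-hash algorithm" to select
  ! the KEK signature hash; check "rekey ?" on your release before relying on it
  ! rekey sig-hash algorithm sha256
  sa ipsec 1
   profile GETVPN-IPSECPROF
   match address ipv4 GETVPN-TRAFFIC
   ! time-based anti-replay: counter-based replay is only meaningful on an SA
   ! with a single sender, and a GETVPN TEK is shared by every GM in the group
   replay time window-size 5
  address ipv4 1.1.1.1
```

After the GMs re-register (or on the next rekey), "show crypto gdoi" on a GM should report the KEK as "Encrypt Algorithm : AES" with "Key Size : 256", "Sig Key Length (bits) : 2048", and the TEK transform as esp-aes esp-sha-hmac; the "Sig Hash Algorithm : HMAC_AUTH_SHA" line stays as it is, since that hash is part of the KS rekey policy and was never derived from "hash md5" or "esp-md5-hmac". "show crypto engine connections active" will then list the GDOI_REKEY entries as SHA+AES rather than SHA+3DES.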
