Cisco VPN :: AES256 VPN Encryption Method
Dec 21, 2012
I have some VPN encryption method questions. Is it recommended to use different encryption algorithms for both VPN phases (phase 1 and phase 2)? I've read once that it is much more secure to use different encryption algorithms for each phase. In my opinion, I would go for the AES256 algorithm in both phases. But maybe it is a better idea to use AES128 or AES192 in the first phase and AES-256 in the second phase… I don't know. After saying this, I'm also wondering about the best VPN encryption setup for a site-to-site VPN (IKEv2) when using a Cisco ASA like the 5510, 5520 or the 5515. Which encryption method is recommended for phase 1 and phase 2? Which PFS / DH group should be used (considering CPU load and security)?
View 2 Replies
Aug 1, 2011
Are there plans to include support for AES256-CTR (vice AES256-CBC) in IOS code?
View 2 Replies
Apr 25, 2013
I have a general question regarding building SAs between two peers. Can I establish more than one SA between two peers with the same IP address? Actually I have 3 DMVPNs running in parallel in different VRFs using the same SA. They all have the same IPSEC encryption, AES256. Now I need to reduce the encryption to 3DES in one of the three DMVPNs. Is that possible, or do I need a different IP address so that the SA pair is unique? That's how I started, with a Phase 2 failure that is not acceptable.
crypto keyring preshared
pre-shared-key address x.x.x.x key ....ncvnbxcnbLsaYiKtxc4ex4U99Tn...
pre-shared-key address x.x.x.x key ....qerqwerJLsaYiKtxc4ex4U99Tn...
pre-shared-key address 0.0.0.0 0.0.0.0 key ....JLsaYiKtxewrc4ex4U99Tn...
[code]....
View 4 Replies
Feb 3, 2012
Is 3DES on ISAKMP considered to be secure for your average site (the other options are AES/DES)? I'd imagine AES should be much stronger, but what about DES: is that considered adequate or broken? Is there any proof-of-concept attack against 3DES on ISAKMP (or ISAKMP in general)?
View 2 Replies
Jan 29, 2011
The datasheets indicate that the 39xx series ISR G2 routers support AES, but they don't indicate if they handle both AES128 and AES256 in hardware. Via our account manager, we've heard that they only support AES128 in hardware, but not AES256. Given there's no equivalent of an AIM-VPN/SSL-3 module for a 39xx router, this could be a problem for a deployment we're looking at doing.
I can find no document anywhere on cisco.com that confirms that AES256 specifically is supported IN HARDWARE on, say, a 3945E router.
And, if it is supported, are there any performance numbers available for throughput? We're trying to find out if a 3945E is appropriate, or if we need to go with a 7206VXR w/NPE-G2 and VAM2+ module.
View 3 Replies
Nov 3, 2012
I have recently upgraded my company's network significantly, and in the process removed our Cisco edge routers and firewalls (gasp!) and replaced them with another vendor who gave a better price point for the router. However, I was only able to get ONE edge router, whereas before I had two, so I want to recycle one of my old 2921's as a cold standby (in case the brown sticky stuff hits the rotating air distribution blades and the $other-vendor router dies). Trouble is, the 2921 does not, I believe, have sufficient system resources to take the full routing table we're getting from our two ISPs. What I would like to ask is people's thoughts on the best method for me to configure the BGP setup on the 2921 to do the following:
- Accept the default route from each ISP and discard *everything* else in the route table
- Modify our advertisement (AS prepend) out the "secondary" ISP to reduce the priority of traffic coming in over this link.
- Configure the OUTBOUND priorities so that the "primary" link is used by preference for outgoing traffic (which will effectively shut down the secondary link for outbound traffic).
View 6 Replies
Oct 14, 2012
As we know, SNR (signal to noise ratio) is very important in communication, especially in wireless. So I am wondering: how is SNR measured (using a practical method)?
View 2 Replies
May 9, 2011
We currently have 4x ACS 4.1(1) build 23, Windows-based, and we are going to migrate to the ACS 5.2 appliance 11211. The first pair we are using simply for local authentication for multiple vendor firewalls and routers, with one custom RADIUS vendor-specific attribute, with now she exec. The second pair we are using for wireless client authentication through AD, with dynamic mapping.
In order to migrate, what would be the most suitable migration method: to use the Migration utility, or to export those ACS objects and import them into the new ACS 5.2?
View 1 Replies
Apr 25, 2012
We have a scheduled office move where we are consolidating 2 remote offices into one. I've been asked to spec out the correct size UPS to support all of the network equipment for this new office. I went to the Cisco website and I see on the datasheet for the switches and router where they talk about the wattages and BTUs, but how can I go about deciphering from that information what my total wattage and BTU will be for each switch and router? What numbers should I be looking at? For instance, we have 3 3750 48-port PoE switches. So if I look at the datasheet for that switch they have 4 different columns: one for 100% throughput power consumption, one for 5% throughput, another one for 100% throughput at max PoE load and one for 5% throughput with 50% PoE load. Is there a common method for determining UPS requirements? For the switches I'm pretty sure I need to assume max PoE load in the event every port has a phone plugged into it.
View 3 Replies
Apr 13, 2013
I am having some issues with my internet connection. release and renew method and using Google's DNS server.
View 1 Replies
Aug 6, 2012
Is there any method to control access to the different WLANs (PEAP) on the same ACS 5.2 and WLC? That is, there are two AD groups: one has access to the domain network only, the other group has access to the internet only, and maybe a third group that has access to both networks. Currently, if I add a new authorization policy, the user will have access to both networks.
View 1 Replies
Jul 7, 2011
Any instructions to configure an ASA to allow authentication by certificate only on an AnyConnect VPN? I'm running an ASA 5505 with 8.4(1) and AnyConnect 2.4.7030 on an Android phone. I currently have the AnyConnect client connecting OK using username / password for authentication.
I have loaded the company root certificate (internally generated) into the ASA "CA Certificates" and generated an Identity Certificate for the ASA.
View 1 Replies
Sep 23, 2012
I am a network tech at a local school district (easily an enterprise network). I am just a worker bee, so I have no say in the design of the networks. Our topology at a site goes WAN rtr---LAN rtr (6500 or 3550)----distro switches----access switches.
Now at most of our sites we use Extreme, which has a handy feature called ELRP (Extreme Loop Recovery Protocol). Despite the name, this mechanism just detects loops; in the logs we can see, OK... off the LAN rtr, port 2, then on port 2 we see what's hanging off it... OK, loop off port 5 of that switch... and work your way down the room.
We do not have STP on our network (don't ask) and yes, logging is not set to standards either... What is the best way to detect loops? Commonly these loops come from classrooms that have mini-switches that are looped onto themselves, or a wall jack connected to a mini switch and that mini switch then connected to another wall drop going back to the same switch. Sometimes I disable all ports minus the WAN uplink on the LAN router, then enable ports one by one while having an LR (link runner) hooked up to a user-facing RJ45 port on the 6500, and when the LR shows 100% util, I know that port is now suspect.
View 5 Replies
Feb 21, 2011
What is the easiest method permitting a local and a remote PC to access the same database? They both have internet access.
View 3 Replies
Jul 15, 2011
I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through SSH), it just prompts me for my username's password and not the enable password. Here's the debug output:
1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No valid server found. Trying any viable server
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No response for id 10
[code]...
View 14 Replies
Nov 6, 2012
I have been able to successfully set up Cisco AnyConnect VPN on an ASA 5520 with 8.4 code. I have set it to authenticate against the RADIUS server (Microsoft Windows 2008 NPS server). I have noticed one thing on the server under "Constraints and Authentication Method": I picked MS-CHAP-v2, but it is considered a less secure authentication method. I can click on Add and choose other authentication methods like Smart Card or other Certificate, PEAP, EAP-MSCHAP v2. I picked PEAP, but then the VPN does not work.
So first of all, does it really matter if I just leave it at MS-CHAP-v2? Because my understanding is that AnyConnect will authenticate to the ASA and then the ASA in the backend talks to the RADIUS server, so from a security standpoint shouldn't this scenario be sufficient, as no unencrypted or less secure information is available to the outside world? Secondly, is there any documentation on using PEAP with Cisco AnyConnect?
View 4 Replies
Mar 29, 2011
I need to move our (secondary instance, version 5-2) ACS server to a different server rack and I have not been able to find a gentle way to shut down the appliance (not the windows version). Does one exist or is it just the power button/cord?
View 2 Replies
Jun 3, 2013
We have WCS and several WLCs (WiSM v1, 5508, 4402) all running the 7.0.240.0 code. The "Guest" SSID is "garden-walled" from the corp LANs. We used to have a web-auth page that required ID / PW. This became unreasonable as the IT Dept was getting requests at all hours for immediate access from guests / resident family members. So we changed the web-auth to remove the ID / PW and just display corp policy; you have to hit a "continue" button to gain access to the Guest SSID. Healthcare staff on the floor are not tech-savvy enough to want to use or perform Hotel Ambassador functions. The issue now is that we have employees with smartphones, tablets and even personal laptops connecting to the Guest SSID. Sr. Mgt wants to find a way to stop the abuse. I do not believe there is any perfect solution to prevent employees from gaining access, but I have been asked to find a manageable method to deter most employees from connecting to the Guest network. I looked at setting up MAC filtering in WCS; it seems that you have to enter MACs that you *allow* on to the network, and by default other MACs are blocked. I would rather have the template block the MACs listed in the csv file and allow access as the default. We have several SSIDs. Our corporate SSID uses 802.1x and we use Microsoft Server 2012 Network Policy Server (RADIUS) to pass user ID / PW to our AD for authentication. We do not have Cisco ACS. I am not sure if integrating RADIUS is the answer here either. I have had some WebEx sessions on ISE, NCS, and Prime Infrastructure. We are only interested at the moment in monitoring / controlling access to Guest. I have been told that ISE will have "sponsorship" functionality added soon -- where the user fills out info and an ID / PW is sent via text or email to a cell phone or other device.
View 2 Replies
Jun 19, 2012
We have a Cisco wireless network throughout the whole 8-floor building on a Cisco WLC 4402 and Cisco LAP-1242 APs. There are no coverage holes, but sometimes clients are flapping between two access points on different floors with serious loss in throughput. Is there any method to limit roaming between different floors in the building?
View 7 Replies
Dec 26, 2011
How can I connect two 4505 switches using the trunking method…
View 1 Replies
Feb 7, 2012
I'm facing one issue with VACL. I have a LAN network 10.40.X.X/16. In this network I have a Production VLAN 10 with 10.40.10.X/24 and I have created one VLAN 103 for guest users as 10.40.103.X/24.
My goal is to restrict VLAN 103 from reaching or accessing VLAN 10, that is, to restrict guest user access to the production VLAN. So I tried to put in this script with the VACL method, but it doesn't work.
Extended IP access list Restriction-Guest
10 permit ip 10.40.103.0 0.0.0.255 any
vlan access-map Guest 10
action drop match ip address Restriction-Guest
vlan filter Guest vlan-list 10
After that I am still able to ping or access VLAN 10 from VLAN 103.
View 4 Replies
Jul 10, 2012
Any method to renumber a FEX without causing service disruption?
1) Preprovisioning the new FEX number
2) Mirror the config
3) Change the FEX association on the FEX downlink ports on the 5548
But I'm certain this will cause a disruption to the connected host ports which are in production on the FEX?
View 2 Replies
Aug 8, 2012
I'm configuring an AP in HREAP mode. My objective is to have a "plug & play" installation method for HREAP. On the HREAP AP I configure Native VLAN set to 1, and the WLAN-to-VLAN mapping for the current WLAN is set to 1 too. The WLC version is 7.0.230.0 and the AP version is 12.4(23c)JA4.
On my Cisco switch (WS-C3560-24PS with 12.2(55)SE1), the port configuration is as below:
switchport trunk encapsulation dot1q
switchport trunk native vlan 45
switchport trunk allowed vlan 45,74
switchport mode trunk
no logging event link-status
no logging event power-inline-status
no snmp trap link-status
spanning-tree portfast trunk
spanning-tree bpduguard enable
The AP receives a DHCP IP in VLAN 45 and users are connected in VLAN 45 too. I would like to understand why the AP is working properly, because normally VLAN 1 is not configured as an allowed VLAN on my switch and the native VLAN is dedicated only to untagged Ethernet packets.
View 1 Replies
Oct 16, 2011
I have a Cisco 3560 running as a Layer 3 device in my network, running 10 VLANs and routing between most of them (nothing complex with ACLs) and running spanning-tree mode pvst. The main network is run on a Netgear GS748TPS stack of three switches running MSTP.
I have just bought an additional 3560 and a 2960 to plug in. I have set them up with IP addresses and then plugged them into the Netgear. This brought the whole network down until I unplugged the new switches.
I have confirmed the IP addresses aren't duplicated and that DHCP is not running on the switches, so I can only assume it's something to do with DHCP. I cannot afford for the network to go offline again, so is there anything I should check? Am I running incompatible spanning tree methods between the Netgear and Cisco devices?
View 28 Replies
Jan 9, 2012
Any method of forcing a non-connected switch port LED to blink a certain number of times, regardless of whether there is anything connected? The purpose of this is that we have remote 3750 switch stacks and quite often have to tell non-technical staff to patch to a certain port. It would be much easier if we could say "Connect it to the empty port which just started blinking orange", as the port numbers are difficult for them to see in these locations. A similar feature is available in the ethtool package for Linux, which makes it really easy to identify ports on servers. It would be great if a similar feature were available on Cisco switches.
View 2 Replies
Aug 1, 2011
What is the best method (the one that works) to connect the E3000 with the SPA2102 phone adapter? Or, is it not possible?
View 9 Replies
Oct 21, 2012
After a storm in my neighborhood my wireless router was reset. It is a WRT54G purchased in 2007. I had to reinstall the Easy Link Advisor from the net because the disk I had did not work with Windows 7. Everything went OK; however, I am not able to add a password. I keep getting the following error message: "Error Updating Devise The Method or Operation is not Implemented." How do I get around this issue and install some sort of security for my home network? My wireless network was named genesis50; now it went back to linksys. How do I change the name back? The hard-wired system still shows as genesis50.
View 2 Replies
Jul 30, 2012
This is my second post today trying to fix the NAT types for my 2 Xbox 360s. I tried the port forwarding method, but with this router when I enable the ports I lose internet access on my wired devices, while my wireless devices still have internet access. I even lost internet access on my computer. I never had many problems with a router trying to get my NAT type open on my 2 Xboxes.
View 6 Replies
Nov 1, 2011
I have a client that has 3 AP541Ns and they want to enable guest wireless access. However, their VoIP provider has their managed switches locked down, so we can't add VLANs, etc. So I cannot touch the switch or router config on this LAN.
Looking into the AP541N documentation I see VAPs mentioned. Can I enable those and have secure guest wireless access with the same private IPs that the rest of the LAN uses right now? (That is, the employees are 192.168.2.x and the guest wireless users would also be 192.168.2.x.)
Or do I need to do something else to properly enable guest wireless, like add another piece of equipment? I did try to add a Cisco RVS4000 to the mix, but it wouldn't pass the VLAN across the switches that I set up for the guest wireless SSID. The goal is to leave the switch and router in place, work with the AP541Ns that I have, and get secure guest wireless.
View 1 Replies
Jul 28, 2012
Where can I find my WEP encryption key?
View 1 Replies
Nov 30, 2012
Is it possible to have a 64-bit and a 128-bit encryption key activated on the same router at the same time, one for the laptop and one for the wireless printer?
View 1 Replies
Jun 23, 2012
I need to locate my encryption key.
View 1 Replies
Oct 7, 2011
how IPSEC VPN works, but I hit a stumbling block understanding symmetric encryption keys. Here is my understanding of the process:
1. Peers will negotiate policies
2. Authenticate using pre-shared keys or certificates
3. Exchange DH public keys
4. Using the public keys, encrypt a symmetric key and exchange that same key, which will be used for communication
5. Maintain sessions
But when we are configuring, we define encryption keys in the ISAKMP phase and in the IPsec transform set. I thought we would use the same encryption key for both management and data communication; in fact, I thought the management phase is there to give us a securely exchanged encryption key for the data tunnel. But we can use 2 different encryption keys in the 2 phases, so I am a bit confused.
View 3 Replies