Old ass IPSEC
-
Prior employer just called. Their ancient router (Cisco Pix) is puking and they want me to resolve.
Told them they can get an EdgeRouter and it can talk IPSEC to their other places (also various ancient Cisco) until those are replaced too.
Well, unfortunately, their stuff has been unchanged since before I was there in 2007. All of the VPN tunnels are MD5 & DES.
The EdgeRouter basically says screw you to that.
jbusch@jared# set vpn ipsec ike-group Test proposal 1 encryption DES

  must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des
  Value validation failed
  Set failed

[edit]
jbusch@jared#
-
Wow
-
Current Example:
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ShortPSK address 24.XXX.XXX.XXX
crypto isakmp keepalive 20 10
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map trinetmap 10 ipsec-isakmp
 set peer 24.XXX.XXX.XXX
 set transform-set myset
 match address 110
!
access-list 110 remark tunnel to Main HQ
access-list 110 permit ip 130.1.11.0 0.0.0.255 130.1.1.0 0.0.0.255
access-list 110 permit ip 130.1.11.0 0.0.0.255 130.1.7.0 0.0.0.255
And yes, that is a non-private IP on the LAN side (130.X.X.X). I actually figured out where that came from back when I worked there. The original NetWare 4 Administrator books specifically used the 130 network in all their examples for adding TCP/IP. This company was all IPX/SPX in the '90s.
-
The same goes for the esp-group encryption, but it at least still does MD5 hash.
jbusch@jared# set vpn ipsec esp-group Test proposal 1 encryption
3des  aes128  aes128gcm128  aes256  aes256gcm128
[edit]
jbusch@jared# set vpn ipsec esp-group Test proposal 1 hash
md5  sha1  sha256  sha384  sha512
[edit]
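An added audit script (not from this thread, Cisco or Ubiquiti) that reads an IOS crypto config like the one posted above and reports which IKE/ESP settings an EdgeOS ike-group or esp-group would refuse, using exactly the algorithm lists the EdgeRouter printed in this thread. The IOS-to-EdgeOS keyword tables and the sample config are partial and assumed; the peer address is left as the XXX placeholder.

```python
import re
# Algorithm sets EdgeOS accepted in the CLI output quoted in this thread
# (validation message for ike-group, tab completion for esp-group).
EDGEOS_IKE_ENC = {"aes128", "aes128gcm128", "aes256", "aes256gcm128", "3des"}
EDGEOS_ESP_ENC = EDGEOS_IKE_ENC
EDGEOS_ESP_HASH = {"md5", "sha1", "sha256", "sha384", "sha512"}
# IOS keywords mapped onto EdgeOS names (partial tables, assumed here); the
# transform list is ordered longest-first so "esp-aes 256" wins over "esp-aes".
IOS_IKE_ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes 192": "aes192", "aes 256": "aes256"}
IOS_ESP_ENC = [("esp-aes 256", "aes256"), ("esp-aes", "aes128"),
               ("esp-3des", "3des"), ("esp-des", "des")]
IOS_ESP_HASH = [("esp-md5-hmac", "md5"), ("esp-sha-hmac", "sha1")]

def _lookup(table, text):
    """First EdgeOS name whose IOS keyword appears as a whole token in text."""
    for ios_kw, edgeos_name in table:
        if re.search(rf"(?<!\S){re.escape(ios_kw)}(?!\S)", text):
            return edgeos_name
    return None

def audit_ios_crypto(cfg: str) -> list[str]:
    """One finding per IOS crypto setting an EdgeOS ike-/esp-group would refuse."""
    findings = []
    # isakmp policy: header line, then the policy's one-space-indented lines
    for m in re.finditer(r"^crypto isakmp policy (\d+)\n((?: .*\n?)*)", cfg, re.M):
        num, body = m.groups()
        enc_m = re.search(r"^ encryption (.+?)\s*$", body, re.M)
        enc = IOS_IKE_ENC.get(enc_m.group(1), enc_m.group(1)) if enc_m else "des"  # IOS default is DES
        if enc not in EDGEOS_IKE_ENC:
            findings.append(f"isakmp policy {num}: IKE encryption '{enc}' rejected by EdgeOS ike-group")
    # transform-set: 'crypto ipsec transform-set NAME <transforms>' on one line
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        name, transforms = m.group(1), m.group(2)
        enc = _lookup(IOS_ESP_ENC, transforms) or "unknown"
        if enc not in EDGEOS_ESP_ENC:
            findings.append(f"transform-set {name}: ESP encryption '{enc}' rejected by EdgeOS esp-group")
        hsh = _lookup(IOS_ESP_HASH, transforms)
        if hsh and hsh not in EDGEOS_ESP_HASH:
            findings.append(f"transform-set {name}: ESP hash '{hsh}' rejected by EdgeOS esp-group")
    return findings

# Constructed sample: the thread's config, peer address kept as its XXX placeholder.
SAMPLE_CFG = """crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ShortPSK address 24.XXX.XXX.XXX
crypto ipsec transform-set myset esp-des esp-md5-hmac
"""
if __name__ == "__main__":
    for finding in audit_ios_crypto(SAMPLE_CFG):
        print(finding)
```

On the posted config it reports two refusals, both for DES: the isakmp policy (no `encryption` line, so IOS defaults to DES) and the `esp-des` transform; the MD5 hash passes because the esp-group completion list above still offers `md5`.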