Old ass IPSEC



  • Prior employer just called. Their ancient router (Cisco Pix) is puking and they want me to resolve.

    Told them they can get an EdgeRouter and it can talk IPSEC to their other places (also various ancient Cisco) until those are replaced too.

    Well unfortunately their stuff has been unchanged since before I was there in 2007. All of the VPN tunnels are MD5 & DES.

    The EdgeRouter basically says screw you to that.

    [email protected]# set vpn ipsec ike-group Test proposal 1 encryption DES
    must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des
    
    Value validation failed
    Set failed
    [edit]
    [email protected]# 
    


  • Wow



  • Current Example:

    crypto isakmp policy 1
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key ShortPSK address 24.XXX.XXX.XXX
    crypto isakmp keepalive 20 10
    !
    !
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    !
    crypto map trinetmap 10 ipsec-isakmp
     set peer 24.XXX.XXX.XXX
     set transform-set myset
     match address 110
    !
    access-list 110 remark tunnel to Main HQ
    access-list 110 permit ip 130.1.11.0 0.0.0.255 130.1.1.0 0.0.0.255
    access-list 110 permit ip 130.1.11.0 0.0.0.255 130.1.7.0 0.0.0.255
    

    And yes that is a non-private IP on the LAN side (130.X.X.X). I actually figured out there that came from back when I worked there. The original Netware 4 Administrator books specifically used the 130 network in all their examples for adding TCP/IP. This company was all IPX/SPX in the 90's.



  • The esp-group encryption also, but it at least still does MD5 hash.

    [email protected]# set vpn ipsec esp-group Test proposal 1 encryption 
    3des          aes128        aes128gcm128  aes256        aes256gcm128  
    [edit]
    [email protected]# set vpn ipsec esp-group Test proposal 1 hash       
    md5     sha1    sha256  sha384  sha512  
    [edit]