    Old ass IPSEC

    IT Discussion
    Tags: technical debt, edge router, cisco
    JaredBusch

      Prior employer just called. Their ancient router (Cisco PIX) is puking and they want me to resolve it.

      Told them they can get an EdgeRouter and it can talk IPSEC to their other places (also various ancient Cisco) until those are replaced too.

      Well, unfortunately, their stuff has been unchanged since before I was there in 2007. All of the VPN tunnels are MD5 & DES.

      The EdgeRouter basically says screw you to that.

      jbusch@jared# set vpn ipsec ike-group Test proposal 1 encryption DES
      must be aes128, or aes128gcm128, or aes256, or aes256gcm128, or 3des
      
      Value validation failed
      Set failed
      [edit]
      jbusch@jared# 
      
    scottalanmiller

        Wow

    JaredBusch

          Current Example:

          crypto isakmp policy 1
           hash md5
           authentication pre-share
           group 2
          crypto isakmp key ShortPSK address 24.XXX.XXX.XXX
          crypto isakmp keepalive 20 10
          !
          !
          crypto ipsec transform-set myset esp-des esp-md5-hmac
          !
          crypto map trinetmap 10 ipsec-isakmp
           set peer 24.XXX.XXX.XXX
           set transform-set myset
           match address 110
          !
          access-list 110 remark tunnel to Main HQ
          access-list 110 permit ip 130.1.11.0 0.0.0.255 130.1.1.0 0.0.0.255
          access-list 110 permit ip 130.1.11.0 0.0.0.255 130.1.7.0 0.0.0.255
          

          And yes, that is a non-private IP on the LAN side (130.X.X.X). I actually figured out where that came from, back when I worked there. The original Netware 4 Administrator books specifically used the 130 network in all their examples for adding TCP/IP. This company was all IPX/SPX in the '90s.

    JaredBusch

            The esp-group encryption also, but it at least still does MD5 hash.

            jbusch@jared# set vpn ipsec esp-group Test proposal 1 encryption 
            3des          aes128        aes128gcm128  aes256        aes256gcm128  
            [edit]
            jbusch@jared# set vpn ipsec esp-group Test proposal 1 hash       
            md5     sha1    sha256  sha384  sha512  
            [edit]
            
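An added example (not code from the thread or from either vendor) that runs the posted Cisco config against the proposal values the EdgeRouter CLI listed as accepted above, reporting what the EdgeRouter would refuse outright and what it takes but is deprecated. Assumptions: IOS applies DES encryption and SHA-1 hash to an isakmp policy that omits those lines, DES/3DES/MD5 are rated "weak", and the IKE hash is rated weak/ok only, because the thread shows the esp-group hash list but not the ike-group one.

```python
import re
# Constructed sample modelled on the Cisco config posted in the thread (addresses masked as there).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ShortPSK address 24.XXX.XXX.XXX
crypto ipsec transform-set myset esp-des esp-md5-hmac
"""
ER_ENC = {"3des", "aes128", "aes128gcm128", "aes256", "aes256gcm128"}  # ike-group and esp-group lists
ER_ESP_HASH = {"md5", "sha1", "sha256", "sha384", "sha512"}            # esp-group hash list
WEAK = {"des", "3des", "md5"}  # accepted by the router (3DES, MD5) or not (DES), but deprecated either way
IOS_NAMES = {"sha": "sha1", "aes": "aes128", "aes 192": "aes192", "aes 256": "aes256",  # IOS -> ER names
             "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
             "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}

def sections(config):
    """Yield (header, child lines) per top-level IOS statement; indented lines belong to it."""
    for header, body in re.findall(r"^(\S.*)\n?((?:[ ].*\n?)*)", config, re.M):
        yield header, [c.strip() for c in body.splitlines()]

def classify(alg, accepted=None):
    if accepted is not None and alg not in accepted:
        return "refused"
    return "weak" if alg in WEAK else "ok"

def audit_cisco_crypto(config):
    """Return (setting, algorithm, status) per IKE/ESP algorithm; status is refused, weak or ok."""
    findings = []
    for header, children in sections(config):
        w = header.split()
        if w[:3] == ["crypto", "isakmp", "policy"]:
            s = dict(c.split(None, 1) for c in children if " " in c)
            # Omitted lines take the IOS defaults, DES encryption and SHA-1 hash (assumption).
            enc = IOS_NAMES.get(s.get("encryption", "des"), s.get("encryption", "des"))
            hsh = IOS_NAMES.get(s.get("hash", "sha"), s.get("hash", "sha"))
            findings.append((f"isakmp policy {w[3]} encryption", enc, classify(enc, ER_ENC)))
            # The thread shows no ike-group hash list, so the IKE hash is rated weak/ok only.
            findings.append((f"isakmp policy {w[3]} hash", hsh, classify(hsh)))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            for i, tok in enumerate(w[4:]):
                alg = IOS_NAMES.get(tok)
                if alg is None:
                    continue  # key-size tokens such as '256' are consumed with esp-aes below
                if tok == "esp-aes" and w[5 + i:6 + i] and w[5 + i].isdigit():
                    alg = "aes" + w[5 + i]  # 'esp-aes 256' -> aes256
                kind, ok = ("hash", ER_ESP_HASH) if tok.endswith("-hmac") else ("encryption", ER_ENC)
                findings.append((f"transform-set {w[3]} {kind}", alg, classify(alg, ok)))
    return findings
```

Running it over the sample flags both DES settings as refused and both MD5 settings as weak, which is exactly the split the CLI output above shows.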