Follow these steps to migrate from 3DES to AES 256:
- Create keyring normally
- Create an ISAKMP policy for AES 256
- Create an ISAKMP policy for 3DES (or vice versa)
- Create ISAKMP profile with matching keyring and identity address
- Create Transform-set for 3DES
- Create Transform-set for AES 256 (or vice versa)
- Create IPSec profile with both transform-sets listed (the client will choose the other if one fails)
- Add ISAKMP profile to IPSec profile
- Apply new IPSec profile to tunnel interfaces

crypto keyring DMVPN_KEY
 pre-shared-key address 0.0.0.0 0.0.0.0 key MYTEKNOTES-PSK
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile DMVPN_ISA
 keyring DMVPN_KEY
 match identity address 0.0.0.0
!
crypto ipsec transform-set 3DES_TRANS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec transform-set AES_TRANS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_IPS
 set transform-set AES_TRANS 3DES_TRANS
 set isakmp-profile DMVPN_ISA
!
end
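
The Python script below is an added example, not part of the original notes. It parses crypto lines like those above and reports the order in which proposals are preferred and which 3DES objects are still configured, so the fallback entries can be removed once every peer negotiates AES 256. The function name audit_migration and the SAMPLE text are assumptions constructed for illustration.

```python
import re

# Constructed sample: crypto lines taken from the config on this page.
SAMPLE = """\
crypto isakmp policy 10
 encr aes 256
crypto isakmp policy 20
 encr 3des
crypto ipsec transform-set 3DES_TRANS esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AES_TRANS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_IPS
 set transform-set AES_TRANS 3DES_TRANS
"""

def audit_migration(config):
    """Report proposal order and remaining 3DES objects in an IOS config."""
    policies, transforms, profiles = {}, {}, {}
    section = None  # (kind, key) of the block currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            section = ("policy", int(m.group(1)))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            transforms[m.group(1)] = m.group(2)
            section = None
        elif m := re.match(r"crypto ipsec profile (\S+)$", line):
            section = ("profile", m.group(1))
        elif line == "!" or line.startswith("crypto "):
            section = None
        elif section and section[0] == "policy" and line.startswith("encr"):
            policies[section[1]] = line.split(None, 1)[1]
        elif section and section[0] == "profile" and line.startswith("set transform-set "):
            profiles[section[1]] = line.split()[2:]
    return {
        # The lowest ISAKMP policy number has the highest priority.
        "ike_order": [policies[n] for n in sorted(policies)],
        "legacy_policies": sorted(n for n, e in policies.items() if e == "3des"),
        "legacy_transforms": sorted(t for t, v in transforms.items() if "esp-3des" in v),
        # Transform-sets in a profile are listed in order of preference.
        "aes_first": {p: bool(s) and "esp-aes 256" in transforms.get(s[0], "")
                      for p, s in profiles.items()},
        "profiles_with_3des": {p: [s for s in sets if "esp-3des" in transforms.get(s, "")]
                               for p, sets in profiles.items()},
    }

if __name__ == "__main__":
    print(audit_migration(SAMPLE))
```

Empty legacy_policies, legacy_transforms and profiles_with_3des lists mean no 3DES fallback remains in the text that was checked.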