DMVPN – Migrating encryption from 3DES to AES 256

Follow these steps to migrate from 3DES to AES 256:

  1. Create keyring normally
  2. Create an ISAKMP policy for AES 256
  3. Create an ISAKMP policy for 3DES (or vice versa)
  4. Create ISAKMP profile with matching keyring and identity address
  5. Create Transform-set for 3DES
  6. Create Transform-set for AES 256 (or vice versa)
  7. Create IPSec profile with both transform-sets listed (the client will choose the other if one fails)
  8. Add ISAKMP profile to IPSec profile
  9. Apply new IPSec profile to tunnel interfaces


crypto keyring DMVPN_KEY
 pre-shared-key address 0.0.0.0 0.0.0.0 key MYTEKNOTES-PSK
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp profile DMVPN_ISA
 keyring DMVPN_KEY
 match identity address 0.0.0.0
!
crypto ipsec transform-set 3DES_TRANS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec transform-set AES_TRANS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_IPS
 set transform-set AES_TRANS 3DES_TRANS
 set isakmp-profile DMVPN_ISA
!
end
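
To track the migration across hubs and spokes, this added Python example (not part of the original post) parses a saved configuration and reports where 3DES is still offered and whether it is preferred over AES. It assumes ISAKMP policies are tried lowest number first and transform-sets in the order listed; the function name `audit` and the embedded sample, trimmed from the configuration above, are constructed for illustration.

```python
import re

# Constructed sample: crypto lines based on this page's configuration.
SAMPLE = """\
crypto isakmp policy 10
 encr aes 256
!
crypto isakmp policy 20
 encr 3des
!
crypto ipsec transform-set 3DES_TRANS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec transform-set AES_TRANS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN_IPS
 set transform-set AES_TRANS 3DES_TRANS
!
"""

def audit(config):
    """Return findings on where 3DES is still offered and whether it is preferred."""
    policies, tsets, profiles, ctx = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            ctx = ("policy", int(m[1]))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m[1]], ctx = m[2], None
        elif m := re.match(r"crypto ipsec profile (\S+)$", line):
            ctx = ("profile", m[1])
        elif ctx and ctx[0] == "policy" and (m := re.match(r"encr(?:yption)? (.+)$", line)):
            policies[ctx[1]] = m[1]
        elif ctx and ctx[0] == "profile" and (m := re.match(r"set transform-set (.+)$", line)):
            profiles[ctx[1]] = m[1].split()
        elif line == "!":
            ctx = None  # end of the current sub-command block
    findings = []
    ordered = sorted(policies)  # assumption: lowest policy number is tried first
    if ordered and "3des" in policies[ordered[0]]:
        findings.append("isakmp: 3DES policy is preferred over AES")
    findings += [f"isakmp policy {p}: still offers 3des" for p in ordered if "3des" in policies[p]]
    for name, sets in profiles.items():
        weak = [s for s in sets if "3des" in tsets.get(s, "")]
        if weak and sets[0] in weak:
            findings.append(f"ipsec profile {name}: 3DES transform-set listed first")
        findings += [f"ipsec profile {name}: still offers {s}" for s in weak]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means the device no longer offers 3DES in either phase, which is the end state of the migration.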