Controller Based WLANs

How do I change the default encryption method from 3DES to AES in phase 1 and 2 of the RAP VPN tunnel?

Product and Software: This article applies to ArubaOS 3.x and later.

DES encrypts data in 64-bit blocks and effectively uses a 56-bit key. A 56-bit key space amounts to approximately 72 quadrillion possibilities. Although that seems large, it is not sufficient against today's computing power and is vulnerable to brute-force attack. DES therefore could not keep up with advances in technology and is no longer appropriate for security.

Because DES was so widely deployed, 3DES was introduced next; it is still secure enough for most purposes today. 3DES is constructed by applying DES three times in sequence. With three different keys (K1, K2, and K3) it has an effective key length of 168 bits. (Using three distinct keys is the recommended form of 3DES.) Another variation, called two-key 3DES (K1 and K3 are the same), reduces the effective key size to 112 bits, which is less secure; two-key 3DES is widely used in the electronic payments industry. 3DES needs three times as much CPU power as its predecessor, which is a significant performance hit. AES outperforms 3DES in both software and hardware.

The Rijndael algorithm was selected as the Advanced Encryption Standard (AES) to replace 3DES. AES is a variant of the Rijndael algorithm. The basic evaluation criteria for AES were:

  • security
  • software and hardware performance
  • suitability in restricted-space environments
  • resistance to power analysis and other implementation attacks

The combination of security, performance, efficiency, implementability, and flexibility made Rijndael an appropriate selection for the AES.

By design, AES is fast in software and works efficiently in hardware. It runs well even on small devices such as smart phones and smart cards. AES provides more security because of its larger block size and longer keys: it uses a fixed 128-bit block size and works with 128-, 192-, and 256-bit keys. The Rijndael algorithm in general is flexible enough to work with any key and block size that is a multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits.

To change the encryption method in phase 1 from the default 3DES to AES, create a new ISAKMP policy with a high priority (priority 1; lower numbers are evaluated first) so that it is matched before the default 3DES policy:

(Aruba) #configure terminal
(Aruba) (config) #crypto isakmp policy 1
(Aruba) (config-isakmp) #encryption AES256
(Aruba) (config-isakmp) #authentication pre-share
(Aruba) (config-isakmp) #hash sha
(Aruba) (config-isakmp) #group 2

To change the encryption method in phase 2 from the default 3DES to AES, create a new transform set named default-aes and apply it to the default dynamic map (default-dynamicmap, priority 10000):

(Aruba) #configure terminal
(Aruba) (config) #crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
(Aruba) (config) #crypto dynamic-map default-dynamicmap 10000
(Aruba) (config-dynamic-map) #set transform-set default-aes
(Aruba) (config-dynamic-map) #end
(Aruba) #write mem

Then clear the existing crypto ISAKMP and IPsec counters (security associations); the RAPs re-establish their tunnels, and the new sessions negotiate AES instead of 3DES.

The following sample output shows the security associations after the encryption method has been changed from 3DES to AES. Check the phase 1 transform (EncAlg:AES) and the phase 2 transform (EncAlg:esp-aes256) to confirm the change took effect:

(Aruba) #show crypto isakmp sa
Initiator IP: 172.16.0.254
Responder IP: 10.130.226.166
Initiator: No
Initiator cookie:75b0226d1abff80d Responder cookie:f18f8c1197e32cb3
SA Creation Date: Fri May 8 17:55:52 2009
Life secs: 28800
Initiator Phase1 ID: ipv4/172.16.0.254
Responder Phase1 ID: ipv4/10.130.226.166
Exchange Type: Main mode
Phase1 Transform: EncAlg:AES HashAlg:SHA DHGroup:#2(1024 bit)
Authentication method: Pre-Shared Key
IPSEC SA Rekey Number: 0
Aruba AP
Reference count: 2

(Aruba800) #show crypto ipsec sa
Initiator IP: 172.16.0.254
Responder IP: 10.130.226.166
Initiator: No
Initiator cookie:e03e0b3e40cd7988 Responder cookie:53b42bf5ba9de9e0
SA Creation Date: Fri May 8 17:56:14 2009
Life secs: 7200
Initiator Phase2 ID: 172.16.0.254/255.255.255.255
Responder Phase2 ID: 10.130.226.166/255.255.255.255
Phase2 Transform: EncAlg:esp-aes256 HMAC:esp-sha-hmac
Encapsulation Mode:Transport
PFS: No
OUT SPI 779d7800, IN SPI a8fe4100
L2TP tunnel ID = 7, remote id = 452, innerIP = 1.1.1.7
Aruba AP
Reference count: 3
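Once the policy change is in place, the practical question is whether every RAP has actually re-keyed onto AES. The following Python script is an added example, not part of the original article or of ArubaOS; it parses text in the format of the show crypto isakmp sa / show crypto ipsec sa output above and lists initiators whose phase 1 or phase 2 SA still negotiates something other than AES. The sample input is constructed: the first two records are the article's own listings, the third is a made-up phase 1 record for a peer still on 3DES (the exact EncAlg string a controller prints for 3DES is an assumption; the check only looks for the substring "aes", so it flags anything else).

```python
import re

# Constructed sample input. Records 1 and 2 are the article's listings;
# record 3 is a made-up peer that has not re-keyed onto AES yet
# (the "EncAlg:3DES" spelling is an assumption).
SAMPLE_OUTPUT = """\
Initiator IP: 172.16.0.254
Responder IP: 10.130.226.166
Initiator: No
Initiator cookie:75b0226d1abff80d Responder cookie:f18f8c1197e32cb3
SA Creation Date: Fri May 8 17:55:52 2009
Life secs: 28800
Initiator Phase1 ID: ipv4/172.16.0.254
Responder Phase1 ID: ipv4/10.130.226.166
Exchange Type: Main mode
Phase1 Transform: EncAlg:AES HashAlg:SHA DHGroup:#2(1024 bit)
Authentication method: Pre-Shared Key
IPSEC SA Rekey Number: 0
Aruba AP
Reference count: 2

Initiator IP: 172.16.0.254
Responder IP: 10.130.226.166
Initiator: No
Initiator cookie:e03e0b3e40cd7988 Responder cookie:53b42bf5ba9de9e0
SA Creation Date: Fri May 8 17:56:14 2009
Life secs: 7200
Initiator Phase2 ID: 172.16.0.254/255.255.255.255
Responder Phase2 ID: 10.130.226.166/255.255.255.255
Phase2 Transform: EncAlg:esp-aes256 HMAC:esp-sha-hmac
Encapsulation Mode:Transport
PFS: No
OUT SPI 779d7800, IN SPI a8fe4100
L2TP tunnel ID = 7, remote id = 452, innerIP = 1.1.1.7
Aruba AP
Reference count: 3

Initiator IP: 172.16.0.77
Responder IP: 10.130.226.166
Initiator: No
Exchange Type: Main mode
Phase1 Transform: EncAlg:3DES HashAlg:SHA DHGroup:#2(1024 bit)
Authentication method: Pre-Shared Key
Aruba AP
Reference count: 1
"""

# "Phase1 Transform: EncAlg:AES HashAlg:SHA ..." / "Phase2 Transform: EncAlg:esp-aes256 HMAC:..."
TRANSFORM_RE = re.compile(r"^Phase(?P<phase>[12]) Transform:\s*(?P<fields>.*)$")
# Individual "Name:value" tokens inside the transform line.
FIELD_RE = re.compile(r"(\w+):\s*(\S+)")


def split_records(text):
    """Split show output into per-SA records; each record starts at 'Initiator IP:'."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("Initiator IP:") and current:
            records.append(current)
            current = []
        if line.strip():
            current.append(line)
    if current:
        records.append(current)
    return records


def parse_sa(lines):
    """Extract peer addresses, phase number and the negotiated transform fields."""
    sa = {"initiator": None, "responder": None, "phase": None, "transform": {}}
    for line in lines:
        m = TRANSFORM_RE.match(line)
        if m:
            sa["phase"] = int(m.group("phase"))
            sa["transform"] = dict(FIELD_RE.findall(m.group("fields")))
        elif line.startswith("Initiator IP:"):
            sa["initiator"] = line.split(":", 1)[1].strip()
        elif line.startswith("Responder IP:"):
            sa["responder"] = line.split(":", 1)[1].strip()
    return sa


def uses_aes(sa):
    """True when the encryption algorithm is an AES variant.
    ISAKMP output reports e.g. 'AES'; IPsec output reports e.g. 'esp-aes256'."""
    return "aes" in sa["transform"].get("EncAlg", "").lower()


def audit(text):
    """Return (initiator, phase, EncAlg, compliant) for every SA in the output."""
    results = []
    for rec in split_records(text):
        sa = parse_sa(rec)
        results.append((sa["initiator"], sa["phase"],
                        sa["transform"].get("EncAlg"), uses_aes(sa)))
    return results


def non_aes_peers(text):
    """Sorted initiator addresses with at least one SA not using AES."""
    return sorted({r[0] for r in audit(text) if not r[3]})


if __name__ == "__main__":
    for initiator, phase, alg, ok in audit(SAMPLE_OUTPUT):
        status = "OK" if ok else "NOT AES - still on old transform"
        print(f"{initiator:15} phase {phase}  EncAlg={str(alg):12} {status}")
    print("Peers to re-key:", non_aes_peers(SAMPLE_OUTPUT))
```

Feed it the combined output of both show commands from a controller (for example, saved to a file and read with open().read()) and the peer list it prints is the set of RAPs that still need their SAs cleared so they re-negotiate with the new policy.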

Version history: revision 1 of 1, last updated 06-30-2014 07:53 PM.