encryption [aes|3des|des]
Specifies the encryption algorithm to use for IPsec phase 1 (ISAKMP) proposals, ensuring confidentiality of key management traffic.
When to Use This Command
- Configuring a site-to-site VPN between two branch offices requiring AES-256 encryption for security compliance.
- Setting up a remote-access VPN for employees where the VPN concentrator must support 3DES for legacy client compatibility.
- Migrating from DES to AES in a production VPN to meet updated security standards without disrupting existing tunnels.
- Creating multiple ISAKMP policies with different encryption strengths to match peer capabilities during VPN negotiation.
Command Examples
Configure ISAKMP policy with AES-256 encryption
crypto isakmp policy 10
encryption aes 256
authentication pre-share
group 5
lifetime 86400
Output:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
The command 'encryption aes 256' sets the encryption algorithm to AES with a 256-bit key. The output shows the policy configuration after entering the commands. 'encr aes 256' confirms the encryption setting. 'authentication pre-share' sets the authentication method. 'group 5' specifies the Diffie-Hellman group. 'lifetime 86400' sets the SA lifetime in seconds.
Configure ISAKMP policy with 3DES encryption
crypto isakmp policy 20
encryption 3des
authentication rsa-sig
group 2
lifetime 3600
Output:
crypto isakmp policy 20
 encr 3des
 authentication rsa-sig
 group 2
 lifetime 3600
The command 'encryption 3des' sets the encryption algorithm to 3DES. The output shows the policy with 'encr 3des'. 'authentication rsa-sig' uses RSA signatures. 'group 2' is a weaker DH group. 'lifetime 3600' sets a shorter lifetime.
Understanding the Output
The output of 'show crypto isakmp policy' displays each configured ISAKMP policy with its parameters. The 'encr' field shows the encryption algorithm (e.g., 'aes 256', '3des', 'des'). A missing or incorrect encryption setting can cause negotiation failures. In a real network, ensure both peers have matching encryption algorithms. Good values are 'aes 256' or 'aes 192' for strong security; 'des' is weak and should be avoided. Watch for mismatched policies that could prevent VPN establishment.
CCNA Exam Tips
CCNA exam tip: The encryption command is configured in ISAKMP policy configuration mode, not global config.
CCNA exam tip: AES is the strongest encryption; DES is deprecated and rarely used in modern networks.
CCNA exam tip: For the exam, remember that both peers must have at least one matching ISAKMP policy (including encryption) to form a VPN.
CCNA exam tip: The default ISAKMP policy uses DES encryption; you must explicitly configure stronger encryption for security.
Common Mistakes
Mistake 1: Using 'encryption aes' without specifying key size (defaults to 128-bit, which may be insufficient).
Mistake 2: Configuring encryption in global config mode instead of ISAKMP policy config mode, causing syntax error.
Mistake 3: Forgetting to match encryption algorithms between peers, leading to 'no proposal chosen' errors.
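As an added example, not part of this reference page: a small Python audit script that parses the 'encr', 'authentication' and 'group' lines of two peers' running configurations, fills in the IOS defaults for lines the running config omits (assumed here to be DES, SHA, RSA signatures, group 1, 86400 seconds), reports which policy pairs would match during negotiation (so a 'no proposal chosen' failure is caught before the tunnel is brought up) and flags policies still using DES/3DES or DH group 1/2. The config excerpts are constructed samples, not real device output.

```python
import re
# Constructed running-config excerpts for two VPN peers (sample data, not real device output).
PEER_A = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp policy 20
 encr 3des
 authentication rsa-sig
 group 2
 lifetime 3600
"""
PEER_B = """\
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp policy 15
 encr des
 authentication pre-share
 group 1
"""
# IOS omits default values from the running config; these assumed ISAKMP defaults fill the gaps.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}
WEAK_ENCR, WEAK_GROUPS = {"des", "3des"}, {"1", "2"}
MATCH_FIELDS = ("encr", "hash", "authentication", "group")  # IKEv1 attributes both peers must agree on

def parse_isakmp_policies(config):
    """Return {priority: {field: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies[int(m.group(1))] = dict(DEFAULTS)
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = "aes 128" if value == "aes" else value  # bare 'encr aes' means 128-bit
        else:
            current = None  # any non-indented line ends the policy sub-mode
    return policies

def negotiable_pairs(local, remote):
    """(local, remote) priority pairs whose attributes match, in the order IKE tries them."""
    return [(lp, rp) for lp, lv in sorted(local.items()) for rp, rv in sorted(remote.items())
            if all(lv[f] == rv[f] for f in MATCH_FIELDS)]

def weak_policies(policies):
    """Priorities still using DES/3DES or DH group 1/2 (the values this page says to avoid)."""
    return sorted(p for p, v in policies.items() if v["encr"] in WEAK_ENCR or v["group"] in WEAK_GROUPS)
```

Run the two parsers over both peers and the script reports that only policy 10 on peer A and policy 5 on peer B can negotiate, while policy 20 (3DES, group 2) and policy 15 (DES, group 1) are flagged for remediation.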
Related Commands
crypto ipsec transform-set [name] esp-aes esp-sha-hmac
Defines an IPsec transform set specifying the encryption and authentication algorithms to protect VPN traffic, used when configuring an IPsec VPN policy.
crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKE) policy for IPsec VPN negotiations, defining encryption, authentication, and key exchange parameters.