Secure Network Management: Setting Up SSH on Cisco Routers

SSH (Secure Shell) is a widely-used protocol for securing remote access to devices, including Cisco routers. Over time, Cisco IOS has evolved, bringing updates and enhancements to the way SSH is implemented and configured. This article explores the differences in configuring SSH on older versus newer Cisco platforms, providing insights into changes that can impact administrators managing network security.

---

### **Setting the Foundation: Basic SSH Configuration**

The steps for setting up SSH on a Cisco router generally follow a consistent flow:

1. **Set the Hostname**

   A unique hostname is required to create the SSH key.

   Router(config)# hostname Router1

2. **Specify a Domain Name**

   A domain name is necessary for generating RSA keys.

   Router(config)# ip domain-name example.com

3. **Generate RSA Keys**

   RSA key generation is essential for encrypting SSH traffic.

   Router(config)# crypto key generate rsa

   Key size determines the strength of encryption. A larger key size provides stronger encryption but takes longer to compute. Modern configurations often recommend a minimum key size of 2048 bits for enhanced security.

4. **Configure SSH Parameters**

   Adjust parameters like timeout and authentication retries to secure access.

   Router(config)# ip ssh time-out 120

   Router(config)# ip ssh authentication-retries 4

---

### **Key Differences in Modern SSH Configuration**

#### **1. Default SSH Version**

In older setups, the default SSH version may have been SSH 1.x, which is less secure and outdated. Administrators needed to explicitly enable SSH Version 2:

Router(config)# ip ssh version 2

Modern implementations default to SSH Version 2, eliminating the need for manual configuration. This ensures stronger encryption and improved compatibility out of the box.

---

#### **2. RSA Key Size Requirements**

Older configurations often allowed RSA key sizes as small as 360 bits, with 512 bits being the default. For example:

Router(config)# crypto key generate rsa

How many bits in the modulus [512]: 1024

In current implementations, the minimum key size has increased to 1024 bits, and best practices recommend using 2048 bits or higher to align with modern security standards. Smaller key sizes are no longer supported, reducing the risk of weak encryption.

---

#### **3. Encryption Algorithms**

Modern SSH implementations support advanced encryption algorithms, including AES-256 and other stronger ciphers. Older versions relied on less secure algorithms that are now considered vulnerable. While the configuration commands remain similar, newer systems ensure robust encryption without requiring manual adjustments.

---

#### **4. Enhanced Logging and Debugging**

Recent versions provide more detailed logging for SSH operations. For example, enabling SSH might generate the following message:

%SSH-5-ENABLED: SSH 2.0 has been enabled

This feedback makes it easier for administrators to verify the protocol version and confirm successful configuration.

---

#### **5. IPv6 Support**

Older systems primarily focused on IPv4, while newer implementations include native support for IPv6. This ensures SSH can be configured and accessed in dual-stack environments seamlessly:

Router(config)# ipv6 ssh server enable

---

### **Best Practices for Secure SSH Configuration**

1. **Use Strong Encryption**

   Always use RSA keys of at least 2048 bits. Modern platforms may support even larger keys for heightened security.

2. **Restrict Access**

   Use access control lists (ACLs) to limit SSH access to specific IP addresses.

3. **Implement User Authentication**

   Leverage local user accounts or integrate with an authentication server for secure login credentials:

   Router(config)# username admin privilege 15 secret strongpassword

4. **Regularly Update Firmware**

   Keep your router’s software updated to benefit from the latest SSH enhancements and security patches.

---

### **Conclusion**

SSH has become a cornerstone of secure network management, and its configuration on Cisco routers has evolved significantly. Modern implementations emphasize stronger encryption, default to secure settings, and offer better tools for monitoring and troubleshooting. By understanding these changes, administrators can ensure their networks are both secure and compliant with current standards.

Configuring Site-to-Site IPSec VPN with Aggressive Mode on Cisco Routers (Old vs New IOS)

Key Takeaway: Aggressive Mode is faster but less secure than Main Mode. It is mainly used when one side has a dynamic IP.

Table of Contents

• Introduction
• What is Aggressive Mode?
• Crypto Math Explained
• Old IOS Configuration
• New IOS Configuration
• Verification & CLI Output
• Troubleshooting
• Related Articles

Introduction

IPSec VPNs are used to securely connect two networks over an untrusted network like the internet.

Aggressive Mode is a type of IKE Phase 1 negotiation that completes faster than Main Mode but exposes identity early.

What is Aggressive Mode?

Aggressive Mode reduces the number of message exchanges from 6 (Main Mode) to 3.

Deep Explanation

It sends identity information in clear text early in the exchange, making it faster but less secure.

Crypto Math (Simple Explanation)

IPSec uses encryption and hashing.

Encryption (Confidentiality)

Ciphertext = Encrypt(Plaintext, Key)

👉 Converts readable data into unreadable form.

Hashing (Integrity)

Hash = H(Data)

👉 Ensures data is not modified.

Key Exchange (Diffie-Hellman Simplified)

Shared Key = (Public Key ^ Private Key) mod p

👉 Both sides generate the same key without sending it directly.

Important: Security in IPSec comes from math — encryption + hashing + key exchange.

Old IOS Configuration

Router 1 Config

crypto isakmp policy 10 encr aes hash sha authentication pre-share group 2 crypto isakmp key cisco123 address 2.2.2.2 crypto isakmp profile AGGR match identity address 2.2.2.2 keyring default self-identity address crypto ipsec transform-set TS esp-aes esp-sha-hmac crypto map VPN 10 ipsec-isakmp set peer 2.2.2.2 set transform-set TS match address 100 interface Gig0/0 crypto map VPN

New IOS Configuration (Post 15.9)

Modern Configuration

crypto ikev1 policy 10 encryption aes hash sha authentication pre-share group 2 crypto ikev1 enable Gig0/0 crypto ikev1 profile AGGR match identity remote address 2.2.2.2 authentication remote pre-share authentication local pre-share keyring local KR crypto ipsec profile IPSEC-PROFILE set transform-set TS interface Tunnel0 tunnel protection ipsec profile IPSEC-PROFILE

Verification & CLI Output

Commands

show crypto isakmp sa show crypto ipsec sa

Sample Output

Router# show crypto isakmp sa dst src state conn-id 2.2.2.2 1.1.1.1 QM_IDLE 1001

IKE Phase 1 Aggressive Mode Packet Flow (Step-by-Step)

Aggressive Mode completes Phase 1 in just 3 messages, unlike Main Mode which uses 6.

Key Idea: Faster negotiation = fewer messages, but identity is exposed early.

Message Flow Breakdown

Message 1 (Initiator → Responder)

• Encryption algorithms
• Hash algorithm
• DH group
• Identity (EXPOSED)
• Public key (DH)

Message 2 (Responder → Initiator)

• Selected proposal
• Responder identity
• Public key
• Hash

Message 3 (Initiator → Responder)

• Authentication (hash)
• Confirms shared key

Why Aggressive Mode is Less Secure

• Identity sent in plaintext
• Susceptible to dictionary attacks
• No identity protection

Important: Always prefer Main Mode unless dynamic IP is involved.

Aggressive Mode vs Main Mode

Feature	Aggressive Mode	Main Mode
Messages	3	6
Speed	Fast	Slower
Security	Lower	Higher
Identity Protection	No	Yes
Use Case	Dynamic IP	Static IP

Deep Crypto Math (CCNP Simplified)

Diffie-Hellman Key Exchange

Shared Secret = (g^a mod p)^b mod p

👉 Both peers generate the same key without sending it over the network.

Simple Analogy

Think of mixing colors:

• Public color = shared
• Private color = secret
• Final mix = shared secret

Hash Authentication

HASH = H(Shared Key + Data)

👉 Ensures both sides have the same key and data is not altered.

Real Debug Output Analysis

Command

debug crypto isakmp

Sample Output

ISAKMP:(0):Aggressive mode peer = 2.2.2.2 ISAKMP:(0): processing SA payload ISAKMP:(0): processing KE payload ISAKMP:(0): processing ID payload ISAKMP:(0): SA established

Explanation (Line-by-Line)

• processing SA payload → Negotiating encryption settings
• processing KE payload → Diffie-Hellman exchange
• processing ID payload → Identity exchange (visible!)
• SA established → Tunnel is ready

Wireshark-Level Understanding (Without Tool)

If you captured packets, you would see:

• UDP 500 traffic
• IKE messages in 3 steps
• Identity visible in packet 1

Key Insight: Aggressive Mode exposes identity in the first packet itself.

Interview Questions (Very Important)

Click to Expand

Q1: Why is Aggressive Mode insecure?

Because identity is sent in plaintext and fewer exchanges reduce protection.

Q2: When should you use Aggressive Mode?

When one side has a dynamic IP.

Q3: Difference between Phase 1 and Phase 2?

Phase 1 establishes secure channel, Phase 2 protects data traffic.

Q4: What is QM_IDLE?

Indicates Phase 2 is complete and tunnel is active.

Q5: Common failure reason?

Pre-shared key mismatch or ACL mismatch.

Advanced Troubleshooting Tips

• Check NAT-T (UDP 4500)
• Verify ISAKMP policies match
• Check transform-set mismatch
• Ensure interesting traffic ACL is correct

show crypto session show crypto ikev1 sa

Final CCNP Takeaway: Aggressive Mode is a trade-off — speed vs security. Know when to use it and how it works internally.

Troubleshooting

• Check pre-shared key mismatch
• Verify ACLs
• Check NAT issues
• Use debug commands

debug crypto isakmp debug crypto ipsec

Related Articles

• IPSec VPN with PKI
• Basic VPN with NAT
• EasyVPN Guide
• IKE Phase 2 ASA
• EasyVPN NEM
• PKI Dynamic VPN

Conclusion

Aggressive Mode is useful in dynamic IP scenarios but should be used carefully due to security trade-offs.

Final Tip: Use Main Mode whenever possible. Use Aggressive Mode only when required.