Diffie-Hellman

VPN 3000 guide says that

"Group 5 (1536-bits) is the default choice for use with the AES encryption algorithms. It works only for LAN-to-LAN connections, and for clients using certificates".

but then it also says that one of the default IKE proposals is:

"CiscoVPNClient3DES-MD5-DH5 = Use preshared keys (XAUTH) and MD5/HMAC-128 for authentication. Use 3DES-168 encryption. Use D-H Group 5 to generate SA keys. This selection allows XAUTH user-based authentication"

Does this mean that this particular proposal can be used only for LAN-to-LAN connections or is there something I'm missing?

Thank you

profile0104

"CiscoVPNClient3DES-MD5-DH5" is intended for remote access VPNs. This policy uses XAUTH for remote access *user* authentication (IPsec peer [*device*] authentication takes place during IKE phase 1), and is designed to be used with either the Cisco VPN client or hardware client such as Easy VPN on IOS (EzVPN).

If you really want to use group 5 (or any other group), you can, of course, modify one of the standard policies or create your own policy by going to Configuration > Tunneling and Security > IPSec > IKE Proposals, and selecting a proposal and clicking 'modify' (to modify an existing IKE policy), or clicking 'Add' and creating your own bespoke policy (note that the XAUTH/CRACK/HYBRID modes of authentication are intended for remote access, not LAN-to-LAN).

Here's some more info on the subject of authentication, including XAUTH/CRACK/HYBRID:

Hope that helps,

Mark

CCIE#6280 / CCSI#21051 / JNCIS#121 / etc.


Thank you for your help Mark, but there's still something I don't understand.

The guide says: "...Group 5 ... works only for LAN-to-LAN connections, and clients using certificates..." and then it gives an example of a default IKE proposal which uses DH5 for clients using preshared keys. Wasn't DH5 supposed to work with certificates only?

Bye

profile0104

Yeah, group 5 is only meant for certs.

rave