PIX VPN: how to remove AH (Authentication Header)?

Hello,

Pix software 7.0.2: we realized that with our VPN setup, clients behind NAT/PAT routers have problems because of AH (Header Authentication). Where in the config do I disable AH? Here is the relevant part of the config:

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
authentication-server-group (outside) RADIUS
tunnel-group mpivpn type ipsec-ra
tunnel-group mpivpn general-attributes
address-pool adpool
authentication-server-group (outside) RADIUS
default-group-policy mpivpn
tunnel-group mpivpn ipsec-attributes
pre-shared-key xxxxx

Regards, Christoph Gartmann


In article , Christoph Gartmann wrote:
:Pix software 7.0.2: we realized that with our VPN setup, clients behind NAT/PAT
:routers have problems because of AH (Header Authentication). Where in the
:config do I disable AH? Here is the relevant part of the config:

:isakmp nat-traversal 20

That should take care of any difficulties with using NAT/PAT with AH, provided that UDP 4500 is allowed to pass through the network.

:crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
:crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
:crypto dynamic-map outside_dyn_map 20 match address testlist
:crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

You aren't using AH, only 3DES MD5 without AH -- for LAN to LAN connections at least. Some of the parameters you quoted further down suggest to me that your clients are connecting using EzVPN rather than site-to-site LANs, and the parameters for them might be different. Still, the isakmp nat-traversal should take care of the AH problem for the Cisco Unity (VPN) Client as well [provided 4500 can get through.]

Walter Roberson
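As an added illustration of the check Walter walks through above (not code from the thread or from Cisco), here is a small Python audit over the quoted PIX 7.0 config lines: it lists which transform-sets use AH, which of those are actually applied by a crypto or dynamic map, and whether isakmp nat-traversal is enabled. The AH-SHA-ONLY transform-set is a constructed extra line, not part of Christoph's config, added so the AH branch has something to report.

```python
import re

# Constructed sample: the transform-set / map / isakmp lines quoted in the thread,
# plus one AH transform-set (AH-SHA-ONLY) that is NOT in the original config,
# added only to show how an AH set that is defined but never applied is reported.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AH-SHA-ONLY ah-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address testlist
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
"""


def audit_ipsec_nat(config: str) -> dict:
    """Summarise AH usage and NAT-T status from PIX-style crypto config text.

    Returns a dict with:
      ah_sets          - transform-sets whose transforms include an ah-* entry
      ah_sets_applied  - the subset of ah_sets referenced by a crypto/dynamic map
      applied_unknown  - names referenced by a map but never defined
      nat_traversal    - True if an 'isakmp nat-traversal' line is present
    """
    transform_sets = {}  # name -> list of transform keywords
    applied = set()      # transform-set names referenced by "set transform-set"
    nat_t = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = re.search(r"\bset transform-set (.+)", line)
        if m:
            applied.update(m.group(1).split())  # a map may list several sets
            continue
        if re.match(r"isakmp nat-traversal", line):
            nat_t = True
    ah_sets = {n for n, t in transform_sets.items() if any(x.startswith("ah-") for x in t)}
    return {
        "ah_sets": ah_sets,
        "ah_sets_applied": ah_sets & applied,
        "applied_unknown": applied - set(transform_sets),
        "nat_traversal": nat_t,
    }
```

Run against the sample it reports that only ESP transform-sets are applied and NAT-T is on, which is the same conclusion as the reply: the client problem is not AH in the config, and UDP 4500 must be reachable for nat-traversal to help.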
