VPN Client compatible crypto

The samples I used to set up VPN Client connecting to a PIX have me use esp-des and esp-md5-hmac for the ipsec transform-set on the and des/md5 for isakmp on the PIX

Is 3des supported for ipsec and isakmp settings with the 4.6 version of the VPN client? Are any more advanced forms of encryption supported, such as AES?

Reply to
ESM

In article , ESM wrote:
:The samples I used to set up VPN Client connecting to a PIX have me use
:esp-des and esp-md5-hmac for the ipsec transform-set on the and des/md5 for
:isakmp on the PIX

:Is 3des supported for ipsec and isakmp settings with the 4.6 version of the VPN client?

Yes.

:Are any more advanced forms of encryption supported, such as AES?

Yes. AES 128, AES 256 as of PIX 6.3

Examples:

    crypto ipsec transform-set vpn-3-transform ah-sha-hmac esp-3des esp-sha-hmac
    crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac
    isakmp policy 7 authentication pre-share
    isakmp policy 7 encryption aes-256
    isakmp policy 7 hash sha
    isakmp policy 7 group 5
    isakmp policy 7 lifetime 86400
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash sha
    isakmp policy 8 group 2
    isakmp policy 8 lifetime 86400

Notes:

- you need a new license key to activate anything higher than single DES. This key activates 3DES in 6.2, and both 3DES and AES in 6.3.

- it is suggested that one use group 5 for AES

- it is recommended that you use MD5 only for single DES

- oddly, in 6.3, single DES + SHA is not supported (this is not documented but will show up if you try to create the transform)

- in 7.0, one of MD5 or SHA appears to go away according to the documentation; I don't remember which at the moment

Reply to
Walter Roberson
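A small audit script, added here and not part of the thread or of any Cisco tooling, that parses PIX-style "crypto ipsec transform-set" and "isakmp policy" lines and flags the weak choices the notes above warn about (single DES, MD5 with anything stronger than DES, AES without DH group 5), applied to both transform-sets and isakmp policies. The configuration it runs on is constructed, and the PIX defaults it assumes for omitted policy attributes (encryption des, group 1) are marked in comments.

```python
import re

# Constructed sample PIX config: the two transform-sets and two policies from the
# reply above, plus a single-DES transform-set and an AES/MD5/group-2 policy.
SAMPLE_CONFIG = """
crypto ipsec transform-set vpn-3-transform ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac
crypto ipsec transform-set legacy esp-des esp-md5-hmac
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 5
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 9 encryption aes
isakmp policy 9 hash md5
isakmp policy 9 group 2
"""

def parse_isakmp_policies(config):
    """Group 'isakmp policy <n> <attr> <value>' lines by policy number."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def parse_transform_sets(config):
    sets = {}  # transform-set name -> list of transforms
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = m.group(2).split()
    return sets

def audit(config):
    """Return (object, finding) pairs for weak transform-sets and isakmp policies."""
    findings = []
    for name, transforms in parse_transform_sets(config).items():
        if "esp-des" in transforms:
            findings.append((name, "single DES transform"))
        if "esp-md5-hmac" in transforms and "esp-des" not in transforms:
            findings.append((name, "MD5 with a cipher stronger than DES"))
    for num, attrs in parse_isakmp_policies(config).items():
        enc = attrs.get("encryption", "des")  # assumed PIX default when omitted
        if enc == "des":
            findings.append((f"isakmp policy {num}", "single DES encryption"))
        if enc.startswith("aes") and attrs.get("group", "1") != "5":  # default group 1
            findings.append((f"isakmp policy {num}", "AES without DH group 5"))
        if attrs.get("hash") == "md5" and enc != "des":
            findings.append((f"isakmp policy {num}", "MD5 hash with non-DES cipher"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports the "legacy" transform-set for single DES and policy 9 twice (AES on group 2, MD5 with AES); the two sets and policies from the reply pass clean.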

My typical PIX -> Concentrator setup uses esp-3des esp-md5-hmac for ipsec and isakmp as 3des/md5/group2?

You mention it's only recommended to use md5 with des, but not 3des? Are you talking about the isakmp settings, or is it also related to ipsec? So should I use 3des/sha/group2 for isakmp, instead of my usual 3des/md5/group2?

Reply to
ESM
