In article , ESM wrote:
:The samples I used to set up VPN Client connecting to a PIX have me use
:esp-des and esp-md5-hmac for the ipsec transform-set on the and des/md5 for
:isakmp on the PIX

:Is 3des supported for ipsec and isakmp settings with the 4.6 version of the
:VPN client?
Yes.
:Are any more advanced forms of encryption supported, such as
:AES?
Yes. AES 128, AES 256 as of PIX 6.3
Examples:

  crypto ipsec transform-set vpn-3-transform ah-sha-hmac esp-3des esp-sha-hmac
  crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac

  isakmp policy 7 authentication pre-share
  isakmp policy 7 encryption aes-256
  isakmp policy 7 hash sha
  isakmp policy 7 group 5
  isakmp policy 7 lifetime 86400

  isakmp policy 8 authentication pre-share
  isakmp policy 8 encryption 3des
  isakmp policy 8 hash sha
  isakmp policy 8 group 2
  isakmp policy 8 lifetime 86400
Notes:
- you need a new license key to activate anything higher than single DES. This key activates 3DES in 6.2, and both 3DES and AES in 6.3.
- it is suggested that one use group 5 for AES
- it is recommended that you use MD5 only for single DES
- oddly, in 6.3, single DES + SHA is not supported (this is not documented but will show up if you try to create the transform)
- in 7.0, one of MD5 or SHA appears to go away according to the documentation; I don't remember which at the moment
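The notes above can be turned into a quick check over a saved PIX configuration. The following is an added example, not part of the original post and not Cisco tooling: it flags transform-sets and ISAKMP policies that depart from those notes. The `lint` function, the `old-des` transform-set and policy 9 are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: the post's policies 7 and 8 and its AES transform-set,
# plus two made-up entries (old-des, policy 9) that go against the notes.
SAMPLE = """\
crypto ipsec transform-set vc-ea256s esp-aes-256 esp-sha-hmac
crypto ipsec transform-set old-des esp-des esp-sha-hmac
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash sha
isakmp policy 7 group 5
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 9 encryption aes
isakmp policy 9 hash md5
isakmp policy 9 group 2
"""
STRONGER_ESP = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
MD5_NOTE = "MD5 used with a cipher other than single DES"

def lint(config):
    """Return (subject, finding) pairs where the config departs from the notes."""
    findings, policies = [], defaultdict(dict)
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            name, transforms = words[3], set(words[4:])
            if {"esp-des", "esp-sha-hmac"} <= transforms:
                findings.append((name, "single DES + SHA (post: rejected by 6.3)"))
            if "esp-md5-hmac" in transforms and transforms & STRONGER_ESP:
                findings.append((name, MD5_NOTE))
        elif words[:2] == ["isakmp", "policy"] and len(words) >= 5:
            policies[words[2]][words[3]] = words[4]  # collect settings per policy
    for num, p in sorted(policies.items(), key=lambda kv: int(kv[0])):
        enc, subject = p.get("encryption", ""), "isakmp policy " + num
        if enc.startswith("aes") and p.get("group") != "5":
            findings.append((subject, "AES without group 5"))
        if p.get("hash") == "md5" and enc not in ("", "des"):
            findings.append((subject, MD5_NOTE))
    return findings

if __name__ == "__main__":
    for subject, finding in lint(SAMPLE):
        print(f"{subject}: {finding}")
```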