DES vs 3DES

ncosmetic
Level 1

I have a strange problem with VPN Client 3.5.2 when connecting to PIX 6.0.

When I use pre-share auth I can use DES encryption. When I configure the client to use an MS certificate, the DES policy is not sent via IKE, only 3DES, and the PIX does not find a match. The MS guys say that their certificate services have nothing to do with it and that the client certificate does not contain any info about the encryption level. Is there any way to solve it rather than updating the PIX to use 3DES? DES would be more than enough for me.

3 Replies

r.nair
Level 1

Please check whether you have any IKE proposals defined for DES/MD5 or SHA / Digital Certificate combination in PIX.

If you post the relevant configuration, it would be easy to provide a correct response.

Sure I have. The config is here. Could it be because "ca identity abcd 192.168.1.5:/certsrv/mscep/mscep.dll" is pointing to a local address? I think it is needed only by the PIX, not by the VPN client. IKE is suddenly interrupted during negotiation. Detailed debug info can be viewed at

www.slavon.ru/debug.htm

I can't post it right here because it is too big.

sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dymap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dymap
crypto map mymap client configuration address initiate
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3 address-pool ippool
vpngroup vpn3 dns-server 192.168.1.5
vpngroup vpn3 default-domain generaldata.ru
vpngroup vpn3 split-tunnel aclipsec
vpngroup vpn3 idle-time 1800
vpngroup vpn3 password ********
ca identity abcd 192.168.1.5:/certsrv/mscep/mscep.dll
ca configure abcd ra 1 20 crloptional

Hi,

I also had the problem. It seems that when you use digital certificates with your client, the client does not offer any DES proposal. On my own, I only used the client with pre-shared and solved (my) problem.

But, as you know, it does not scale well.
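The failure described in the original question and confirmed in the last reply is an IKEv1 phase-1 proposal mismatch: the responder (the PIX) only accepts a proposal whose encryption, hash, authentication method and DH group all equal one of its `isakmp policy` entries, so a client that offers 3DES/rsa-sig against a responder that only has DES/rsa-sig has nothing to agree on. The script below is an added example, not code from the thread or from Cisco. It models that matching rule with the two policies from the posted configuration; the client offer lists are an assumption built from what the thread reports (DES and 3DES offered with pre-shared keys, 3DES only with certificates), not a capture of what VPN Client 3.5.2 sends. The "fixed" policy set shows the alternative the thread mentions, a 3DES policy on the PIX, which on PIX 6.0 also requires the 3DES feature licence; DES itself is a 56-bit cipher and is brute-forceable with modest hardware, so moving to 3DES is the better outcome in any case.

```python
# Added example (not from the thread or Cisco): a model of IKEv1 phase-1
# proposal matching. Client offer lists are constructed from the thread's
# description; they are assumptions, not a wire capture.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One ISAKMP proposal (initiator) or policy (responder).
    Lifetime is omitted: a responder accepts any initiator lifetime that
    is not longer than its own, so it does not cause this kind of mismatch."""
    encryption: str   # "des" or "3des"
    hash_alg: str     # "md5" or "sha"
    auth: str         # "pre-share" or "rsa-sig"
    group: int        # Diffie-Hellman group, 1 or 2
    name: str = field(default="", compare=False)  # label only, not compared


# The two isakmp policies from the posted PIX configuration, in priority
# order (the lower policy number is tried first).
PIX_POLICIES: List[Proposal] = [
    Proposal("des", "md5", "rsa-sig", 2, "isakmp policy 10"),
    Proposal("des", "md5", "pre-share", 2, "isakmp policy 20"),
]

# The alternative the thread mentions: a 3DES policy for certificate auth.
# Policy number 5 is a hypothetical choice so it is tried first.
FIXED_POLICIES: List[Proposal] = [
    Proposal("3des", "md5", "rsa-sig", 2, "isakmp policy 5"),
] + PIX_POLICIES


def client_proposals(auth: str) -> List[Proposal]:
    """Constructed approximation of the client's phase-1 offer.

    Assumption taken from the thread: with pre-shared keys the client
    offers both 3DES and DES; with certificates (rsa-sig) it offers 3DES only.
    """
    encs = ["3des", "des"] if auth == "pre-share" else ["3des"]
    return [Proposal(enc, h, auth, 2) for enc in encs for h in ("sha", "md5")]


def negotiate(offered: List[Proposal],
              policies: List[Proposal]) -> Optional[Proposal]:
    """Return the highest-priority responder policy that exactly equals one
    of the offered proposals, or None when no full tuple matches."""
    for policy in policies:
        for prop in offered:
            if prop == policy:
                return policy
    return None


def mismatch_report(offered: List[Proposal],
                    policies: List[Proposal]) -> List[str]:
    """One line per responder policy saying why it cannot be selected.
    This is the question to settle from the debug output before changing
    anything: which attribute does the client never offer?"""
    report = []
    for policy in policies:
        same_auth = [p for p in offered if p.auth == policy.auth]
        if not same_auth:
            report.append(f"{policy.name}: client offers no {policy.auth} proposal")
            continue
        if negotiate(same_auth, [policy]) is not None:
            report.append(f"{policy.name}: matches")
            continue
        wanted = {"encryption": policy.encryption,
                  "hash_alg": policy.hash_alg,
                  "group": policy.group}
        unsatisfied = [f"{attr}={val}" for attr, val in wanted.items()
                       if not any(getattr(p, attr) == val for p in same_auth)]
        if unsatisfied:
            report.append(f"{policy.name}: client never offers "
                          + ", ".join(unsatisfied))
        else:
            report.append(f"{policy.name}: no offered combination matches")
    return report


if __name__ == "__main__":
    for auth in ("pre-share", "rsa-sig"):
        offer = client_proposals(auth)
        print(f"--- client auth {auth}, posted config ---")
        print("selected:", negotiate(offer, PIX_POLICIES))
        for line in mismatch_report(offer, PIX_POLICIES):
            print(" ", line)
    print("--- client auth rsa-sig, with a 3DES policy added ---")
    print("selected:", negotiate(client_proposals("rsa-sig"), FIXED_POLICIES))
```

Running it shows the pre-shared offer landing on policy 20 while the certificate offer matches nothing, with the report naming `encryption=des` as the attribute the client never sends; adding the 3DES/rsa-sig policy is what turns the second case into a match.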