Difference between configuration on crypto level

AndyWaldoz
Level 1

Could anyone explain to me the difference between the following configurations for the crypto auth. subject, please?

Config 1):

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key BranchOffice address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set TRANSFORM_BRANCH esp-3des esp-md5-hmac
!
crypto map ENCRYPT_BRANCH 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set TRANSFORM_BRANCH
 set pfs group1
 match address 191

Config 2):

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 18000
crypto isakmp key Branch0ffice address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set TRANSFORM_BRANCH esp-3des esp-md5-hmac
!
crypto map ENCRYPT_BRANCH 1 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set TRANSFORM_BRANCH
 match address 191

thx 4 the reply

1 Reply

ehirsel
Level 6

The main difference is that config-2 will use a lifetime for the IKE (Phase 1) SAs, 3DES to protect the phase 1 process, and DH Group 2. Most remote peers are likely to use either DES or 3DES for phase 1; however, the most likely reasons for failure if you use config-2 are that the remote peer does not have a lifetime coded (other than the default), and/or it may not use DH groups as part of phase 1, so before you use it, ensure that the remote side can use the same DH group and has a lifetime configured. The lifetime does not have to match yours, but it is better if they match, as there may be an issue where the side with the higher timeout will fail to renegotiate when it initiates it because the other side has the lower timeout value. Newer code may not have that problem.

I have had to remove the timeout for phase-1 SAs on my VPN gateways because of that issue, which will stop the apps (using phase 2) from working.

With respect to phase 2 (IPsec) SAs, that is the crypto maps, config-1 is using DH group 1 for PFS, while config-2 is not using it. Again, both peers will need to use PFS and the same group. PFS basically says not to derive a new key from the existing one.

Let me know if this helps.
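A small checker, added here as an example (not code from the thread or from Cisco), that reads two IOS-style snippets and reports the phase-1 and PFS differences the reply above walks through. It assumes the classic IOS ISAKMP policy defaults (des, sha, rsa-sig, group 1, lifetime 86400 s) for lines that are absent, and reads only the first policy and crypto map in each snippet.

```python
# Classic IOS ISAKMP policy defaults, used when a line is absent (assumption for this example).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

def parse_crypto(config: str) -> dict:
    """Return the first 'crypto isakmp policy' (defaults filled in) and the crypto map's PFS group."""
    policy, pfs, section = dict(ISAKMP_DEFAULTS), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy"):
            section = "policy"
        elif line.startswith("crypto map"):
            section = "map"
        elif line.startswith("crypto") or line == "!":
            section = None                      # key, transform-set, '!' separators: not compared here
        elif section == "policy":
            key, _, value = line.partition(" ")
            key = "encr" if key == "encryption" else key   # running-config abbreviates 'encryption'
            if key in policy:
                policy[key] = value
        elif section == "map" and line.startswith("set pfs"):
            pfs = line.split()[2]               # e.g. 'group1'; stays None when PFS is not set
    return {"policy": policy, "pfs": pfs}

def compare(local: str, remote: str) -> list:
    """List the phase-1 and PFS settings on which the two peers disagree."""
    issues, a, b = [], parse_crypto(local), parse_crypto(remote)
    for key in ("encr", "hash", "authentication", "group"):
        if a["policy"][key] != b["policy"][key]:
            issues.append(f"phase1 {key}: {a['policy'][key]} vs {b['policy'][key]}")
    la, lb = int(a["policy"]["lifetime"]), int(b["policy"]["lifetime"])
    if la != lb:   # need not match, but the reply warns the longer side may fail to renegotiate
        issues.append(f"phase1 lifetime: {la}s vs {lb}s (longer side may fail to rekey)")
    if a["pfs"] != b["pfs"]:
        issues.append(f"phase2 pfs: {a['pfs'] or 'off'} vs {b['pfs'] or 'off'}")
    return issues

# The question's two configurations, trimmed to the lines this comparison reads.
CONFIG_1 = """crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto map ENCRYPT_BRANCH 1 ipsec-isakmp
 set pfs group1"""
CONFIG_2 = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 18000
crypto map ENCRYPT_BRANCH 1 ipsec-isakmp"""
print(*compare(CONFIG_1, CONFIG_2), sep="\n")
```

Run against the two configurations from the question it lists four differences: phase-1 encryption, DH group and lifetime, plus PFS on only one side.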