01-26-2007 02:35 PM - edited 02-21-2020 02:50 PM
A question... I have a lan-lan VPN between a PIX and another VPN device. Lan-lan is fine. Need to add remote client access to the PIX (they will use Cisco VPN client). The existing transform set for the lan-lan is 'esp-3des esp-sha-hmac'. I completed the client config portion and want to use transform set 'esp-3des esp-md5-hmac' for them. Not sure what to do about the isakmp policy ## hash... md5 or sha? Can it only be one or the other? When you have lan-lan and clients on the same PIX do they have to share the same transform set?
01-26-2007 03:10 PM
They don't have to use the same transform-set; you can also use a different isakmp policy for your lan-to-lan and remote clients.
01-27-2007 12:21 PM
Hi,
The PIX will specify to the VPN client what options are configured. Almost all combinations are supported by the client. You can use isakmp: 3des, group 3, sha and transform set: esp 3des sha
Check:
If you use digital certificates, have a look at:
http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml
Please rate if this helped.
Regards,
Daniel
01-27-2007 12:22 PM
One typo above: isakmp group 2, not 3
01-31-2007 06:19 AM
Thanks to both for the clarification. Haven't had a chance yet to apply this info but it did help clear things up for me.