01-21-2005 07:20 AM - edited 02-21-2020 01:33 PM
Should I be able to use a PIX running 6.3(3) with the Cisco VPN Client 4.0.1c or 4.6(01) with a transform set using AES?
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
isakmp client configuration address-pool local vpn outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
01-21-2005 06:00 PM
I think so, but you have to change the ISAKMP parameters also!
!--- Permit packet that came from an IPSec tunnel to pass through without
!--- checking them against the configured conduits/access lists.
sysopt connection permit-ipsec
!--- Define the transform set to be used during IPSec
!--- security association (SA) negotiation. Specify AES as the encryption algorithm.
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
!--- Create a dynamic crypto map entry
!--- and add it to a static crypto map.
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
!--- Bind the crypto map to the outside interface.
crypto map map1 interface outside
!--- Enable Internet Security Association and Key Management
!--- Protocol (ISAKMP) negotiation on the interface on which the IPSec
!--- peer communicates with the PIX firewall.
isakmp enable outside
isakmp identity address
!--- Define an ISAKMP policy to be used while
!--- negotiating the ISAKMP SA. Specify
!--- AES as the encryption algorithm. The configurable AES
!--- options are aes, aes-192 and aes-256.
!--- Note: AES 192 is not supported by the VPN Client.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- Create a VPN group and configure the policy attributes which are
!--- downloaded to the Easy VPN Clients.
vpngroup groupmarketing address-pool vpnpool1
vpngroup groupmarketing dns-server 10.10.11.5
vpngroup groupmarketing wins-server 10.10.11.5
vpngroup groupmarketing default-domain org1.com
vpngroup groupmarketing split-tunnel 102
vpngroup groupmarketing idle-time 1800
vpngroup groupmarketing password ********
See: How to Configure the Cisco VPN Client to PIX with AES
Sincerely,
Patrick
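The point of the reply, that the transform set and the ISAKMP policy have to be looked at together, can be checked mechanically before the configuration is applied. The script below is an added example, not code from this thread or from Cisco: it parses the two fragments posted above (embedded here as constructed input strings, with the reply's comment lines dropped), reports where the ISAKMP (phase 1) cipher differs from the IPsec transform-set (phase 2) cipher, and reports when a fragment has no `isakmp enable` or no crypto map bound to an interface. The keyword-to-cipher tables and the treatment of a policy without an `encryption` line as DES (the PIX default) are assumptions about the PIX 6.x CLI, not something the thread states.

```python
"""Consistency checks for a PIX 6.x IPsec remote-access fragment (added example)."""
import re

# Constructed input: the fragment posted in the question (3DES for ISAKMP, AES for IPsec).
QUESTION_CONFIG = """\
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
isakmp client configuration address-pool local vpn outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Constructed input: the relevant lines of the reply's fragment (AES-256 at both phases).
REPLY_CONFIG = """\
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup groupmarketing address-pool vpnpool1
"""

# PIX keyword -> (cipher family, key bits). Assumed mapping of the CLI keywords
# shown on this page; extend it if your configuration uses other transforms.
ESP_CIPHERS = {
    "esp-des": ("des", 56), "esp-3des": ("3des", 168),
    "esp-aes": ("aes", 128), "esp-aes-192": ("aes", 192), "esp-aes-256": ("aes", 256),
}
ISAKMP_CIPHERS = {
    "des": ("des", 56), "3des": ("3des", 168),
    "aes": ("aes", 128), "aes-192": ("aes", 192), "aes-256": ("aes", 256),
}


def parse_config(text):
    """Pull out transform sets, ISAKMP policies, crypto-map bindings and isakmp-enabled interfaces."""
    transform_sets = {}       # name -> (family, bits, integrity transform or None)
    policies = {}             # priority -> {attribute: value}
    bound_interfaces = set()  # interfaces that have a crypto map applied
    isakmp_enabled = set()    # interfaces with 'isakmp enable'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or '!--- comment'
        m = re.match(r"crypto ipsec transform-set (\S+) (\S+)(?: (\S+))?$", line)
        if m:
            name, esp, mac = m.groups()
            family, bits = ESP_CIPHERS.get(esp, ("unknown", 0))
            transform_sets[name] = (family, bits, mac)
            continue
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
            continue
        m = re.match(r"crypto map \S+ interface (\S+)$", line)
        if m:
            bound_interfaces.add(m.group(1))
            continue
        m = re.match(r"isakmp enable (\S+)$", line)
        if m:
            isakmp_enabled.add(m.group(1))
    return transform_sets, policies, bound_interfaces, isakmp_enabled


def check_config(text):
    """Return a list of findings; an empty list means the fragment passed every check."""
    transform_sets, policies, bound, enabled = parse_config(text)
    findings = []
    if not transform_sets:
        findings.append("no 'crypto ipsec transform-set' defined")
    if not policies:
        findings.append("no 'isakmp policy' defined")
    phase2 = {(family, bits) for family, bits, _mac in transform_sets.values()}
    for prio, attrs in sorted(policies.items()):
        enc = attrs.get("encryption", "des")  # assumed PIX default when the line is absent
        family, _bits = ISAKMP_CIPHERS.get(enc, ("unknown", 0))
        for p2_family, p2_bits in sorted(phase2):
            if family != p2_family:
                findings.append(
                    f"isakmp policy {prio} encrypts with {enc} but the transform set uses "
                    f"{p2_family}-{p2_bits}: review the ISAKMP parameters as well")
    if not bound:
        findings.append("no crypto map is bound to an interface ('crypto map <name> interface <if>')")
    if not enabled:
        findings.append("ISAKMP is not enabled on any interface ('isakmp enable <if>')")
    for iface in sorted(bound - enabled):
        findings.append(f"crypto map bound to {iface} but 'isakmp enable {iface}' is missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("reply", REPLY_CONFIG)):
        print(f"{label}: {check_config(cfg) or ['ok']}")
```

Run against the question's fragment the script reports the 3DES/AES difference plus the two lines that fragment does not show (`isakmp enable` and the crypto-map binding); the reply's fragment produces no findings. The check only compares cipher families, so a policy using `aes` next to an `esp-aes-256` transform set passes; tighten the comparison to `(family, bits)` if you want key sizes to match too.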
01-24-2005 02:41 AM