VPN client supports IPSec AH?

milan.kulik
Level 10

I've just configured my remote access VPN using Cisco VPN client 4.0.4.

I'm establishing an IPSec tunnel to PIX running sw ver. 6.3(3).

I'd like to establish a "super secure" IPsec connection using both ESP and AH.

When I use

crypto ipsec transform-set trmset2 esp-aes-256 esp-sha-hmac

on my PIX, everything works fine.

But adding AH to the transform set, i.e.

crypto ipsec transform-set trmset1 ah-sha-hmac esp-aes-256 esp-sha-hmac

prevents the VPN client from connecting to the PIX.

Debugging crypto ipsec is showing several lines of similar content:

IPSEC(validate_proposal): transform proposal (prot 3, trans 11, hmac_alg 2) not supported

I also tried to disable the Enable Transparent Tunneling (i.e. NAT traversal) option in the VPN client configuration - no change.

So it seems to me Cisco VPN doesn't support AH while connecting via IPSec.

Can anybody either confirm or explain how to enable AH for the VPN client?

Thanks,

Milan

4 Replies

mostiguy
Level 6

Cisco has a list in the client release notes of what transforms are supported, but that said, ESP-HMAC does an awful lot of what AH does, which is why not many use it.

Could you please provide the link?

The only one I've found is the IKE proposal list (http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757) which doesn't say anything about AH...

Thanks,

Milan

I would tend to think the phase 2 chart says it all. Basically, it looks like ESP only. They do provide for null encryption, and hashing with either MD5 or SHA, which is probably what they would recommend for someone looking for AH-like behaviour.

I can't agree.

It really "looks" like ESP only. But there is no chart title saying what it really means.

That's why I'm looking for some other document.

And definitely ESP with null encryption and MD5 or SHA hashing is not the same as AH.

As far as I understand IPSec, it should be possible to use ESP and AH at the same time.

Regards,

Milan
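The point the last two posts disagree on, as an added illustration that is not code from the thread, from Cisco or from any IPsec implementation: the script below computes an AH-style and an ESP-style HMAC-SHA-1-96 over a constructed IPv4 packet, following the integrity coverage rules of RFC 4302 (AH) and RFC 4303 (ESP), and shows that only the AH ICV notices a rewrite of the outer destination address while still tolerating a TTL decrement. The key, SPI, addresses and payload are constructed sample values, IP options are not handled, and the payload simply stands in for the ciphertext an ESP sender would authenticate.

```python
import hmac, hashlib, struct

# Constructed demo values (not from any real tunnel): HMAC-SHA-1 key, SPI,
# sequence number, a stand-in payload and the outer addresses.
KEY = bytes(range(20))
SPI, SEQ = 0x1000, 1
PAYLOAD = b"inner packet, already encrypted in the ESP case"
SRC, DST = bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10])

def ipv4_header(dst, ttl=64):
    # 20-byte IPv4 header carrying AH (protocol 51); checksum left zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 24 + len(PAYLOAD),
                       0x1234, 0x4000, ttl, 51, 0, SRC, dst)

def ah_icv(ip_hdr, payload):
    # RFC 4302: MAC over the IP header with mutable fields zeroed, the AH
    # header with its ICV field zeroed, and the payload.
    h = bytearray(ip_hdr)
    h[1] = 0                # TOS
    h[6:8] = bytes(2)       # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = bytes(2)     # header checksum
    # next header 6 (TCP), payload len 4 = 24 bytes/4 - 2, reserved, SPI,
    # sequence number, then 96 zero bits standing in for the ICV.
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, SPI, SEQ) + bytes(12)
    return hmac.new(KEY, bytes(h) + ah_hdr + payload, hashlib.sha1).digest()[:12]

def esp_icv(_ip_hdr, payload):
    # RFC 4303: MAC over SPI + sequence number + encrypted payload only; the
    # outer IP header is not an input, so ESP authentication cannot see it.
    return hmac.new(KEY, struct.pack("!II", SPI, SEQ) + payload,
                    hashlib.sha1).digest()[:12]

def detects_change(icv_fn, original_hdr, modified_hdr):
    # True if the receiver's recomputed ICV no longer matches what was sent.
    return icv_fn(modified_hdr, PAYLOAD) != icv_fn(original_hdr, PAYLOAD)

def compare_header_protection():
    # Rewrite the destination (immutable field) and decrement the TTL
    # (mutable field), then ask each ICV whether it noticed.
    orig = ipv4_header(DST)
    new_dst = ipv4_header(bytes([198, 51, 100, 7]))
    new_ttl = ipv4_header(DST, ttl=63)
    return {
        "ah_sees_dst_rewrite": detects_change(ah_icv, orig, new_dst),
        "esp_sees_dst_rewrite": detects_change(esp_icv, orig, new_dst),
        "ah_sees_ttl_decrement": detects_change(ah_icv, orig, new_ttl),
    }
```

Running `compare_header_protection()` returns `ah_sees_dst_rewrite` True, `esp_sees_dst_rewrite` False and `ah_sees_ttl_decrement` False, which is exactly the header-integrity property ESP with null encryption does not give you.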