DES vs. Triple DES in Cisco VPN client

Unanswered Question
Jan 30th, 2007

I have a client (a Dr. Office) that is connecting to their Main Site remotely using the Cisco VPN client on a workstation. The Main office has a PIX 501 that receives the VPN connection successfully when the VPN client is launched from the remote site.

While the tunnel is up and working, it does take an exorbitant amount of time to get apps to work thru it.

Is there a way to tell the Cisco VPN client how to use DES vs. Triple DES?? I have 3DES configured on the PIX and I do know how to change it there.

I just don't see anywhere in the VPN client that would allow me to change to DES....

Are there any other recommendations for getting more performance thru the tunnel??

Thanks

Collin Clark Tue, 01/30/2007 - 11:41

The client gets the encryption from the PIX. Your ISAKMP policies dictate what will be used by the policy number. Here's an example-

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

The VPN client will try and use policy 10 before policy 30. If the client is not compatible with 10, it will go down the list to 30 and try that one.

HTH and please rate.
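
How the priority ordering described above plays out, as an added example that is not part of the original thread: it parses the `isakmp policy` lines from the post, returns the lowest-numbered policy that matches a client proposal, and lists policies that use DES or MD5. The client proposal lists are constructed assumptions, and lifetime is left out of the match as a simplification.

```python
import re

# The two policies from the post above, embedded so the example runs offline.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
"""
# Constructed client proposal lists (assumptions, not captured traffic).
P_3DES = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}
P_DES = {"authentication": "pre-share", "encryption": "des", "hash": "md5", "group": "2"}
CLIENT_BOTH = [P_3DES, P_DES]
CLIENT_3DES_ONLY = [P_3DES]

WEAK = {"encryption": {"des"}, "hash": {"md5"}}
LINE = re.compile(r"^\s*(?:crypto\s+)?isakmp policy (\d+) (\S+) (\S+)\s*$")
MATCH_KEYS = ("authentication", "encryption", "hash", "group")  # lifetime omitted (simplification)

def parse_policies(config):
    """Return {priority: {attribute: value}} built from 'isakmp policy' lines."""
    policies = {}
    for line in config.splitlines():
        m = LINE.match(line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def select_policy(policies, proposals):
    """Return the lowest-numbered policy that matches any client proposal, else None."""
    for prio in sorted(policies):
        if any(all(policies[prio].get(k) == p.get(k) for k in MATCH_KEYS) for p in proposals):
            return prio
    return None

def weak_policies(policies):
    """Return {priority: [settings]} for policies that use DES or MD5."""
    found = {}
    for prio in sorted(policies):
        hits = [f"{a} {policies[prio][a]}" for a in WEAK if policies[prio].get(a) in WEAK[a]]
        if hits:
            found[prio] = hits
    return found

if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    print("client offers 3DES and DES ->", select_policy(pols, CLIENT_BOTH))
    print("client offers 3DES only    ->", select_policy(pols, CLIENT_3DES_ONLY))
    print("weak policies:", weak_policies(pols))
```

With policy 10 present, a client that offers both suites lands on DES/MD5, so the negotiated strength is set by the lowest-numbered policy the client can match.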

scottosan Tue, 01/30/2007 - 13:05

I would bet your issue has less to do with encryption type, and more to do with either bandwidth or fragmentation.

ggilbert Tue, 01/30/2007 - 14:09

DES or 3DES gets dictated by the headend device and there is no setting on the VPN client to say which encryption standard to use.

With regard to your problem, have you tried simple ping tests with packet sizes ranging from 1100 to 1400 for a particular application server that you are trying to access?

See where it fails. Set the MTU to that packet size and let me know the results.

Thanks

Gilbert
