Transform set security

Unanswered Question
Jun 19th, 2007

We allow IPSEC over L2TP connections to our PIX-525 for remote VPN. The current transform set in place is esp-3des with esp-md5-hmac. I'd prefer AES, but we have to allow connectivity to native WinXP clients for our users, (this obviously means we are also in Transport Mode.) Am I already at the strongest encryption that WinXP will understand without installing Cisco's VPN client?

Also, do I have to leave MSCHAP enabled for authentication to meet the above requirements? (Authentication is done against an internal Win2003 IAS server.) I'd prefer not to, but is CHAP considered any better?

Just trying to QA my VPN implementation...
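For reference, here is the PIX configuration shape the question describes, extended so the firewall offers an AES transform set first and falls back to the existing 3DES/MD5 set for clients that only propose 3DES. This is an added example, not configuration from the poster or from Cisco; the transform-set, dynamic-map and crypto-map names and the sequence numbers are assumed.

```cisco
! Stronger set, offered first (assumed name)
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! L2TP/IPsec requires transport mode, as noted in the question
crypto ipsec transform-set ESP-AES256-SHA mode transport

! The set currently in place, kept as a fallback (assumed name)
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 mode transport

! Remote clients have unknown addresses, so a dynamic map is used.
! Sets are tried in the listed order; the first one the client
! also proposes is the one negotiated.
crypto dynamic-map DYN-L2TP 10 set transform-set ESP-AES256-SHA ESP-3DES-MD5

! Attach the dynamic map at the end of the outside crypto map
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2TP
crypto map OUTSIDE-MAP interface outside
```

After applying this, `show crypto ipsec sa` on the PIX shows which transform was actually negotiated per client, which answers the "strongest my clients will accept" question empirically rather than by assumption.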

smalkeric Mon, 06/25/2007 - 11:48

I think the default algorithm for Windows XP Service Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES) using a 256-bit key. I think you had better leave MSCHAP enabled for authentication.

James.Ren Wed, 06/27/2007 - 04:00

Do you mean L2TP using IPSec as the encryption method? WinXP can be assigned preconfigured IPSec policies with the IP Security Policies on Local Computer snap-in in the MMC. From the Security Methods tab, you can customize your ESP transform set.

Also you need to configure no l2tp tunnel authentication as you have chosen IPSec.

PPP needs CHAP to negotiate a tunnel, so I think it's needed here. But I had trouble in my case using other authentication lists like RADIUS or TACACS. So if you are using an external authentication list, could you share with us?
