VPN RA IPSec transform set

Unanswered Question
Jan 19th, 2009

I've managed to establish VPN-RA connections using aes-128 sha.

This is the running config:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map VPN_RA 20 set pfs
crypto dynamic-map VPN_RA 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic VPN_RA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

I tried then to use aes-192, however I keep getting "%ASA-5-713904: All IPSec SA proposals found unacceptable!" and the connection is dropped.

Some doubt then arises: do I necessarily have to employ aes-192 for both PHASE 1 and PHASE 2?

Is there something else I have to change? (DH Group 5?)

Ivan Martinon Mon, 01/19/2009 - 09:48

Phase 1 and 2 do not need to have the same configuration; you can use AES 256 if you want on phase 1 and aes 128 on phase 2. DH 5 is documented to work with RA setup, however I have never seen this setup working, so my advice is to always use DH2.

Carlo Zaina Tue, 01/20/2009 - 03:13

Perfect, this is clear.

However, how come then that if I change the transform set, the negotiation ends with "all proposals are unacceptable"?

Ivan Martinon Tue, 01/20/2009 - 07:54

I believe it has to do with the client version, some vpn clients (older ones) did not support higher encryption.
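As an added illustration of the two answers above (not code from the thread or from Cisco), the following Python models how an ASA settles Phase 1 and Phase 2 independently for a remote-access client. The ASA-style config lines, the client proposal sets and the first-match selection logic are all constructed here for the example; in particular it assumes the ASA walks the transform sets listed on the dynamic map in order and takes the first one the client also proposes, which is why listing a 128-bit set after the 192-bit one lets an older client that only offers AES-128 still connect while newer clients negotiate AES-192.

```python
"""Simplified model of ASA remote-access proposal matching (constructed example)."""
import re

# Constructed ASA-style config: AES-192 preferred, AES-128 as fallback for
# older clients; Phase 1 policies are tried independently, lowest number first.
CONFIG = """
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map VPN_RA 20 set transform-set ESP-AES-192-SHA ESP-AES-128-SHA
crypto isakmp policy 10
 encryption aes-256
 hash sha
 group 2
crypto isakmp policy 20
 encryption aes
 hash sha
 group 2
"""

# Listing only the AES-192 set reproduces the failure reported in the question.
STRICT_CONFIG = CONFIG.replace("ESP-AES-192-SHA ESP-AES-128-SHA", "ESP-AES-192-SHA")

# Constructed client capabilities: Phase 1 as (encryption, hash, group),
# Phase 2 as (esp encryption, esp hash).
OLD_CLIENT_P1 = {("aes", "sha", 2)}                       # AES-128 only
OLD_CLIENT_P2 = {("esp-aes", "esp-sha-hmac")}
NEW_CLIENT_P1 = {("aes-256", "sha", 2), ("aes", "sha", 2)}
NEW_CLIENT_P2 = {("esp-aes-192", "esp-sha-hmac"), ("esp-aes", "esp-sha-hmac")}

SYSLOG_UNACCEPTABLE = "%ASA-5-713904: All IPSec SA proposals found unacceptable!"


def parse_config(text):
    """Return (transform_sets, dynmap_order, isakmp_policies) from ASA-style lines."""
    transform_sets = {}   # name -> (encryption, hash)
    dynmap_order = []     # transform-set names in the order the dynamic map lists them
    policies = []         # (priority, {sub-command: value})
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            transform_sets[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", line)
        if m:
            dynmap_order = m.group(1).split()
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policies.append((int(m.group(1)), {}))
            continue
        if policies and " " in line:          # sub-command of the current policy
            key, value = line.split(" ", 1)
            policies[-1][1][key] = value
    policies.sort(key=lambda p: p[0])         # lower policy number is tried first
    return transform_sets, dynmap_order, policies


def select_isakmp_policy(policies, client_phase1):
    """Phase 1: first configured policy that the client also proposes, else None."""
    for priority, p in policies:
        if (p.get("encryption"), p.get("hash"), int(p.get("group", 0))) in client_phase1:
            return priority
    return None


def select_transform_set(transform_sets, dynmap_order, client_phase2):
    """Phase 2: first transform set on the dynamic map that the client proposes."""
    for name in dynmap_order:
        if transform_sets[name] in client_phase2:
            return name
    return None


def negotiate(config_text, client_phase1, client_phase2):
    """Run both phases; Phase 2 failure yields the syslog text seen in the thread."""
    transform_sets, order, policies = parse_config(config_text)
    p1 = select_isakmp_policy(policies, client_phase1)
    if p1 is None:
        return {"phase1": None, "phase2": None, "status": "Phase 1 failed: no matching ISAKMP policy"}
    p2 = select_transform_set(transform_sets, order, client_phase2)
    if p2 is None:
        return {"phase1": p1, "phase2": None, "status": SYSLOG_UNACCEPTABLE}
    return {"phase1": p1, "phase2": p2, "status": "ok"}


if __name__ == "__main__":
    print(negotiate(CONFIG, OLD_CLIENT_P1, OLD_CLIENT_P2))         # falls back to AES-128
    print(negotiate(STRICT_CONFIG, OLD_CLIENT_P1, OLD_CLIENT_P2))  # proposals unacceptable
    print(negotiate(CONFIG, NEW_CLIENT_P1, NEW_CLIENT_P2))         # AES-256 / AES-192
```

The third call shows Ivan's first point: Phase 1 lands on policy 10 (AES-256) while Phase 2 lands on the AES-192 transform set, so the two phases carry different ciphers. The second call shows his second point: an older client that only offers AES-128 hits a map that accepts nothing but AES-192 and produces the 713904 message, while the first call shows that keeping a 128-bit set as a later entry on the map lets that client connect.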
