VPN RA IPSec transform set

Carlo Zaina
Level 1

I've managed to establish a VPN-RA connection using aes-128 sha.

This is the running config:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto dynamic-map VPN_RA 20 set pfs

crypto dynamic-map VPN_RA 20 set transform-set ESP-AES-128-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic VPN_RA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

I then tried to use aes-192; however, I keep getting "%ASA-5-713904: All IPSec SA proposals found unacceptable!" and the connection is dropped.

Some doubt then arises: do I necessarily have to employ aes-192 for both PHASE 1 and PHASE 2?

Is there something else I have to change? (DH Group 5?)

3 Replies

Ivan Martinon
Level 7

Phase 1 and 2 do not need to have the same configuration; you can use AES 256 if you want on phase 1 and AES 128 on phase 2. DH 5 is documented to work with RA setup; however, I have never seen this setup working, so my advice is to always use DH2.

Perfect, this is clear.

However, how come, then, that if I change the transform set, the negotiation ends with an "all proposals are unacceptable"?

I believe it has to do with the client version; some VPN clients (older ones) did not support higher encryption.
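
The matching discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of a gateway checking a client's Phase 1 and Phase 2 proposals independently. The client offer lists are constructed, the older client lacking AES-192 is the assumption from the last reply, the second transform-set name is hypothetical, and lifetimes and PFS are left out.

```python
"""Simplified model of IKEv1 proposal matching on the responder (illustration only)."""
from typing import NamedTuple, Optional, Sequence


class Phase1(NamedTuple):  # one "crypto isakmp policy"
    encryption: str
    hash: str
    dh_group: int


class Phase2(NamedTuple):  # one "crypto ipsec transform-set"
    esp_encryption: str
    esp_auth: str


def select(local: Sequence, offered: Sequence) -> Optional[tuple]:
    """First locally configured entry the peer also offered (assumed local priority order)."""
    return next((entry for entry in local if entry in offered), None)


def negotiate(policies, transform_sets, client_p1, client_p2) -> str:
    """Match Phase 1 and Phase 2 independently; either one can fail on its own."""
    p1 = select(policies, client_p1)
    if p1 is None:
        return "phase 1 failed: no matching ISAKMP policy"
    p2 = select(transform_sets, client_p2)
    if p2 is None:
        return "phase 2 failed: all IPSec SA proposals found unacceptable"
    return f"up: phase1={p1.encryption} phase2={p2.esp_encryption}"


# Gateway side, mirroring the posted config ("aes" is AES-128 on the ASA).
POLICY_20 = Phase1("aes", "sha", 2)
ESP_AES_128_SHA = Phase2("esp-aes", "esp-sha-hmac")
ESP_AES_192_SHA = Phase2("esp-aes-192", "esp-sha-hmac")  # hypothetical second set

# Constructed client offers. The old client lacking AES-192 is an assumption.
CLIENT_P1 = [Phase1("aes", "sha", 2), Phase1("3des", "sha", 2)]
OLD_CLIENT_P2 = [ESP_AES_128_SHA, Phase2("esp-3des", "esp-sha-hmac")]
NEW_CLIENT_P2 = [ESP_AES_192_SHA] + OLD_CLIENT_P2

if __name__ == "__main__":
    # Only AES-192 configured, old client: the failure from the thread.
    print(negotiate([POLICY_20], [ESP_AES_192_SHA], CLIENT_P1, OLD_CLIENT_P2))
    # Phase 1 stays AES-128 while Phase 2 uses AES-192: fine if the client offers it.
    print(negotiate([POLICY_20], [ESP_AES_192_SHA], CLIENT_P1, NEW_CLIENT_P2))
    # Both sets listed, strongest first: the old client falls back to AES-128.
    print(negotiate([POLICY_20], [ESP_AES_192_SHA, ESP_AES_128_SHA], CLIENT_P1, OLD_CLIENT_P2))
```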
