01-19-2009 08:11 AM - edited 02-21-2020 04:07 PM
I've managed to establish a VPN-RA connection using aes-128 sha.
This is the running config:
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map VPN_RA 20 set pfs
crypto dynamic-map VPN_RA 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic VPN_RA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
I then tried to use aes-192; however, I keep getting "%ASA-5-713904: All IPSec SA proposals found unacceptable!" and the connection is dropped.
Some doubt then arises: do I necessarily have to employ aes-192 for both PHASE 1 and PHASE 2?
Is there something else I have to change? (DH Group 5?)
01-19-2009 09:48 AM
Phase 1 and 2 do not need to have the same configuration; you can use AES 256 if you want on phase 1 and AES 128 on phase 2. DH 5 is documented to work with RA setup; however, I have never seen this setup working, so my advice is to always use DH2.
01-20-2009 03:13 AM
Perfect, this is clear.
However, how come then that if I change the transform set, the negotiation ends with "all proposals are unacceptable"?
01-20-2009 07:54 AM
I believe it has to do with the client version; some VPN clients (older ones) did not support higher encryption.
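Added example, not posted by anyone in this thread: one way to keep the posted Phase 1 policy while letting the dynamic map accept either AES-192 or AES-128 in Phase 2, so a client that cannot propose AES-192 still has a set to match. The name ESP-AES-192-SHA is hypothetical, and the syntax assumes the same pre-8.4 ASA command set used in the config above.

```cisco
! Phase 2: one transform set per AES key size.
! ESP-AES-192-SHA is a hypothetical name chosen for this example.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
! List both sets on the dynamic map entry. If only the AES-192 set is
! listed and the client proposes only AES-128, no Phase 2 proposal
! matches and the ASA logs %ASA-5-713904.
crypto dynamic-map VPN_RA 20 set pfs
crypto dynamic-map VPN_RA 20 set transform-set ESP-AES-192-SHA ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic VPN_RA
crypto map outside_map interface outside
! Phase 1 (ISAKMP) is negotiated separately and is left as posted.
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
```

After a client connects, `show crypto ipsec sa` on the ASA shows which transform set was actually negotiated.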