Changing IKE Proposal...

Unanswered Question
Oct 7th, 2009

Greetings - I've got a Cisco VPN Concentrator 6030 running 4.7.0 of the SW. I need to change the IKE Proposal to use SHA-1 for FIPS reasons. Currently MD5-HMAC is used. I've altered the IKE proposal configuration so that the SHA items are at the top (see attachment for where I'm doing this), but the IKE proposal that's selected never changes. I backed the changes out, but the screen shot is provided so you can see where I'm carrying out the configuration. I tried disabling the MD5 proposal, and it resulted in my not being able to authenticate at all. What am I missing?

abatson Thu, 10/08/2009 - 07:27

I agree - it's a negotiation - however, the Cisco VPN Client 5.0.x doesn't seem to have any configuration item where you can give it an ordered list of proposals (unless I'm missing something somewhere).

I'm using the newest version of the client available last week on the Software Center.

abatson Thu, 10/08/2009 - 07:53

I put all the logging (except firewall) on "3_High", and logged in. Unfortunately, there's no info output regarding the proposal or which hash is accepted. I see a line with the word "HASH" in it:

25 11:40:34.215 10/08/09 Sev=Info/4 IKE/0x63000013


However, after a few of these go by, PHASE-I is complete, meaning the algorithm has been decided...

