
Changing IKE Proposal...

abatson
Level 1

Greetings - I've got a Cisco VPN Concentrator 6030 running 4.7.0 of the SW. I need to change the IKE Proposal to use SHA-1 for FIPS reasons. Currently MD5-HMAC is used. I've altered the IKE proposal configuration so that the SHA items are at the top (see attachment for where I'm doing this), but the IKE proposal that's selected never changes. I backed the changes out, but the screen shot is provided so you can see where I'm carrying out the configuration. I tried disabling the MD5 proposal, and it resulted in my not being able to authenticate at all. What am I missing?

5 Replies

andrew.prince
Level 10

Alex,

What you must remember is that the encryption/HASH is sent in proposal messages and "negotiated" by both sides. Even though you have added it as a preferred option and even moved it to the top of the list, if the remote end is not configured to use it or does not support it, it will not be used.

HTH
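As an added example that is not part of this thread and not Cisco's code, the following Python model of IKEv1 Phase 1 transform selection shows the point above: the responder can only pick a transform that the initiator actually offered, so reordering the proposal list on the concentrator alone cannot move a session to SHA-1 if the client never offers it, and disabling the only transform the client offers leaves no common proposal at all. The transform lists, the names and the two selection policies are constructed assumptions about generic IKEv1 behaviour, not a description of how the concentrator or the VPN client implements them.

```python
"""Model of IKEv1 Phase 1 transform negotiation (added example, not from the thread).

The initiator puts its ordered list of transforms in the SA payload of the first
exchange message; the responder answers with exactly one transform that both
sides accept. A transform the initiator never offered cannot be selected, no
matter how the responder orders its own proposals.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transform:
    """One ISAKMP Phase 1 transform: the attribute set negotiated as a unit."""
    encryption: str   # e.g. "3DES", "AES-128"
    hash_alg: str     # "MD5" or "SHA1" (the HMAC choice at issue in the thread)
    dh_group: int     # Diffie-Hellman group number, e.g. 2
    auth: str         # authentication method, e.g. "XAUTH-PSK"


def negotiate(initiator: List[Transform],
              responder: List[Transform],
              responder_preference: bool = False) -> Optional[Transform]:
    """Return the transform the responder selects, or None if there is no overlap.

    responder_preference=False: the responder honours the initiator's order and
    picks the first offered transform it also accepts.
    responder_preference=True: the responder walks its own ordered list and picks
    the first entry the initiator offered (an assumed alternative policy).
    Either way the result must be present in the initiator's offer.
    """
    first, second = (responder, initiator) if responder_preference else (initiator, responder)
    for t in first:
        if t in second:
            return t
    return None


# Constructed sample lists (assumptions for illustration, not captured from a device).
MD5_XAUTH = Transform("3DES", "MD5", 2, "XAUTH-PSK")
SHA_XAUTH = Transform("3DES", "SHA1", 2, "XAUTH-PSK")

CLIENT_MD5_ONLY = [MD5_XAUTH]                    # a client with no way to change its offer
CLIENT_BOTH = [MD5_XAUTH, SHA_XAUTH]             # a client that offers MD5 first, then SHA-1
CONCENTRATOR_SHA_FIRST = [SHA_XAUTH, MD5_XAUTH]  # SHA-1 proposal moved to the top of the list
CONCENTRATOR_SHA_ONLY = [SHA_XAUTH]              # MD5 proposal disabled


def describe(initiator: List[Transform], responder: List[Transform],
             responder_preference: bool = False) -> str:
    """Human-readable outcome of one negotiation."""
    chosen = negotiate(initiator, responder, responder_preference)
    if chosen is None:
        return "NO PROPOSAL CHOSEN: Phase 1 fails before any authentication happens"
    return f"selected hash={chosen.hash_alg} enc={chosen.encryption} group={chosen.dh_group}"


if __name__ == "__main__":
    print("MD5-only client, SHA first on responder: ", describe(CLIENT_MD5_ONLY, CONCENTRATOR_SHA_FIRST))
    print("same, responder's own order preferred:   ", describe(CLIENT_MD5_ONLY, CONCENTRATOR_SHA_FIRST, True))
    print("MD5-only client, MD5 proposal disabled:  ", describe(CLIENT_MD5_ONLY, CONCENTRATOR_SHA_ONLY))
    print("client offers both, initiator order:     ", describe(CLIENT_BOTH, CONCENTRATOR_SHA_FIRST))
    print("client offers both, responder order:     ", describe(CLIENT_BOTH, CONCENTRATOR_SHA_FIRST, True))
```

The third case is the failure mode from the first post: with the MD5 proposal disabled and a client that offers nothing else, there is no common transform, so Phase 1 never completes and no authentication can take place. SHA-1 is only selected once the client's offer contains it, which is why the peer's offer has to be checked before reordering or disabling proposals on the responder.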

I agree - it's a negotiation - however, the Cisco VPN Client 5.0.x doesn't seem to have any configuration item where you can give it an ordered list of proposals (unless I'm missing something somewhere)

I'm using the newest version of the client available last week on the Software Center.

What does the debugging from the Client show you when the IPSEC session is being negotiated?

I put all the logging (except firewall) on "3_High", and logged in. Unfortunately, there's no info output regarding the proposal, or which hash is accepted. I see a line with the word "HASH" in it:

25 11:40:34.215 10/08/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 1.2.3.4

However, after a few of these go by, PHASE-I is complete, meaning the algorithm has been decided...
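A caveat a practitioner would want here, with an added example that is not from the thread and not Cisco's code: the "HASH" in that log line is the ISAKMP Hash payload (payload type 8, RFC 2408), which authenticates the message in aggressive mode; it does not name the hash algorithm. The algorithm is an attribute inside the SA payload (type 1) of the first exchange message, so only a log line whose payload list contains SA can show what was offered. The parser below classifies the payloads in lines of this format; the payload abbreviations it recognises are an assumption based on the abbreviations seen in the thread, and the two sample log lines are constructed (the second is modelled on the line quoted above).

```python
"""Classify the payloads named in a Cisco VPN Client ISAKMP log line (added example).

The '*' before the payload list marks an encrypted message. 'HASH' is the ISAKMP
Hash payload (type 8), which authenticates the message and says nothing about
which hash algorithm was negotiated. That choice is an attribute of the SA
payload (type 1) carried in the first message of the exchange.
"""
import re
from typing import Dict, List, Optional

# ISAKMP payload type numbers from RFC 2408 section 3.1. The token spellings are
# an assumption about the abbreviations used in client logs, not an exhaustive table.
PAYLOAD_TYPES: Dict[str, int] = {
    "SA": 1, "KE": 4, "ID": 5, "CERT": 6, "CR": 7, "HASH": 8, "SIG": 9,
    "NON": 10, "NONCE": 10, "NOTIFY": 11, "DEL": 12, "VID": 13,
}

LINE_RE = re.compile(
    r"(?P<dir>SENDING >>>|RECEIVING <<<) ISAKMP OAK (?P<mode>\w+) "
    r"(?P<enc>\*?)\((?P<payloads>.*)\) (?:to|from) (?P<peer>\S+)"
)

# Constructed sample log (not a real capture); the second line follows the one in the thread.
SAMPLE_LOG: List[str] = [
    "1     11:40:33.900  10/08/09  Sev=Info/4  IKE/0x63000013 "
    "SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 1.2.3.4",
    "25    11:40:34.215  10/08/09  Sev=Info/4  IKE/0x63000013 "
    "SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 1.2.3.4",
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one ISAKMP log line; return None for lines that are not ISAKMP messages."""
    m = LINE_RE.search(line)
    if not m:
        return None
    payloads = []
    for tok in (p.strip() for p in m.group("payloads").split(",")):
        name = re.split(r"[:(]", tok, maxsplit=1)[0]   # strip qualifiers like ':STATUS_...' or '(Unity)'
        payloads.append({"token": tok, "name": name, "type": PAYLOAD_TYPES.get(name)})
    return {
        "direction": "out" if m.group("dir").startswith("SENDING") else "in",
        "mode": m.group("mode"),            # AG = aggressive, MM = main, QM = quick
        "encrypted": m.group("enc") == "*",
        "peer": m.group("peer"),
        "payloads": payloads,
        # Only a message carrying SA holds the transforms (and so the hash algorithm).
        "carries_sa": any(p["name"] == "SA" for p in payloads),
    }


def sa_line_indexes(log: List[str]) -> List[int]:
    """Indexes of the log lines whose ISAKMP message carries an SA payload."""
    return [i for i, line in enumerate(log)
            if (r := parse_line(line)) is not None and r["carries_sa"]]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG):
        r = parse_line(line)
        names = ", ".join(f"{p['name']}(type {p['type']})" for p in r["payloads"])
        print(f"line {i}: mode={r['mode']} encrypted={r['encrypted']} payloads: {names}")
    print("lines where the offered transforms live:", sa_line_indexes(SAMPLE_LOG))
```

At the logging level quoted above the client prints only payload names, so even the SA-carrying line does not spell out MD5 versus SHA-1; it just tells you which message to look at in a packet capture or in the concentrator's own IKE log.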

OK - what does the logs show in the concentrator?
