Cisco Support Community

Client VPN with Specific IKE Proposals - Can we do it?

We have a Cisco VPN 3030 and are using the Cisco VPN Client 4.x. Currently all users end up with the same phase 1 proposal when they connect, regardless of the settings we choose for their group properties. We create a specific named proposal and a specific named SA which references the aforementioned proposal. We create a group for our users, and in the group we specify our named SA. However, everyone ends up using *the first proposal in the list of proposals on the concentrator* rather than the one that is supposed to be part of the SA.

This is important for us as we want to have several proposals that are all the same except they have different lifetimes for the phase 1 re-key.

From what I have been able to read, the named SA and associated IKE proposal are getting ignored when clients connect because it is the client initiating the proposal instead of the concentrator.

So...is there a way around this?

1 REPLY
ovt (Bronze)

Re: Client VPN with Specific IKE Proposals - Can we do it?

In *theory* this is possible in Aggressive Mode only (the default), because the initiator's Identity (i.e. group name) is sent in the first IKE message to the responder (and in the clear). The first message also contains all the Phase 1 proposals. However, this is *not* possible in Main Mode, because the Identity is sent in message 5 and the Phase 1 proposals are sent in message 1. This is how IKE was designed by smart IETF guys.

I think that VPN3000 designers decided to implement this in a uniform way, regardless of the IKE mode being used. So, ... no way?
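A small model of what the reply describes, added here as an illustration rather than code from the thread or from the VPN 3000: it builds message 1 of each IKEv1 mode and shows which Phase 1 proposal a responder can select from it. The proposal names, lifetimes and group names are constructed configuration values.

```python
# Constructed model of IKEv1 Phase 1 proposal selection; not VPN 3000 code.
# Proposal names, lifetimes and group names are made-up configuration values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    name: str
    lifetime: int  # Phase 1 SA lifetime in seconds


# Concentrator side (constructed): the global proposal list in priority order,
# and the per-group SA, each referencing one named proposal by name.
GLOBAL_PROPOSALS = [
    Proposal("IKE-3DES-MD5", 86400),  # first in the list
    Proposal("IKE-3DES-MD5-4H", 14400),
    Proposal("IKE-3DES-MD5-8H", 28800),
]
GROUP_SA_PROPOSAL = {"engineering": "IKE-3DES-MD5-4H", "sales": "IKE-3DES-MD5-8H"}


def initiator_msg1(mode, group, offered):
    """Build the initiator's first IKE message for the given mode.

    Aggressive mode sends the SA payload (all Phase 1 proposals) together
    with the identity (the group name) in message 1, in the clear. Main mode
    sends only the SA payload in message 1; the identity follows in message 5.
    """
    msg = {"sa": list(offered)}
    if mode == "aggressive":
        msg["id"] = group
    return msg


def responder_select(mode, msg1, group_aware=True):
    """Pick the Phase 1 proposal the responder accepts from message 1.

    group_aware=True models the behaviour the reply calls possible "in theory"
    for aggressive mode; group_aware=False models a responder that ignores
    the identity and always walks its global list (what the question reports).
    """
    offered = set(msg1["sa"])
    if group_aware and mode == "aggressive" and "id" in msg1:
        wanted = GROUP_SA_PROPOSAL.get(msg1["id"])
        for p in GLOBAL_PROPOSALS:
            if p.name == wanted and p in offered:
                return p
    # Main mode, unknown group, or a mode-agnostic responder: the first entry
    # of the global list that the client offered wins.
    return next((p for p in GLOBAL_PROPOSALS if p in offered), None)
```

In main mode the responder has already committed to a proposal from message 1 before it ever sees the identity, which is why a per-group choice cannot be honoured there; in aggressive mode the choice is possible, at the cost of the group name travelling unencrypted.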
