01-26-2007 02:35 PM - edited 02-21-2020 02:50 PM
A question... I have a lan-lan VPN between a PIX and another VPN device. Lan-lan is fine. Need to add remote client access to the PIX (they will use the Cisco VPN client). The existing transform set for the lan-lan is 'esp-3des esp-sha-hmac'. I completed the client config portion and want to use transform set 'esp-3des esp-md5-hmac' for them. Not sure what to do about the isakmp policy ## hash... md5 or sha? Can it only be one or the other? When you have lan-lan and clients on the same PIX, do they have to share the same transform set?
01-26-2007 03:10 PM
They don't have to use the same transform-set.
You can also use a different isakmp policy for your lan-to-lan and remote clients.
01-27-2007 12:21 PM
Hi,
The PIX will specify to the VPN client what options are configured. Almost all combinations are supported by the client. You can use isakmp: 3des, group 3, sha and transformset: esp 3des sha
Check:
If you use digital certificates, have a look at:
http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml
Please rate if this helped.
Regards,
Daniel
01-27-2007 12:22 PM
One typo above: isakmp group 2, not 3
01-31-2007 06:19 AM
Thanks to both for the clarification. Haven't had a chance yet to apply this info but it did help clear things up for me.
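Added example, not taken from any post in this thread and not Cisco's own sample: the ISAKMP policy and transform-set commands for running the lan-to-lan tunnel and the remote clients on one PIX, written in the one-line `isakmp policy ## ...` style the question uses. The map, set and ACL names, the networks, the peer address 192.0.2.10, the priority numbers and the choice of sha for the lan-to-lan phase 1 policy are all assumptions made for illustration. Lines starting with a colon are annotations.

```cisco
: Phase 1: two ISAKMP policies on the same PIX. Policies are tried in
: priority order and the first one matching the peer's proposal is used,
: so the hash does not have to be one or the other.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
:
: Phase 2: one transform set per kind of tunnel.
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
crypto ipsec transform-set CLIENT-SET esp-3des esp-md5-hmac
:
: Lan-to-lan entry: static peer, keeps the existing sha transform set.
: Networks and peer address are placeholders.
access-list L2L-ACL permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 ipsec-isakmp
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 192.0.2.10
crypto map OUTSIDE-MAP 10 set transform-set L2L-SET
:
: Remote clients: dynamic map with its own transform set, attached to the
: same crypto map at a higher sequence number than the static entry.
crypto dynamic-map CLIENT-DYN 10 set transform-set CLIENT-SET
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic CLIENT-DYN
:
: One crypto map per interface carries both entries.
crypto map OUTSIDE-MAP interface outside
```

`show isakmp sa` and `show crypto ipsec sa` confirm which policy and transform set each peer actually negotiated.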