09-16-2003 09:41 AM - edited 03-09-2019 04:48 AM
I have several remote sites that have a PIX 506E that connect to the headquarters office to a VPN 3030 concentrator. Currently we are using 3DES encryption. I'd like to use AES 256. Do you have any sample configs using AES 256 from the PIX point of view? I figure it has to be like the following:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 20.20.20.20
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
I was also reading where I shouldn't use Diffie-Hellman group 1 or 2 and should use group 5. Is this true? Why? Are there any other recommendations you can make to the config as far as security and efficiency?
Thanks in advance
09-22-2003 07:20 AM
Even I read that Diffie-Hellman group 5 should be used.
Any update on this?
09-22-2003 08:57 AM
AES does not support DH1, only DH 2 and 5, and as I understand it DH5 is the preferred.
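One way to check a saved PIX configuration against the two statements in this thread (AES is not used with DH group 1; group 5 is preferred), as an added example that is not part of any post above. The function names and the policy 20 lines in the sample are hypothetical and constructed for illustration.

```python
import re

# Constructed sample input: the isakmp policy lines from the question above,
# plus a hypothetical policy 20 that pairs AES with DH group 1.
SAMPLE_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 group 1
"""

POLICY_RE = re.compile(r"^\s*isakmp policy (\d+) (\S+) (\S+)\s*$")


def parse_policies(config_text):
    """Collect 'isakmp policy <n> <keyword> <value>' lines into {n: {keyword: value}}."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            prio, key, value = m.groups()
            policies.setdefault(int(prio), {})[key] = value
    return policies


def audit_policies(policies):
    """Return (priority, message) findings based on the thread's two statements."""
    findings = []
    for prio in sorted(policies):
        p = policies[prio]
        enc = p.get("encryption", "")
        group = p.get("group")
        if group is None:
            findings.append((prio, "DH group not set explicitly"))
        elif enc.startswith("aes") and group == "1":
            findings.append((prio, "AES with DH group 1 (unsupported per the reply)"))
        elif group != "5":
            findings.append((prio, "DH group %s in use; group 5 is preferred" % group))
    return findings


if __name__ == "__main__":
    for prio, msg in audit_policies(parse_policies(SAMPLE_CONFIG)):
        print("policy %d: %s" % (prio, msg))
```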