question on AES-256

atdhingr
Level 1

I have several remote sites that have a pix 506e that connect to the headquarters office to a vpn 3030 concentrator. Currently we are using 3des encryption. I'd like to use AES 256. Do you have any sample configs using aes 256 from the pix point of view? I figure it has to be like the following:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 20.20.20.20
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800

I was also reading that I shouldn't use Diffie-Hellman group 1 or 2 and should use group 5. Is this true? Why? Are there any other recommendations you can make to the config as far as security and efficiency?

Thanks in advance
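An added check, not from this thread or from Cisco: a small Python audit that parses the PIX lines posted above (embedded as a constructed sample) and flags what the thread advises against, an ISAKMP DH group below 5 (group 1 is a 768-bit modulus, group 2 is 1024-bit, group 5 is 1536-bit, and the modulus size bounds how well the exchange protects the session keys) and any phase 1 policy or phase 2 transform set still on 3DES. The `min_dh_group` parameter and the assumption that a policy with no `group` line falls back to group 1 are mine, not from the post.

```python
import re

# Constructed sample: the PIX configuration from the post above, with the
# pre-shared key masked as the forum rendered it.
PIX_CONFIG = """\
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 20.20.20.20
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
"""

# MODP modulus size in bits for the IKEv1 DH groups a PIX can negotiate.
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536}

def parse_pix_crypto(config):
    """Return ({policy_number: {attr: value}}, {transform_set_name: [algs]})."""
    policies, transform_sets = {}, {}
    for line in config.splitlines():
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
    return policies, transform_sets

def audit(config, min_dh_group=5):
    policies, transform_sets = parse_pix_crypto(config)
    findings = []
    for num, p in sorted(policies.items()):
        group = int(p.get("group", "1"))  # assumed PIX default when no group line is set
        if group < min_dh_group:
            findings.append(f"policy {num}: DH group {group} ({DH_MODULUS_BITS[group]}-bit) is below group {min_dh_group}")
        if p.get("encryption") == "3des":
            findings.append(f"policy {num}: IKE still negotiates 3des")
    for name, algs in transform_sets.items():
        if not any(a.startswith("esp-aes") for a in algs):
            findings.append(f"transform-set {name}: ESP is not AES ({' '.join(algs)})")
    return findings
```

Running `audit(PIX_CONFIG)` on the posted config returns no findings, since it already uses group 5 and AES-256 in both phases.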

2 Replies

sirpa_k
Level 1

I also read that Diffie-Hellman group 5 should be used.

Any update on this?

cdipietro
Level 1

AES does not support DH1, only DH 2 and 5, and as I understand it DH5 is the preferred one.