New Member

question on AES-256

I have several remote sites that have a PIX 506E that connect to the headquarters office to a VPN 3030 concentrator. Currently we are using 3DES encryption. I'd like to use AES-256. Do you have any sample configs using AES-256 from the PIX point of view? I figure it has to be like the following:

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 20.20.20.20
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800

I was also reading that I shouldn't use Diffie-Hellman group 1 or 2 and should use group 5. Is this true? Why? Are there any other recommendations you can make to the config as far as security and efficiency?

Thanks in advance
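As an added example (not from this thread or from Cisco), here is a small Python check that parses PIX 6.x `isakmp policy` and `crypto ipsec transform-set` lines like the ones posted above and flags the settings the thread discusses (3DES, DH group 1 and 2) along with MD5 integrity; the second policy and the `oldset` transform set in the sample are constructed for contrast.

```python
import re

# Constructed sample: the poster's PIX 6.x lines plus a weaker policy/transform set for contrast.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto ipsec transform-set oldset esp-3des esp-md5-hmac
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
"""

WEAK_ENCRYPTION = {"des", "3des"}          # DES and 3DES: legacy ciphers
WEAK_HASH = {"md5"}                        # MD5 for IKE/ESP integrity
WEAK_GROUPS = {"1", "2"}                   # DH 768/1024-bit; group 5 is 1536-bit

def parse_config(config):
    """Return ({policy_num: {attr: value}}, {set_name: [transforms]})."""
    policies, sets = {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\S+) (\S+)", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            sets[m.group(1)] = m.group(2).split()
    return policies, sets

def audit(config):
    """Flag ISAKMP policies and transform sets using weak algorithms or DH groups."""
    policies, sets = parse_config(config)
    findings = []
    for num, p in sorted(policies.items()):
        if p.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {num}: encryption {p['encryption']} is weak")
        if p.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash {p['hash']} is weak")
        if p.get("group") in WEAK_GROUPS:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is below group 5")
    for name, transforms in sets.items():
        for t in transforms:
            if t.removeprefix("esp-") in WEAK_ENCRYPTION:
                findings.append(f"transform-set {name}: {t} is weak")
            elif t == "esp-md5-hmac":
                findings.append(f"transform-set {name}: {t} uses MD5")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see that the poster's own policy 10 passes on cipher and DH group but is flagged for MD5, while the constructed policy 20 is flagged for both 3DES and group 1.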

2 REPLIES
New Member

Re: question on AES-256

Even I read that Diffie-Hellman group 5 should be used.

Any update on this?

New Member

Re: question on AES-256

AES does not support DH1, only DH 2 and 5, and as I understand it DH5 is the preferred one.
