09-16-2003 09:41 AM - edited 03-09-2019 04:48 AM
I have several remote sites that have a PIX 506E that connect to the headquarters office to a VPN 3030 concentrator. Currently we are using 3DES encryption. I'd like to use AES 256. Do you have any sample configs using AES 256 from the PIX point of view? I figure it has to be like the following:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 20.20.20.20
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
I was also reading where I shouldn't use Diffie-Hellman group 1 or 2 and should use group 5. Is this true? Why? Are there any other recommendations you can make to the config as far as security and efficiency?
Thanks in advance
09-22-2003 07:20 AM
Even I read that Diffie-Hellman group 5 should be used.
Any update on this?
09-22-2003 08:57 AM
AES does not support DH1, only DH 2 and 5, and as I understand it DH5 is the preferred.
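Added example, not part of any post in this thread: a small Python check that runs over the crypto and isakmp lines posted in the question and confirms they hang together and match what the thread settles on (AES-256 in the transform set and the ISAKMP policy, DH group 5). The function name audit and the finding messages are made up for this illustration; the parsing covers only the command forms that appear in the posted config.

```python
# Crypto/isakmp lines as posted in the question (key already masked there).
POSTED_CONFIG = """\
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 20.20.20.20
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
"""

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    tsets, policies = {}, {}
    peers, keyed, used = set(), set(), set()
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) >= 5:
            tsets[w[3]] = w[4:]                      # set name -> transforms
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"] and len(w) >= 7:
            peers.add(w[6])
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "transform-set"]:
            used.update(w[6:])
        elif w[:2] == ["isakmp", "key"] and w[3:4] == ["address"] and len(w) >= 5:
            keyed.add(w[4])
        elif w[:2] == ["isakmp", "policy"] and len(w) >= 5:
            policies.setdefault(w[2], {})[w[3]] = w[4]
    # Cross-reference checks: every name or peer the crypto map uses must exist.
    findings = [f"undefined transform-set {n}" for n in sorted(used - set(tsets))]
    findings += [f"peer {p} has no isakmp key" for p in sorted(peers - keyed)]
    for name, transforms in sorted(tsets.items()):
        if "esp-aes-256" not in transforms:
            findings.append(f"transform-set {name} does not use esp-aes-256")
    for num, p in sorted(policies.items()):
        enc, grp = p.get("encryption", "unset"), p.get("group", "unset")
        if enc != "aes-256":
            findings.append(f"isakmp policy {num} encryption is {enc}, not aes-256")
        if grp != "5":
            findings.append(f"isakmp policy {num} uses DH group {grp}, not group 5")
    return findings

if __name__ == "__main__":
    print(audit(POSTED_CONFIG) or "all checks passed")
```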