question on AES-256

atdhingr
Level 1

I have several remote sites that have a PIX 506E that connect to the headquarters office to a VPN 3030 concentrator. Currently we are using 3DES encryption. I'd like to use AES 256. Do you have any sample configs using AES 256 from the PIX point of view? I figure it has to be like the following:

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address 100

crypto map newmap 10 set peer 20.20.20.20

crypto map newmap 10 set transform-set myset

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address 20.20.20.20 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash md5

isakmp policy 10 group 5

isakmp policy 10 lifetime 28800

I was also reading where I shouldn't use Diffie-Hellman group 1 or 2 and should use group 5. Is this true? Why? Are there any other recommendations you can make to the config as far as security and efficiency?

Thanks in advance

2 Replies

sirpa_k
Level 1

Even I read that Diffie-Hellman group 5 should be used.

Any update on this?

cdipietro
Level 1

AES does not support DH1, only DH 2 and 5, and as I understand it DH5 is the preferred.
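
An added example, not part of the thread and not Cisco tooling: a Python check over the configuration posted in the question that confirms the crypto map, transform set, peer key and ISAKMP policy agree with one another, and applies the replies' advice to pair AES with DH group 5. The function names and finding texts are assumptions of this example, and the sample text is constructed from the question's lines.

```python
# Constructed sample: the IPsec/ISAKMP lines posted in the question (key masked).
SAMPLE = """\
crypto ipsec transform-set myset esp-aes-256 esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 100
crypto map newmap 10 set peer 20.20.20.20
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 20.20.20.20 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 28800
"""

def parse(config):
    """Collect the PIX-style settings that have to agree with each other."""
    c = dict({k: set() for k in ("tsets", "used", "peers", "keys", "map_ifs", "ike_ifs")}, policies={})
    for w in (line.split() for line in config.splitlines()):
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            c["tsets"].add(w[3])                      # defined transform-set name
        elif w[:2] == ["crypto", "map"] and len(w) == 5 and w[3] == "interface":
            c["map_ifs"].add(w[4])                    # interface the map is bound to
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and w[4:6] == ["set", "peer"]:
            c["peers"].add(w[6])
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and w[4:6] == ["set", "transform-set"]:
            c["used"].update(w[6:])                   # transform-sets the map refers to
        elif w[:2] == ["isakmp", "enable"] and len(w) == 3:
            c["ike_ifs"].add(w[2])
        elif w[:2] == ["isakmp", "key"] and len(w) > 4 and w[3] == "address":
            c["keys"].add(w[4])                       # peer address only, never the key
        elif w[:2] == ["isakmp", "policy"] and len(w) == 5:
            c["policies"].setdefault(w[2], {})[w[3]] = w[4]
    return c

def audit(config):
    """Return a list of findings; an empty list means the pieces are consistent."""
    c, out = parse(config), []
    out += [f"transform-set {n} is used but not defined" for n in sorted(c["used"] - c["tsets"])]
    out += [f"peer {p} has no isakmp key" for p in sorted(c["peers"] - c["keys"])]
    out += [f"crypto map on {i} but isakmp is not enabled there" for i in sorted(c["map_ifs"] - c["ike_ifs"])]
    for prio, pol in sorted(c["policies"].items()):
        group = pol.get("group", "unset")
        # Rule taken from the replies in this thread: pair AES with DH group 5.
        if pol.get("encryption", "").startswith("aes") and group != "5":
            out.append(f"isakmp policy {prio}: AES with DH group {group}, not 5")
    return out
```

Calling `audit(SAMPLE)` on the question's lines returns an empty list; the same checks can be run against a saved configuration from each remote site before the change is rolled out.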
