VPN Client 3.6.3 Issue

kendo.igor
Level 1

We are using a PIX 515E (ver 6.2(2)) as a VPN solution for remote users. The PIX is using DES and does not have the license for 3DES. Remote users have no problem accessing the PIX using Cisco VPN Client 3.5.2, but cannot access it using Cisco VPN Client 3.6.3. When I went to the web site to download the new client (3.6.20), it mentioned that it's 3DES. Does the new client not step back to DES if that's what the PIX supports?

Thanx,

Accepted Solution

gfullage
Cisco Employee

The 3.6 client introduced functionality for AES encryption. Unfortunately, they had to drop some existing encryption types from the client to accommodate this.

From the release notes (http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/361_clnt.htm) you'll see that DES/SHA is no longer supported/offered by the client, so if you have the following line in your PIX:

> crypto ipsec transform-set esp-des esp-sha-hmac

then you'll need to change it to:

> crypto ipsec transform-set esp-des esp-md5-hmac

The client does step back to DES, it just doesn't do DES/SHA anymore.

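An added example, not part of the thread or any Cisco tool: a small Python checker that reads PIX 6.x-style configuration lines and flags the DES/SHA combinations the answer above says client 3.6 no longer negotiates, in both `crypto ipsec transform-set` and `isakmp policy` lines, and prints the DES/MD5 replacement the answer recommends. The configuration fragment and the transform-set names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample PIX 6.x configuration fragment (not the poster's device).
SAMPLE_CONFIG = """\
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 authentication pre-share
crypto ipsec transform-set remote-old esp-des esp-sha-hmac
crypto ipsec transform-set remote-new esp-des esp-md5-hmac
"""

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
ISAKMP_RE = re.compile(r"^isakmp policy (\d+) (encryption|hash) (\S+)$")


def find_des_sha(config):
    """Return (kind, name, fixed_line) tuples for every DES/SHA proposal.

    Client 3.6 will not negotiate DES together with SHA, so each finding
    carries the DES/MD5 equivalent suggested in the accepted answer.
    """
    findings = []
    policies = defaultdict(dict)  # policy number -> {"encryption": .., "hash": ..}
    for line in config.splitlines():
        line = line.strip()
        m = TRANSFORM_RE.match(line)
        if m:
            name, transforms = m.group(1), m.group(2).split()
            if "esp-des" in transforms and "esp-sha-hmac" in transforms:
                fixed = ["esp-md5-hmac" if t == "esp-sha-hmac" else t for t in transforms]
                findings.append(("transform-set", name,
                                 f"crypto ipsec transform-set {name} {' '.join(fixed)}"))
            continue
        m = ISAKMP_RE.match(line)
        if m:
            policies[m.group(1)][m.group(2)] = m.group(3)
    # IKE policies are assembled from several lines, so check them after the pass.
    for num, attrs in sorted(policies.items(), key=lambda kv: int(kv[0])):
        if attrs.get("encryption") == "des" and attrs.get("hash") == "sha":
            findings.append(("isakmp-policy", num, f"isakmp policy {num} hash md5"))
    return findings


if __name__ == "__main__":
    for kind, name, fix in find_des_sha(SAMPLE_CONFIG):
        print(f"{kind} {name}: DES/SHA will not negotiate with client 3.6; use: {fix}")
```

The check only flags the combination the thread reports as failing to negotiate; single DES itself has long been deprecated, so a 3DES or AES license is the real fix when one is available.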

4 Replies


The results that I am getting so far are that 3.6.x does not support DES, period. I am currently struggling with getting the 3.6.3 client to work with an IOS-based IPsec configuration, and it cannot get past the IKE negotiation stage because they never agree on anything... looks like I may need to step down to the 1.x client if that is available.

I have the same problem with Cisco IOS 12.2.11T, but the problem was in a different place. The Cisco VPN client sends IOS some IKE policy proposals. I took the first one of them (from the debug messages) and placed it in the crypto policy 1 configuration without any good result, and so on. At last I understood that there is an IKE bug (there was a debug message that said something like:

VPN Clients asks for DES-MD5-Preshared I have DES-MD5-Preshared, no match!

)

That is very funny, but not untypical. With 12.2.13T everything seems to work (I have done no hard tests with it; I have other problems there).

8dstaicu
Level 1

You know that DES/SHA is not supported in client v3.6.3. It doesn't work as an IKE or IPsec policy.