Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

VPN Client 3.6.3 Issue

We are using PIX 515E (ver 6.2(2)) as a VPN solution for remote users. The PIX is using DES and does not have the license for 3DES. Remote users have no problem accessing the PIX using Cisco VPN Client 3.5.2, but can not access it using Cisco VPN Client 3.6.3. When I went to the web site to download the new client (3.6.20, it mentioned that it's 3DES. Does the new client not step back to DES if that's what the PIX supports?

Thanx,

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN Client 3.6.3 Issue

The 3.6 client introduced functionality for AES encryption. Unfortunately, they had to drop some existing encryption types from the client to accomodate this.

From the release notes (http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/361_clnt.htm) you'll see that DES/SHA is no longer supported/offered by the client, so if you have the following line in your PIX:

> crypto ipsec transform-set esp-des esp-sha-hmac

then you'll need to change it to:

> crypto ipsec transform-set esp-des esp-md5-hmac

The client does step back to DES, it just doesn't do DES/SHA anymore.

4 REPLIES
Cisco Employee

Re: VPN Client 3.6.3 Issue

The 3.6 client introduced functionality for AES encryption. Unfortunately, they had to drop some existing encryption types from the client to accomodate this.

From the release notes (http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/361_clnt.htm) you'll see that DES/SHA is no longer supported/offered by the client, so if you have the following line in your PIX:

> crypto ipsec transform-set esp-des esp-sha-hmac

then you'll need to change it to:

> crypto ipsec transform-set esp-des esp-md5-hmac

The client does step back to DES, it just doesn't do DES/SHA anymore.

Community Member

Re: VPN Client 3.6.3 Issue

The results that I am getting so far is that 3.6.x does not support DES period. I am currently struggling with getting 3.6.3 client to work with an IOS based IPsec configuration and it can not get past the IKE negotiation stage because they never agree on anything...looks like I may need to step down to 1.x client if that is availiable.

Community Member

Re: VPN Client 3.6.3 Issue

I have the same problem with Cisco IOS 12.2.11T, but the problem was in different place. Cisco VPN client says to IOS some IKE policy proposals. I got the first one of them (from the debug messages) and place it in crypto policy 1 configuration without any good result and so on. At last I understand that there is an IKE bug (there was debug message that says something like that:

VPN Clients asks for DES-MD5-Preshared I have DES-MD5-Preshared, no match!

)

That is very funny, not not untypical. With 12.2.13T everything seems to works (I have no hard tests with it, I have other problems there)

Community Member

Re: VPN Client 3.6.3 Issue

you know that des/sha it's not supported in cient v.3.6.3. it doesn't work as ike or ipsec policy.

246
Views
0
Helpful
4
Replies
CreatePlease to create content