New Member

Must VPN client 4.0.3D use AES?

I'm trying to configure a PIX 515 version 6.3.3 with DES feature to work with VPN client 4.0.3D. I got the following "debug crypto isakmp" message:

ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.

Seems that all proposals tried are using AES. So I then tested with another PIX that has the AES feature, and the VPN connection can be established. However, for some reason I can't upgrade the PIX with the DES feature to AES. Also, I still have other 3.x VPN clients (which do not support AES) that need to form a VPN with this PIX. How can I cater for both VPN client 3.x and 4.0.3D?

Daniel

3 REPLIES
Silver

Re: Must VPN client 4.0.3D use AES?

The last transform being tried is 3DES. 4.0.3D should not have any problems using 3DES - I use 4.0.2 all the time with 3DES.

Post your config.

New Member

Re: Must VPN client 4.0.3D use AES?

My PIX is only DES.

truncated

...

sysopt connection permit-ipsec
crypto ipsec transform-set common esp-des esp-sha-hmac
crypto dynamic-map dynamp 10 set transform-set common
crypto dynamic-map dynamp 100 set transform-set common
...
crypto map tmsw 100 ipsec-isakmp dynamic dynamp
crypto map tmsw client configuration address initiate
crypto map tmsw client configuration address respond
crypto map tmsw interface outside
isakmp enable outside
...
isakmp client configuration address-pool local bigpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup IT address-pool bigpool
vpngroup IT dns-server ip1 ip2
vpngroup IT default-domain hk.tmsw.com
vpngroup IT split-tunnel vpnremote
vpngroup IT idle-time 86400
vpngroup IT password ********
vpngroup tyjernstedt address-pool bigpool
vpngroup tyjernstedt dns-server ip1 ip2
vpngroup tyjernstedt default-domain hk.tmsw.com
vpngroup tyjernstedt split-tunnel vpnremote
vpngroup tyjernstedt idle-time 86400
vpngroup tyjernstedt password ********
vpngroup philipspanton address-pool bigpool
vpngroup philipspanton dns-server ip1 ip2
vpngroup philipspanton default-domain hk.tmsw.com
vpngroup philipspanton split-tunnel vpnremote
vpngroup philipspanton idle-time 86400
vpngroup philipspanton password ********

Thanks.

Daniel

Silver

Re: Must VPN client 4.0.3D use AES?

Get the 3DES/AES key. It is free.

The Cisco VPN client does not support DES + SHA. Since that is the first transform in your policy, that one will not work.

The second is DES + MD5, but with DH group 1. Try changing that to 2, as it appears that is a supported transform. The third is again DES + SHA, which is unsupported. So I am pretty certain that none of those three is acceptable to Cisco software VPN clients.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757
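The thread's debug output is the PIX, as IKEv1 responder, walking its `isakmp policy` entries in priority order and comparing each of the client's proposed transforms against them attribute by attribute (encryption, hash, DH group, authentication). The following script is an added example written for this page, not a Cisco tool and not something either poster supplied: it parses a condensed copy of the `debug crypto isakmp` lines and Daniel's three policies, reports why every pairing fails, and then shows the outcome once a hypothetical 3DES policy (priority 5, which assumes the free 3DES/AES activation key is installed) is present. It only checks attribute equality; it does not encode which combinations the VPN client itself supports. Lifetime handling is an assumption: a lifetime difference is not treated as a rejection, the shorter value is kept.

```python
"""Replay the IKEv1 phase-1 policy match from the 'debug crypto isakmp' output
above, then show what changes when a 3DES policy exists on the PIX.

Added example for this thread; not a Cisco tool. The client transforms and the
PIX policies are transcribed from the posts above; policy 5 is hypothetical.
"""
import re

# Constructed: a condensed copy of the client's proposals (transforms 1, 2 and 9
# cover AES-256/SHA, AES-256/MD5 and 3DES/SHA; the rest follow the same pattern).
DEBUG_LOG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
"""

# The three policies from the config posted in this thread, verbatim.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
"""

# Hypothetical: one extra policy the PIX could offer with the 3DES/AES key installed.
PIX_CONFIG_3DES = PIX_CONFIG + """\
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
"""


def parse_client_transforms(log):
    """Turn the debug lines into one dict per proposed transform."""
    transforms, cur = [], None
    for line in log.splitlines():
        m = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "keylength": None}
            transforms.append(cur)
            continue
        m = re.match(r"ISAKMP: (.+)", line)
        if cur is None or not m:
            continue
        attr = m.group(1)
        if attr.startswith("encryption "):
            cur["encryption"] = attr.split()[1].lower().replace("-cbc", "")
        elif attr.startswith("hash "):
            cur["hash"] = attr.split()[1].lower()
        elif attr.startswith("default group "):
            cur["group"] = int(attr.split()[-1])
        elif "auth pre-share" in attr:
            # Both "auth pre-share" and "extended auth pre-share (init)" match a
            # pre-shared-key policy; XAUTH is layered on top after phase 1.
            cur["auth"] = "pre-share"
        elif attr.startswith("life duration (VPI) of "):
            octets = attr.split(" of ")[1].split()
            cur["lifetime"] = int.from_bytes(bytes(int(o, 16) for o in octets), "big")
        elif attr.startswith("keylength of "):
            cur["keylength"] = int(attr.split()[-1])
    for t in transforms:  # the debug shows AES key size on a separate line
        if t["encryption"] == "aes":
            t["encryption"] = f"aes-{t['keylength']}"
    return transforms


def parse_isakmp_policies(config):
    """Collect 'isakmp policy <prio> <attr> <value>' lines, applying Cisco defaults."""
    policies = {}
    for line in config.splitlines():
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)", line.strip())
        if not m:
            continue
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
        p = policies.setdefault(prio, {"auth": "rsa-sig", "encryption": "des",
                                       "hash": "sha", "group": 1, "lifetime": 86400})
        if attr == "authentication":
            p["auth"] = value
        elif attr == "encryption":
            p["encryption"] = "aes-128" if value == "aes" else value  # plain 'aes' is 128-bit
        elif attr == "hash":
            p["hash"] = value
        elif attr == "group":
            p["group"] = int(value)
        elif attr == "lifetime":
            p["lifetime"] = int(value)
    return dict(sorted(policies.items()))


def mismatches(transform, policy):
    """Attributes on which a proposal and a policy disagree (lifetime excluded)."""
    return [k for k in ("encryption", "hash", "group", "auth") if transform[k] != policy[k]]


def negotiate(transforms, policies):
    """Responder-side search: lowest priority first, client transforms in order,
    first full match wins. Returns (priority, transform id, lifetime) or None.
    Assumption: lifetime never rejects by itself; the shorter value is kept."""
    for prio, pol in policies.items():
        for t in transforms:
            if not mismatches(t, pol):
                return prio, t["id"], min(t["lifetime"], pol["lifetime"])
    return None


def explain(transforms, policies):
    """One line per (policy, transform) pair saying why it was rejected."""
    lines = []
    for prio, pol in policies.items():
        for t in transforms:
            bad = mismatches(t, pol)
            detail = ", ".join(f"{k} {t[k]} != {pol[k]}" for k in bad) or "match"
            lines.append(f"policy {prio} vs transform {t['id']}: {detail}")
    return lines


if __name__ == "__main__":
    client = parse_client_transforms(DEBUG_LOG)
    for name, cfg in (("DES-only PIX", PIX_CONFIG), ("with 3DES policy 5", PIX_CONFIG_3DES)):
        pols = parse_isakmp_policies(cfg)
        print(f"== {name}: {negotiate(client, pols) or 'no acceptable proposal'}")
        print("\n".join(explain(client, pols)))
```

Run as-is, the DES-only section shows every pairing failing on `encryption` (and on `group` for policies 10 and 20), which is the whole story behind the repeated "atts are not acceptable" lines: the client never proposes DES, so no change to hash or DH group alone can make a DES-only policy match. The second section shows transform 9 (3DES/SHA/group 2/pre-share) matching the hypothetical policy 5 with the PIX's 86400-second lifetime kept.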
