Cisco Support Community

Transform set security

We allow IPSEC over L2TP connections to our PIX-525 for remote VPN. The current transform set in place is esp-3des with esp-md5-hmac. I'd prefer AES, but we have to allow connectivity to native WinXP clients for our users, (this obviously means we are also in Transport Mode.) Am I already at the strongest encryption that WinXP will understand without installing Cisco's VPN client?

Also, do I have to leave MSCHAP enabled for authentication to meet the above requirements? (Authentication is done against an internal Win2003 IAS server.) I'd prefer not to, but is CHAP considered any better?

Just trying to QA my VPN implementation...
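One way to lay this out on the PIX, as an added example and not configuration taken from the thread: keep the 3DES/MD5 set the native XP client needs, in transport mode, and offer a stronger AES/SHA set alongside it so clients that can negotiate it do so. It assumes PIX 6.3 syntax, an outside interface named outside, an existing ISAKMP policy and address pool, and invented names (XP-3DES, AES-SHA, dynmap, outside_map, l2tp-group, l2tp-pool).

```cisco
! Added example, not from the thread. Assumes PIX 6.3 software, an interface
! named "outside", an existing ISAKMP policy and a local pool "l2tp-pool";
! the set, map and group names below are invented for illustration.
!
! The transform set the XP native L2TP/IPsec client negotiates today
! (the 3DES/MD5 set from the post). L2TP/IPsec requires transport mode.
crypto ipsec transform-set XP-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set XP-3DES mode transport
!
! A stronger set offered in parallel for clients able to negotiate it.
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set AES-SHA mode transport
!
! Listing both sets on the dynamic map lets the PIX accept whichever of
! them a client proposes; clients limited to 3DES still connect.
crypto dynamic-map dynmap 10 set transform-set AES-SHA XP-3DES
crypto map outside_map 20 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
!
! L2TP side: PPP authentication via MS-CHAP, as described in the post,
! with addresses handed out from the local pool.
vpdn group l2tp-group accept dialin l2tp
vpdn group l2tp-group ppp authentication mschap
vpdn group l2tp-group client configuration address local l2tp-pool
vpdn group l2tp-group l2tp tunnel hello 60
vpdn enable outside
```

After a client connects, `show crypto ipsec sa` on the PIX shows which transform set was actually negotiated for that peer, which is the quickest way to confirm whether a given client ended up on AES or fell back to 3DES.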


Re: Transform set security

I think default algorithm for Windows XP Service Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES) using a 256-bit key. I think you should better leave MSCHAP enabled for authentication.


Re: Transform set security


Do you mean L2TP using IPsec as the encryption method? WinXP can be assigned preconfigured IPsec policies through "IP Security Policies on Local Computer" in mmc. From the Security Methods tab, you can customize your ESP transform set.

Also you need to configure no l2tp tunnel authentication as you have chosen IPSec.

PPP needs CHAP to negotiate a tunnel, so I think it's needed here. But I had trouble in my case using other authentication lists like RADIUS or TACACS. So if you are using external authentication lists, could you share with us?




Re: Transform set security

Before you enable AES, make sure your VAC supports it in the PIX. You need a VAC+ to support AES hardware encryption. If you only have a VAC, AES encryption/decryption is done in software.
