VPN 3000 IPSec SA Negotiation

Hi,

My understanding of VPN 3000 Concentrator is as below:

1. VPN3000 will not negotiate IKE proposals if it is the initiator of the tunnel. The remote end has to have the exact IKE parameters. But if VPN3000 is the responder, it will agree to negotiate with the peer with all the "active" IKE proposals configured.

2. VPN 3000 does not negotiate IPSec parameters (IPSec SAs) with the remote peer. The IPSec parameters (SAs) configured on VPN3000 must exactly match those on the remote peer. This is because, when you apply SAs to rules, there is only one set of parameters (for encryption, authentication, etc.) configured in the SA, leaving no room for negotiation. This is unlike IOS routers, where we can configure multiple transform sets, apply them to crypto maps, and have these values negotiated with the remote peer.

Would appreciate your thoughts!

Regards,

Mohan

1 REPLY
Re: VPN 3000 IPSec SA Negotiation

To ensure a secure tunnel connection, the Cisco Easy VPN Remote Phase II feature does not support transform sets that provide encryption without authentication (ESP-DES and ESP-3DES) or transform sets that provide authentication without encryption (ESP-NULL ESP-SHA-HMAC and ESP-NULL ESP-MD5-HMAC).
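As an added example (not from this thread or from Cisco), the following Python models the behaviour described in the question and the constraint stated in the reply: the initiator offers one or more transform sets, the responder picks the first offered set it also accepts, and any set lacking either encryption or authentication is never accepted. The transform-set names, `TransformSet`, `provides_both` and `negotiate` are constructed for illustration and are not a Cisco API.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed markers in Cisco ESP naming style: "none" means no HMAC,
# "esp-null" means the null (no-encryption) transform.
NO_AUTH = "none"
NO_ENC = "esp-null"


@dataclass(frozen=True)
class TransformSet:
    encryption: str      # e.g. "esp-aes", "esp-3des", "esp-null"
    authentication: str  # e.g. "esp-sha-hmac", "esp-md5-hmac", "none"


def provides_both(ts: TransformSet) -> bool:
    """Reject sets that encrypt without authenticating (ESP-DES/ESP-3DES alone)
    or authenticate without encrypting (ESP-NULL plus an HMAC), which the reply
    says Easy VPN Remote refuses to use."""
    return ts.encryption != NO_ENC and ts.authentication != NO_AUTH


def negotiate(offered: Sequence[TransformSet],
              acceptable: Sequence[TransformSet]) -> Optional[TransformSet]:
    """Responder side: take the first offered set, in the initiator's order,
    that is in its own acceptable list and provides encryption plus
    authentication. Returns None when no agreeable proposal exists."""
    allowed = {ts for ts in acceptable if provides_both(ts)}
    for ts in offered:
        if ts in allowed:
            return ts
    return None


def vpn3000_initiates(configured: TransformSet,
                      peer_sets: Sequence[TransformSet]) -> Optional[TransformSet]:
    """VPN 3000 as initiator, per the question: exactly one configured SA is offered,
    so the peer must have that same set among its own."""
    return negotiate([configured], peer_sets)


def ios_initiates(router_sets: Sequence[TransformSet],
                  vpn3000_sa: TransformSet) -> Optional[TransformSet]:
    """IOS router with several transform sets initiating to a VPN 3000 whose
    rule carries a single SA: only an exact match of that SA can be chosen."""
    return negotiate(router_sets, [vpn3000_sa])
```

Constructed sets such as `TransformSet("esp-3des", "none")` are dropped before matching, so a peer that only offers encryption-without-authentication never gets a tunnel even when the other side has the same set configured.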
