Diffie-Hellman group
  • Diffie-Hellman group

    Hi,

    I have some problem with my vpn tunnel.
    I configured my 1812 as a VPN server and it's working, but I cannot change Diffie-Hellman group 2 to Diffie-Hellman group 5. If I do that, the Cisco VPN client will not connect. It tells me that it is trying to connect, but after that it fails. Can someone point me in the right direction? When I use Diffie-Hellman group 2 I have no problem connecting.

    Code:
    !
    crypto isakmp policy 1
     encr aes 256
     authentication pre-share
     group 5
    !
    crypto isakmp client configuration group ******
     key 6 ******
     dns ***** *****
     pool vpn
     acl 150
     netmask 255.255.255.0
    crypto isakmp profile vpn-ike
       match identity group ****
       client authentication list Check
       isakmp authorization list VPN
       client configuration address respond
       virtual-template 10
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    !
    crypto ipsec profile ***
     set transform-set ESP-3DES-SHA 
     set isakmp-profile ***
    Last edited by Raevmi; 4th October 2009, 13:04.

  • #2
    Re: Diffie-Hellman group

    I don't know a lot about the Cisco VPN client, but don't you also need to change the settings in the VPN client?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Diffie-Hellman group

      Hmh, I don't have any options that I can change to use G5



      • #4
        Re: Diffie-Hellman group

        Yes, your policies need to be the same at either end of the VPN or IKE phase 1 will fail, and DH group 2 is the default value.
        Infrastructure Architect
        CCNA, CCNA Security, MCSE, JNCIS
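        The point made in #4, that IKE phase 1 fails unless the router's ISAKMP policy agrees with what the client proposes, as an added example (not code from this thread or from Cisco): a small Python model that parses the posted "crypto isakmp policy" stanza, fills in IOS defaults, and checks it against a constructed set of pre-shared-key client proposals. The proposal list and the exact matching rules are assumptions standing in for the client's real behaviour.

```python
# Added example, not from the thread: models IKEv1 phase-1 policy matching
# between an IOS router's 'crypto isakmp policy' and a remote-access client.
import re

# IOS defaults applied to any attribute a policy stanza leaves out.
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}
# Attributes that must be identical at both ends; lifetime is negotiated
# separately (IOS accepts a shorter lifetime offered by the peer).
MUST_MATCH = ("encr", "hash", "authentication", "group")

def parse_isakmp_policies(config):
    """Parse every 'crypto isakmp policy N' stanza from IOS config text."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_POLICY_DEFAULTS)
            continue
        if current is None or not line.startswith(" "):
            current = None          # '!' or another top-level command ends it
            continue
        parts = line.split()
        if parts and parts[0] in IOS_POLICY_DEFAULTS:
            policies[current][parts[0]] = " ".join(parts[1:])
    return policies

def negotiate(router_policies, client_proposals):
    """First (policy number, proposal) agreeing on MUST_MATCH, in router priority order; None = phase 1 fails."""
    for number in sorted(router_policies):
        pol = router_policies[number]
        for prop in client_proposals:
            if all(pol[k] == prop[k] for k in MUST_MATCH):
                return number, prop
    return None

# Constructed stand-in for the proposals a client using a group pre-shared key
# offers (illustrative assumption, not the exact list from Cisco's table 8-3).
CLIENT_PSK_PROPOSALS = [
    {"encr": "aes 256", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encr": "aes 128", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encr": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encr": "3des", "hash": "md5", "authentication": "pre-share", "group": "2"},
]
# The policy posted in the thread, and the same policy with group 2 instead.
ROUTER_GROUP5 = "crypto isakmp policy 1\n encr aes 256\n authentication pre-share\n group 5\n!\n"
ROUTER_GROUP2 = ROUTER_GROUP5.replace(" group 5", " group 2")
```

        Running negotiate() on the group 5 policy returns None, while the group 2 copy matches the first proposal on policy 1.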



        • #5
          Re: Diffie-Hellman group

          Correct, that's why I asked if there is an option inside the VPN client which can be changed.
          Marcel



          • #6
            Re: Diffie-Hellman group

            I think that DH group 5 is used only for digital certificates, according to the "VPN client administration guide" from Cisco. At the link below you can see the chapter "Troubleshooting and Programmer Notes", and in table 8-3, IKE Proposals, you can check and choose one that meets your needs.

            http://www.cisco.com/en/US/docs/secu...html#wp1163765
