Solved

When connecting via Cisco VPN client PIX config requires both DES and 3DES policies yet connects using 3DES. Why?

Posted on 2006-11-21
Last Modified: 2013-11-16
I have inherited these PIXs and am trying to get a handle on the config. I find that each of my offices' PIX firewalls has the following for VPN tunnels:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup vpntrend address-pool vpnpool
vpngroup vpntrend dns-server 172.20.4.1
vpngroup vpntrend split-tunnel 3
vpngroup vpntrend idle-time 10800
vpngroup vpntrend password ********

All inter-office tunnels are working OK on 3DES and when I connect using client the status shows also 3DES.
If I remove the 'surplus' policy 50 for DES the inter-office VPN works fine but the client fails.
Why?

The reason for the question is that I'm trying to get Watchguard X750e to 'talk' 3DES to three PIXs and the only tunnel that comes up correctly is in France where they do not use the client and have not got 2 policies.
Question by:kcoxon
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17988887
Policies are negotiated in priority order (10 = higher preference than 50) and should match the transform set.
There can be separate transform sets for dynamic clients and for site-to-site tunnels.
I would suggest adding a 3rd group with slightly different parameters:

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2  <== DH group 2. Preferred by the client
isakmp policy 15 lifetime 86400

Then you should be able to remove the policy 50


Author Comment

by:kcoxon
ID: 17993908
Thanks. Having tried that and deleted the policy 50, I find that the policy remains but changes to:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 50 authentication rsa-sig
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400

I try to remove policy 50 now and this remains. ???
LVL 79

Expert Comment

by:lrmoore
ID: 17995154
Did you try removing each line individually?
no isakmp policy 50 authentication rsa-sig
no isakmp policy 50 encryption des
no isakmp policy 50 hash sha
no isakmp policy 50 group 1
no isakmp policy 50 lifetime 86400

Save the config, and you might even have to reboot the PIX. Otherwise it may be keeping itself in there due to a default transform set that you have.


Author Comment

by:kcoxon
ID: 17995286
Tried removing all at once as you have above.
Tried removing individually.
Tried saving the config.

All lines remain.

Can't restart until 17:00 as we are hosting apps to other offices and this will cause a problem.
Will try restarting later and will let you know.

Why did adding policy 15 result in changing policy 50 from

isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400

to

isakmp policy 50 authentication rsa-sig
isakmp policy 50 encryption des
isakmp policy 50 hash sha
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400


Cheers.

LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17995442
It probably wasn't adding it that caused that change; it was probably removing the initial line
  no isakmp policy 50 auth pre-share

That results in reverting to the default, rsa-sig.

I've proved that with my own PIX ...
I couldn't get rid of it one line at a time either, but I found that if I used
pix(config)# no isakmp policy 50

It went away immediately.

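The behaviour described in this thread, as an added example that is not part of the original thread or of any Cisco code: a small model of how a PIX treats "isakmp policy" lines, covering phase 1 (ISAKMP) matching only. It assumes the per-attribute defaults are rsa-sig / des / sha / group 1 / 86400 (the values policy 50 reverted to above), that a proposal matches the lowest-numbered policy whose attributes all agree with it, and that the VPN client only offers DH group 2; the config and peer proposals are constructed sample input.

```python
# Per-attribute defaults a PIX falls back to when one line of a policy is negated
# (assumption, consistent with the reverted policy 50 shown in the thread).
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}

def apply_line(policies, line):
    """Apply one 'isakmp policy ...' or 'no isakmp policy ...' line in place."""
    words = line.split()
    negate = words[0] == "no"
    words = words[1:] if negate else words
    prio = int(words[2])
    if negate and len(words) == 3:       # 'no isakmp policy 50': whole policy goes
        policies.pop(prio, None)
        return policies
    # accept abbreviated keywords such as 'auth' for 'authentication'
    attr = next(k for k in DEFAULTS if k.startswith(words[3]))
    pol = policies.setdefault(prio, dict(DEFAULTS))
    # 'no' on a single attribute only resets it to the default; the policy stays
    pol[attr] = DEFAULTS[attr] if negate else words[4]
    return policies

def load(config_text):
    """Build the policy table from a block of config lines."""
    policies = {}
    for line in config_text.strip().splitlines():
        apply_line(policies, line)
    return policies

def negotiate(policies, proposals):
    """Priority of the lowest-numbered policy fully matching one peer proposal."""
    for prio in sorted(policies):
        for prop in proposals:
            if all(policies[prio][k] == v for k, v in prop.items()):
                return prio
    return None

# Constructed input: the thread's two original policies (lifetime omitted, it
# equals the default) plus the site-to-site and VPN client proposals.
ORIGINAL = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
"""
SITE = [{"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "1"}]
CLIENT = [{"authentication": "pre-share", "encryption": e, "hash": "md5", "group": "2"}
          for e in ("3des", "des")]     # assumed: the client insists on DH group 2
```

With the model, removing policy 50 leaves the site-to-site tunnel on policy 10 but gives the client no match, adding policy 15 (3des, group 2) gives the client a 3DES policy, and negating policy 50 line by line only resets it to the defaults until `no isakmp policy 50` removes it.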
