When connecting via Cisco VPN client, PIX config requires both DES and 3DES policies yet connects using 3DES. Why?
Posted on 2006-11-21
I have inherited these PIXs and am trying to get a handle on the config. I find that each of my offices' PIX firewalls has the following for VPN tunnels:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup vpntrend address-pool vpnpool
vpngroup vpntrend dns-server 172.20.4.1
vpngroup vpntrend split-tunnel 3
vpngroup vpntrend idle-time 10800
vpngroup vpntrend password ********
All inter-office tunnels are working OK on 3DES, and when I connect using the client the status also shows 3DES.
If I remove the 'surplus' policy 50 for DES, the inter-office VPN works fine but the client fails.
The reason for the question is that I'm trying to get a WatchGuard X750e to 'talk' 3DES to three PIXs, and the only tunnel that comes up correctly is in France, where they do not use the client and have not got 2 policies.