
Cisco VPN - what type of 3DES?

Mawallace asked
Medium Priority
1,201 Views
Last Modified: 2012-06-21
I am having to configure a Cisco 5505 to connect LAN to LAN to another site using a Draytek 2820.

I have a question re the 3DES type.

I am trying to connect using ESP-3DES-MD5 to the site 117.41.83.86.

On the Draytek I have configured:-

Type of server:- IPsec Tunnel

Call Direction:- both

IKE Authentication Method:- My pre-shared key has been entered

IP Security Method:- High (ESP) - And it is the next screen I get stuck on. I have a choice from:

DES without Authentication - Use DES encryption algorithm and not apply any authentication scheme.
DES with Authentication - Use DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
3DES without Authentication - Use triple DES encryption algorithm and not apply any authentication scheme.
3DES with Authentication - Use triple DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
AES without Authentication - Use AES encryption algorithm and not apply any authentication scheme.
AES with Authentication - Use AES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.

Also I am confused by the following settings on the Draytek - any ideas which I should be choosing?:-

RIP Direction - The option specifies the direction of RIP (Routing Information Protocol) packets. Options: TX/RX Both, TX Only, RX Only, and Disable.

From first subnet to remote network, you have to do - If the remote network only allows you to dial in with single IP, please choose NAT, otherwise choose Route.

Could someone please help me as to which method is the correct one by looking at the config below!

My Cisco config (relevant parts only, with IP addresses changed) is below:-

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 117.41.83.86
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set reverse-route
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 117.37.175.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 183.104.158.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 117.41.83.86 type ipsec-l2l
tunnel-group 117.41.83.86 ipsec-attributes
 pre-shared-key *
tunnel-group 117.37.175.6 type ipsec-l2l
tunnel-group 117.37.175.6 ipsec-attributes
 pre-shared-key *
tunnel-group VPNUsers type ipsec-ra
tunnel-group VPNUsers general-attributes
 address-pool (inside) VPNUsers
 address-pool VPNUsers
 default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
 pre-shared-key *
tunnel-group 183.104.158.217 type ipsec-l2l
tunnel-group 183.104.158.217 ipsec-attributes
 pre-shared-key *
tunnel-group 181.179.236.186 type ipsec-l2l
tunnel-group 181.179.236.186 ipsec-attributes
 pre-shared-key *
telnet 210.0.0.16 255.255.255.255 inside
telnet timeout 5
ssh Admin_host 255.255.255.255 inside
ssh Thetserver 255.255.255.255 inside
ssh 210.0.0.16 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map http-mapl
 match access-list http-list2
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map http-mapl
 class http-mapl
  set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
ntp server Thetserver source inside
prompt hostname context
Cryptochecksum:6e96c9075a3a08d1cc0bdf9c5475b2b6
: end
asdm image disk0:/asdm522.bin
no asdm history enable

CERTIFIED EXPERT
Most Valuable Expert 2015

Commented:
3DES with Authentication - Use triple DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
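The rule behind that answer, as an added example that is not part of the original thread: the Draytek's ESP choice has to mirror the transform set bound to the crypto-map entry whose "set peer" is the Draytek's address, and its IKE settings have to match one of the ASA's "crypto isakmp policy" blocks. The Python below (my code, not Cisco's or Draytek's) parses those lines out of a constructed excerpt of the config in the question (same placeholder addresses) and reports what the far end must be set to for a given peer; the "draytek_option" wording is copied from the menu quoted in the question, and the helper names are my own. It also flags the legacy parameters the config negotiates.

```python
"""Derive the settings a peer must match to build an IPsec LAN-to-LAN tunnel
with a Cisco ASA, from the ASA's own crypto config.
Added example, not code from the original post, Cisco or Draytek."""
import re

# Constructed excerpt of the ASA running-config from the question.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 117.41.83.86
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 183.104.158.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp nat-traversal  20
"""

# ESP transform keywords -> the family names the Draytek menu uses.
ESP_ENC = {"esp-des": "DES", "esp-3des": "3DES",
           "esp-aes": "AES", "esp-aes-192": "AES", "esp-aes-256": "AES"}
ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA-1"}


def parse_transform_sets(cfg):
    """Map transform-set name -> {'encryption': ..., 'auth': ...}."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        name, parts = m.group(1), m.group(2).split()
        sets[name] = {
            "encryption": next((ESP_ENC[p] for p in parts if p in ESP_ENC), None),
            "auth": next((ESP_AUTH[p] for p in parts if p in ESP_AUTH), None),
        }
    return sets


def parse_crypto_map_entries(cfg):
    """Map (map name, sequence) -> peer / transform-set / pfs."""
    entries = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) (.+)$", cfg, re.M):
        entry = entries.setdefault((m.group(1), int(m.group(2))), {"pfs": False})
        words = m.group(3).split()
        if words[:2] == ["set", "peer"]:
            entry["peer"] = words[2]
        elif words[:2] == ["set", "transform-set"]:
            entry["transform_set"] = words[2]
        elif words == ["set", "pfs"]:
            entry["pfs"] = True
    return entries


def parse_isakmp_policies(cfg):
    """Return the ISAKMP (IKEv1 Phase 1) policies in priority order."""
    policies, current = [], None
    for line in cfg.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = {"priority": int(m.group(1))}
            policies.append(current)
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return sorted(policies, key=lambda p: p["priority"])


def legacy_warnings(phase2, phase1):
    """Flag parameters that should not be used for new tunnels."""
    warn = []
    if phase2["encryption"] in ("DES", "3DES"):
        warn.append(f"{phase2['encryption']} is a 64-bit block cipher; use AES")
    if phase2["auth"] is None:
        warn.append("ESP without authentication gives no integrity protection")
    elif phase2["auth"] == "MD5":
        warn.append("HMAC-MD5 ESP integrity is deprecated; prefer SHA-2")
    if not phase2["pfs"]:
        warn.append("no PFS on this crypto-map entry")
    for p in phase1:
        if p.get("group") in ("1", "2"):
            warn.append(f"isakmp policy {p['priority']}: DH group {p['group']} is 1024-bit or weaker")
    return warn


def peer_requirements(cfg, peer):
    """Settings the device at `peer` must be configured with, or None."""
    sets = parse_transform_sets(cfg)
    phase1 = parse_isakmp_policies(cfg)  # the peer must match any one of these
    for (mapname, seq), entry in parse_crypto_map_entries(cfg).items():
        if entry.get("peer") != peer:
            continue
        ts = sets[entry["transform_set"]]
        phase2 = {
            "encryption": ts["encryption"], "auth": ts["auth"], "pfs": entry["pfs"],
            # Wording of the Draytek "IP Security Method" menu from the question.
            "draytek_option": f"{ts['encryption']} {'with' if ts['auth'] else 'without'} Authentication",
        }
        return {"crypto_map": f"{mapname} {seq}", "phase2": phase2,
                "phase1": phase1, "warnings": legacy_warnings(phase2, phase1)}
    return None
```

Calling peer_requirements(ASA_CONFIG, "117.41.83.86") gives crypto map outside_map 40, "3DES with Authentication" with HMAC-MD5 and no PFS for Phase 2, and two Phase 1 candidates (3DES, MD5 or SHA, DH group 2, pre-shared key), which is exactly the menu item the expert named. The warnings are worth acting on independently of the Draytek question: 3DES, HMAC-MD5 and 1024-bit DH group 2 are all marked SHOULD NOT or worse in RFC 8221 (ESP) and RFC 8247 (IKE), so AES with SHA-2 and a 2048-bit or stronger group is the right target once both ends support it.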

Author

Commented:
And what about the RIP - do I have to do anything there?
CERTIFIED EXPERT
Most Valuable Expert 2015
Commented:

Author

Commented:
Good answer