Mawallace (United Kingdom) asked:

Cisco VPN - what type of 3DES?

I am having to configure a Cisco 5505 to connect LAN to LAN to another site using a Draytek 2820.

I have a question re the 3DES type.

I am trying to connect using the ESP-3DES-MD5 to the site 117.41.83.86

On the Draytek I have configured:-

Type of server:- IPsec Tunnel

Call Direction:- both

IKE Authentication Method:- My pre-shared key has been entered

IP Security Method:- High (ESP) - and it is the next screen I get stuck on. I have a choice from:

DES without Authentication - Use DES encryption algorithm and not apply any authentication scheme.
DES with Authentication - Use DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
3DES without Authentication - Use triple DES encryption algorithm and not apply any authentication scheme.
3DES with Authentication - Use triple DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
AES without Authentication - Use AES encryption algorithm and not apply any authentication scheme.
AES with Authentication - Use AES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.

Also I am confused by the following settings on the Draytek - Any ideas which I should be choosing?:-

RIP Direction - The option specifies the direction of RIP (Routing Information Protocol) packets. Options: TX/RX Both, TX Only, RX Only, and Disable.

From first subnet to remote network, you have to do - If the remote network only allows you to dial in with single IP, please choose NAT, otherwise choose Route.

Could someone please help me as to which method is the correct one by looking at the config below!

My Cisco config (relevant parts only, with IP addresses changed) is below:-

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 117.41.83.86
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set reverse-route
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 117.37.175.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 183.104.158.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 117.41.83.86 type ipsec-l2l
tunnel-group 117.41.83.86 ipsec-attributes
 pre-shared-key *
tunnel-group 117.37.175.6 type ipsec-l2l
tunnel-group 117.37.175.6 ipsec-attributes
 pre-shared-key *
tunnel-group VPNUsers type ipsec-ra
tunnel-group VPNUsers general-attributes
 address-pool (inside) VPNUsers
 address-pool VPNUsers
 default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
 pre-shared-key *
tunnel-group 183.104.158.217 type ipsec-l2l
tunnel-group 183.104.158.217 ipsec-attributes
 pre-shared-key *
tunnel-group 181.179.236.186 type ipsec-l2l
tunnel-group 181.179.236.186 ipsec-attributes
 pre-shared-key *
telnet 210.0.0.16 255.255.255.255 inside
telnet timeout 5
ssh Admin_host 255.255.255.255 inside
ssh Thetserver 255.255.255.255 inside
ssh 210.0.0.16 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map http-mapl
 match access-list http-list2
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map http-mapl
 class http-mapl
  set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
ntp server Thetserver source inside
prompt hostname context
Cryptochecksum:6e96c9075a3a08d1cc0bdf9c5475b2b6
: end
asdm image disk0:/asdm522.bin
no asdm history enable
Jan Bacher (United States) replied:

3DES with Authentication - Use triple DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
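The answer can be read straight off the ASA configuration in the question: the crypto map entry whose peer is 117.41.83.86 uses transform-set ESP-3DES-MD5, i.e. esp-3des with esp-md5-hmac, which is the Draytek "3DES with Authentication" choice with MD5. The script below is an added example, not code from the question or either reply; it parses a constructed excerpt of the pasted ASA config (ASA_CONFIG) and, for a given peer, reports the phase-2 cipher and integrity algorithm, whether PFS is set on that entry, the IKE (phase-1) policies the ASA will offer, the matching Draytek menu entry, and which of the negotiated algorithms are legacy by current guidance. The names parse_asa, proposal_for_peer, CIPHERS, INTEGRITY and LEGACY are this example's own.

```python
# Added example: resolve peer -> crypto-map entry -> transform-set -> (cipher, integrity)
# from an ASA config excerpt, and name the matching Draytek "IP Security Method" option.
import re

# Constructed excerpt of the ASA config pasted in the question (crypto lines only).
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 117.41.83.86
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 183.104.158.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set reverse-route
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# ASA transform keywords -> the names used in the Draytek menu.
CIPHERS = {"esp-des": "DES", "esp-3des": "3DES",
           "esp-aes": "AES", "esp-aes-192": "AES", "esp-aes-256": "AES"}
INTEGRITY = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA-1"}
# Algorithms deprecated by current guidance; reported, not rejected.
LEGACY = {"DES", "3DES", "MD5", "group 1", "group 2"}


def parse_asa(text):
    """Collect transform-sets, static crypto-map entries and ISAKMP policies."""
    transform_sets, entries, policies = {}, {}, {}
    policy = None  # ISAKMP policy whose indented lines we are currently inside
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line):
            name, t1, t2 = m.groups()
            # The two transforms may be written in either order.
            cipher = next((CIPHERS[t] for t in (t1, t2) if t in CIPHERS), None)
            integ = next((INTEGRITY[t] for t in (t1, t2) if t in INTEGRITY), None)
            transform_sets[name] = (cipher, integ)
            policy = None
        elif m := re.match(r"crypto map (\S+) (\d+) set (peer|transform-set|pfs)(?: (\S+))?$", line):
            mapname, seq, key, val = m.groups()
            e = entries.setdefault((mapname, int(seq)),
                                   {"peer": None, "transform": None, "pfs": False})
            if key == "peer":
                e["peer"] = val
            elif key == "transform-set":
                e["transform"] = val
            else:
                e["pfs"] = True  # "set pfs" with or without an explicit group
            policy = None
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and policy is not None:
            key, val = line.split(None, 1)  # e.g. " encryption 3des"
            policy[key] = val
        else:
            policy = None
    return {"transform_sets": transform_sets, "entries": entries, "policies": policies}


def proposal_for_peer(parsed, peer):
    """Phase-2 parameters the ASA negotiates with `peer`, or None if no static
    crypto-map entry names that peer (dynamic-map peers are not resolved)."""
    for (mapname, seq), e in sorted(parsed["entries"].items()):
        if e["peer"] != peer:
            continue
        cipher, integ = parsed["transform_sets"][e["transform"]]
        draytek = f"{cipher} {'with' if integ else 'without'} Authentication"
        if integ:
            draytek += f" ({integ})"
        ike = [(prio, p.get("encryption", ""), p.get("hash", ""), "group " + p.get("group", "?"))
               for prio, p in sorted(parsed["policies"].items())]
        used = {cipher, integ}
        for _, enc, h, grp in ike:
            used |= {enc.upper(), h.upper(), grp}
        legacy = sorted(x for x in used if x in LEGACY)
        return {"entry": f"{mapname} {seq}", "cipher": cipher, "integrity": integ,
                "pfs": e["pfs"], "draytek": draytek, "ike_policies": ike, "legacy": legacy}
    return None


if __name__ == "__main__":
    parsed = parse_asa(ASA_CONFIG)
    for peer in ("117.41.83.86", "183.104.158.217"):
        r = proposal_for_peer(parsed, peer)
        print(peer, "->", r["entry"], "|", r["draytek"], "|",
              "PFS" if r["pfs"] else "no PFS", "| legacy:", ", ".join(r["legacy"]))
```

For 117.41.83.86 this resolves to crypto map entry 40, "3DES with Authentication (MD5)" and no PFS, so the Draytek side of that tunnel must also have PFS disabled; by contrast entry 80 (peer 183.104.158.217) has `set pfs` and would need PFS enabled on the far end. Both ISAKMP policies offer 3DES with DH group 2, and the script flags 3DES, MD5 and group 2 as legacy: the Draytek menu in the question also offers AES with SHA-1, which the ASA supports with an esp-aes / esp-sha-hmac transform-set and a matching ISAKMP policy, should the two sides be moved off 3DES later.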
Mawallace (ASKER) replied:

And what about the RIP - Do I have to do anything there?
ASKER CERTIFIED SOLUTION by Jan Bacher (United States)