Solved

Cisco VPN - what type of 3DES?

Posted on 2009-07-02
Last Modified: 2012-06-21
I am having to configure a Cisco 5505 to connect LAN to LAN to another site using a Draytek 2820.

I have a question re the 3DES type.

I am trying to connect using ESP-3DES-MD5 to the site 117.41.83.86

On the Draytek I have configured:-

Type of server:- IPsec Tunnel

Call Direction:- both

IKE Authentication Method:- My pre-shared key has been entered

IP Security Method:- High (ESP) - And it is the next screen that I get stuck on. I have a choice from:

DES without Authentication - Use DES encryption algorithm and not apply any authentication scheme.
DES with Authentication - Use DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
3DES without Authentication - Use triple DES encryption algorithm and not apply any authentication scheme.
3DES with Authentication - Use triple DES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.
AES without Authentication - Use AES encryption algorithm and not apply any authentication scheme.
AES with Authentication - Use AES encryption algorithm and apply MD5 or SHA-1 authentication algorithm.

Also I am confused by the following settings on the Draytek - Any ideas which I should be choosing?:-

RIP Direction - The option specifies the direction of RIP (Routing Information Protocol) packets. Options: TX/RX Both, TX Only, RX Only, and Disable.

From first subnet to remote network, you have to do - If the remote network only allows you to dial in with single IP, please choose NAT, otherwise choose Route.

Could someone please help me as to which method is the correct one by looking at the config below!

My Cisco config (relevant parts only, with IP addresses changed) is below:-

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer 117.41.83.86
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set reverse-route
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 117.37.175.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 183.104.158.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group 117.41.83.86 type ipsec-l2l
tunnel-group 117.41.83.86 ipsec-attributes
 pre-shared-key *
tunnel-group 117.37.175.6 type ipsec-l2l
tunnel-group 117.37.175.6 ipsec-attributes
 pre-shared-key *
tunnel-group VPNUsers type ipsec-ra
tunnel-group VPNUsers general-attributes
 address-pool (inside) VPNUsers
 address-pool VPNUsers
 default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
 pre-shared-key *
tunnel-group 183.104.158.217 type ipsec-l2l
tunnel-group 183.104.158.217 ipsec-attributes
 pre-shared-key *
tunnel-group 181.179.236.186 type ipsec-l2l
tunnel-group 181.179.236.186 ipsec-attributes
 pre-shared-key *
telnet 210.0.0.16 255.255.255.255 inside
telnet timeout 5
ssh Admin_host 255.255.255.255 inside
ssh Thetserver 255.255.255.255 inside
ssh 210.0.0.16 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map http-mapl
 match access-list http-list2
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map http-mapl
 class http-mapl
  set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
ntp server Thetserver source inside
prompt hostname context
Cryptochecksum:6e96c9075a3a08d1cc0bdf9c5475b2b6
: end
asdm image disk0:/asdm522.bin
no asdm history enable
Question by:Mawallace
4 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24763373
3DES with Authentication-Use triple DES encryption
algorithm and apply MD5 or SHA-1 authentication algorithm.

Author Comment

by:Mawallace
ID: 24763386
And what about the RIP - Do I have to do anything there?
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 24763515
RIP is an interior routing protocol.

I typically do not use interior routing protocols (RIP, EIGRP, OSPF) across a VPN.

It is based upon your needs.

Author Comment

by:Mawallace
ID: 26048031
Good answer
