Diffie Hellman

Discussion in 'Cisco' started by profile0104, Jul 28, 2005.

  1. profile0104

    profile0104 Guest

    VPN 3000 guide says that

    "Group 5 (1536-bits) is the default choice for use with the AES
    encryption
    algorithms. It works only for LAN-to-LAN connections, and for clients
    using certificates".

    but then it also says that one of the default IKE proposals is:

    "CiscoVPNClient3DES-MD5-DH5 = Use preshared keys (XAUTH) and
    MD5/HMAC-128 for
    authentication. Use 3DES-168 encryption. Use D-H Group 5 to generate SA
    keys. This selection allows XAUTH user-based authentication"

    Does this mean that this particular proposal can be used only for
    LAN-to-LAN connections or is there something I'm missing?

    Thank you
    profile0104, Jul 28, 2005
    #1

  2. profile0104

    Guest

    >
    > "CiscoVPNClient3DES-MD5-DH5 = Use preshared keys (XAUTH) and
    > MD5/HMAC-128 for
    > authentication. Use 3DES-168 encryption. Use D-H Group 5 to generate SA
    > keys. This selection allows XAUTH user-based authentication"
    >
    > Does this mean that this particular proposal can be used only for
    > LAN-to-LAN connections or is there something I'm missing?
    >



    "CiscoVPNClient3DES-MD5-DH5" is intended for remote access VPNs. This
    policy uses XAUTH for remote access *user* authentication (IPsec peer
    [*device*] authentication takes place during IKE phase 1), and is
    designed to be used with either the Cisco VPN client or hardware client
    such as Easy VPN on IOS (EzVPN).

    If you really want to use group 5 (or any other group), you can, of
    course, modify one of the standard policies or create your own policy
    by going to Configuration > Tunneling and Security > IPSec > IKE
    Proposals, and selecting a proposal and clicking 'modify' (to modify an
    existing IKE policy), or clicking 'Add' and creating your own bespoke
    policy (note that the XAUTH/CRACK/HYBRID modes of authentication are
    intended for remote access, not LAN-to-LAN).

    Here's some more info on the subject of authentication, including
    XAUTH/CRACK/HYBRID:

    http://www.groupstudy.com/form/read.php?f=7&i=101296&t=101292

    Hope that helps,

    Mark



    CCIE#6280 / CCSI#21051 / JNCIS#121 / etc.

    Author: www.ciscopress.com/1587051044
    , Jul 29, 2005
    #2
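To make the "Group 5 (1536-bits)" mentioned above concrete, here is an added example (not from this thread, the VPN 3000 guide, or Cisco) of a Diffie-Hellman exchange over the RFC 3526 group 5 modulus, including the range and subgroup check a responder should apply to an incoming KE payload before using it. The prime is transcribed from the RFC and self-checked with Miller-Rabin; hashing the shared value with SHA-256 is a simplification assumed here, not IKE's PRF-based SKEYID derivation.

```python
import hashlib
import secrets
# RFC 3526 "1536-bit MODP Group" = IKE Diffie-Hellman group 5, generator 2.
# Transcribed for this example; the primality checks below guard against typos.
P_GROUP5 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G_GROUP5 = 2

def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases; both P and (P-1)/2 must pass (safe prime)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def peer_value_ok(y, p=P_GROUP5):
    """Reject degenerate KE values (0, 1, p-1) and anything outside the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1

def make_keypair(p=P_GROUP5, g=G_GROUP5):
    """Private exponent x and public value g^x mod p (what goes in the KE payload)."""
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(g, x, p)

def shared_key(x, peer_y, p=P_GROUP5):
    """g^(xy) mod p hashed to 32 bytes (simplified; IKE derives SKEYID via a PRF)."""
    if not peer_value_ok(peer_y, p):
        raise ValueError("invalid peer Diffie-Hellman value")
    z = pow(peer_y, x, p)
    return hashlib.sha256(z.to_bytes((p.bit_length() + 7) // 8, "big")).digest()
```

Both peers end up with the same 32-byte key; a KE payload of 0, 1 or p-1 is refused before any exponentiation uses it.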

  3. profile0104

    profile0104 Guest

    Thank you for your help Mark, but there's still something I don't
    understand.

    The guide says: "..Group 5...works only for LAN-to-LAN connections, and
    clients
    using certificates.." and then it gives an example of a default IKE
    proposal which uses DH5 for clients using preshared keys. Wasn't DH5
    supposed to work with certificates only?

    Bye

    profile0104, Jul 30, 2005
    #3
  4. profile0104

    rave Guest

    yeah group 5 is only meant for certs.
    rave, Aug 1, 2005
    #4
