3DES VPN OK, but not DES...

Status
Not open for further replies.

gbiello

Technical User
Aug 9, 2001
442
US
Hi everyone,
I've created a few VPNs on the PIX, and got them working via DES and the Win2k desktop client. I had a recent job that used 3DES, and upgraded my client to version 3.6.3. Now, I can connect to the 3DES client, but not the old ones. Nothing seems to have changed on the existing ones, so my guess is the 3.6.3 client can only connect with a 3DES connection. I can't find any settings on the client to specify DES or 3DES, so I went to look for my old client on Cisco's site, and the only thing I can find specifies PIX OS version 5.x. All my clients are on PIX OS 6.x.

I've tried syslogging both warnings and info, but can't see any messages indicating I'm even trying to connect. I haven't tried any debugs, and I'm not even sure if I can do that remotely.

Can anyone help me out here?

Thanks much,
-gbiello
 
HI.

If you need the Cisco VPN client 3.5.2 installation, you can send me an email and I'll give you a link.
I am also going to try out the 3.6.3 version with DES connection, so I can post here the results.

If possible, try to play with the hash algorithm also at the PIX (MD5 or SHA) - it might also have issues affecting different clients.

Try to debug at the client side using the log viewer.

Bye
Yizhar Hurwitz
 
HI.

Well, I did now upgrade my workstation from VPN client 3.5.2 to 3.6.3.
I did try to connect after the upgrade to 2 different locations (both use DES).
I was able to connect to only one of them.
The second one gave me this at the client Log Viewer:
1 21:44:25.910 12/14/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to x.x.x.x
2 21:44:26.410 12/14/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x
(I set the log viewer to IKE=MEDIUM, all other disabled).

Before the upgrade I was able to VPN to both locations, so I guess that there is some problem or change with the newer version.

The site that I can connect to is configured with DES & MD5.
About the site that I cannot connect now, I don't have the configuration handy but I think that the difference is that the second one uses SHA1. I'm not sure about it.

Please post your results when you find something new.
Yizhar Hurwitz
 
HI.

So I verified it.
Reinstalled the 3.5.2 version and now I can connect to all locations as before.
The location which I was not able to connect with 3.6.3 uses DES + HMAC-SHA so my conclusion is that VPN client 3.6.3 does not support this combination for some reason or bug.

BTW - I did the test on a Win98SE workstation using modem dial-up connection to the Internet.

Bye Yizhar Hurwitz
 
Yep, 3.5.2 did it! Thanks so much!
-gbiello
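Added example, not part of the thread and not Cisco code: a small model of why the client log above shows NOTIFY:NO_PROPOSAL_CHOSEN. The responder accepts an IKE phase 1 offer only if one offered proposal matches a local policy on every attribute. The client offer list, the pre-share authentication method and the DH group values are constructed assumptions that mirror the thread's finding (no DES + SHA in the offer); the log lines are the ones posted above.

```python
import re
from typing import NamedTuple, Optional

class Proposal(NamedTuple):
    encryption: str
    hash: str
    auth: str
    dh_group: int

def select_proposal(offered, policies) -> Optional[Proposal]:
    """Responder side: first local policy (in priority order) that exactly
    matches an offered proposal; None stands for NO_PROPOSAL_CHOSEN."""
    for policy in policies:
        if policy in offered:
            return policy
    return None

def mismatches(offered, policy):
    """For each offered proposal, the attribute names that differ from policy."""
    return {o: [f for f in Proposal._fields if getattr(o, f) != getattr(policy, f)]
            for o in offered}

LOG_RE = re.compile(
    r"(SENDING >>>|RECEIVING <<<) ISAKMP OAK (\w+) \((.*)\) (?:to|from) (\S+)")

def rejected_peers(log_text):
    """Peers that replied NOTIFY:NO_PROPOSAL_CHOSEN in a VPN client IKE log."""
    return [m.group(4) for m in LOG_RE.finditer(log_text)
            if m.group(1).startswith("RECEIVING")
            and "NO_PROPOSAL_CHOSEN" in m.group(3)]

# Constructed data (assumption): an offer list that lacks DES + SHA.
CLIENT_OFFER = [Proposal("3DES", "SHA", "pre-share", 2),
                Proposal("3DES", "MD5", "pre-share", 2),
                Proposal("DES", "MD5", "pre-share", 2)]
SITE_A = [Proposal("DES", "MD5", "pre-share", 2)]  # site that still connects
SITE_B = [Proposal("DES", "SHA", "pre-share", 2)]  # site that rejects the client
# Log lines as posted in the thread.
SAMPLE_LOG = """1 21:44:25.910 12/14/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to x.x.x.x
2 21:44:26.410 12/14/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x"""

if __name__ == "__main__":
    print("rejected by:", rejected_peers(SAMPLE_LOG))
    print("site A picks:", select_proposal(CLIENT_OFFER, SITE_A))
    print("site B picks:", select_proposal(CLIENT_OFFER, SITE_B))
    for offer, diff in mismatches(CLIENT_OFFER, SITE_B[0]).items():
        print("  offered", offer, "differs in", diff)
```

Every offered proposal differs from the site B policy in at least one attribute, so no single-attribute fallback happens: the fix is either a client that offers the exact combination or an additional policy on the PIX that matches one of the offers.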
 