I have Cisco VPN client 4.0 and a PIX 6.3 with DES.
The client tries to connect to the PIX using AES and 3DES. How do I tell the client that it has to use DES?
>I have Cisco VPN client 4.0 and a PIX 6.3 with DES.
>The client tries to connect to the PIX using AES and 3DES. How do I tell the client
>that it has to use DES?
For DES, set MD5.
The VPN client negotiates what it will use over ISAKMP. The funniest part is that the client does not support DES/SHA. If that doesn't help, tell me the exact client version and show the PIX config.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/produc...
Cisco VPN client 4.0 for Mac OS, over UDP.
Here is a piece of the config:
sysopt connection permit-ipsec
crypto dynamic-map mymap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp
! Incomplete
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool test
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
And here is what debug prints:
crypto_isakmp_process_block:src:xxx.xxx.xxx.xxx, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
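Added example (not part of the thread and not Cisco tooling): a small Python parser for the debug format above that reports, for each transform the client offers, which attributes of `isakmp policy 10` it fails on. The sample text is constructed from the posted lines, and comparing only encryption, hash and group is an assumption of this example, not the PIX's full matching rules.

```python
import re

# Constructed sample in the format of the PIX debug output posted above.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP (0): atts are not acceptable.
"""
# Policy lines as posted in the config fragment above.
SAMPLE_POLICY = """\
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
KEYS = {"default group": "group", "keylength of": "keylength"}

def parse_offers(debug_text):
    """Return {transform number: {attribute: value}} for every offered transform."""
    offers, current = {}, None
    for line in debug_text.splitlines():
        head = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line.strip())
        if head:
            current = offers.setdefault(int(head.group(1)), {})
            continue
        attr = re.match(r"ISAKMP:\s+(encryption|hash|default group|keylength of)\s+(\S+)", line.strip())
        if attr and current is not None:
            current[KEYS.get(attr.group(1), attr.group(1))] = attr.group(2).lower().replace("-cbc", "")
    return offers

def parse_policy(config_text, priority):
    """Return the encryption, hash and group configured for one isakmp policy."""
    pattern = rf"isakmp policy {priority} (encryption|hash|group) (\S+)"
    return {m.group(1): m.group(2).lower() for m in re.finditer(pattern, config_text)}

def mismatches(offers, policy):
    """Map each transform number to the policy attributes it fails to match."""
    return {n: sorted(k for k, v in policy.items() if o.get(k) != v) for n, o in offers.items()}

if __name__ == "__main__":
    offers = parse_offers(SAMPLE_DEBUG)
    for n, bad in mismatches(offers, parse_policy(SAMPLE_POLICY, 10)).items():
        print(f"transform {n}: {offers[n]} fails on {bad}")
```

Run over the full debug output, the per-transform result shows whether any proposal offers `des` at all, which is the question raised in the thread.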
And is there a line like this in the config?
crypto ipsec transform-set myset esp-des esp-md5-hmac
>Cisco VPN client 4.0 for Mac OS, over UDP.
>Here is a piece of the config:
>
>sysopt connection permit-ipsec
>crypto dynamic-map mymap 10 set transform-set myset
>crypto map mymap 1 ipsec-isakmp
>! Incomplete
>crypto map mymap 10 ipsec-isakmp dynamic dynmap
>crypto map mymap client configuration address initiate
>crypto map mymap client configuration address respond
Yes, there is.
What puzzles me is that the client doesn't try to use DES.
Folks, please tell me how to finally make Cisco VPN client v.4.6 for Win connect using 3DES.
And here is what debug prints:
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
This line is in the config:
crypto ipsec transform-set myset esp-3des esp-sha-hmac
It doesn't want to work over 3DES :( please help...
and it doesn't hand out an IP address from the pool