I hate asking these "obvious" questions... depending on your answer, one of us will probably feel a bit silly.

Are you sure your IOS release supports 3des? AFAIK it's only in the last couple years that Cisco stopped charging a premium for 3des.

Josh McAllister

> -----Original Message-----
> From: Chris Nottingham [mailto:chris at thewebgeek dot com]
> Sent: Tuesday, March 08, 2005 5:49 AM
> To: Elijah Savage; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec
>
> Works great with single DES/MD5, but 3DES/MD5 will not complete phase 2.
>
> ________________________________
>
> From: Elijah Savage [mailto:esavage at digitalrage dot org]
> Sent: Mon 3/7/2005 6:51 PM
> To: Chris Nottingham; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec
>
> Let me know if you got it working.
>
> -----Original Message-----
> From: Chris Nottingham
> Sent: Sunday, March 06, 2005 6:46 PM
> To: Elijah Savage; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] m0n0 to cisco point to point ipsec
>
> Elijah,
>
> Thank you for the config. I have just a couple questions to clarify the
> whole config. I would set my m0n0 for 3DES/MD5 for phase 1 with
> pre-shared secret, and phase 2 would be ESP with 3DES/MD5? What would I
> use for the DH group for phase 1 with this config?
>
> Thanks,
> Chris
>
> ----------------------------------------------------------------------------
>
> This will get you started. He will need to put in the appropriate
> access-list 120 to send across the tunnel; if he is a Cisco guy he will
> understand this.
>
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
> crypto isakmp key XXX address X.X.X.X no-xauth
>
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
>
> crypto map clientmap 1 ipsec-isakmp
>  set peer X.X.X.X
>  set transform-set myset
>  match address 120
>
> Int s0/0
>  crypto map clientmap
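
The question raised at the top of this thread (does the IOS image support 3DES at all?) can be checked mechanically. The following is an added example, not part of the original messages: it pulls the ciphers out of the quoted config and compares them with the feature-set token of an image filename as reported by `show version`. It assumes the IOS naming convention in which `k9` marks a strong-crypto (3DES/AES) image and `k8` a 56-bit DES image; the image filenames used with it are constructed, since the thread does not give one.

```python
import re

# Constructed sample: the quoted config, trimmed to the lines that name ciphers.
SAMPLE_CONFIG = """\
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key XXX address X.X.X.X no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""

def ciphers_required(config):
    """Return the encryption algorithms the config names for each IKE phase."""
    need = {"phase1": set(), "phase2": set()}
    in_policy = False
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # top-level command: track the section
            in_policy = line.startswith("crypto isakmp policy")
        m = re.match(r"encr(?:yption)?\s+(\S+)", line)
        if in_policy and m:
            need["phase1"].add(m.group(1))
        m = re.match(r"crypto ipsec transform-set\s+\S+\s+(.+)", line)
        if m:  # keep ESP ciphers only; skip the HMAC and null transforms
            need["phase2"].update(t[4:] for t in m.group(1).split()
                if t.startswith("esp-") and "hmac" not in t and t != "esp-null")
    return need

def image_crypto(image_name):
    """Classify an image filename such as platform-featureset-format.version."""
    # Assumption: k9 = 3DES/AES capable, k8 = DES only; older schemes -> unknown.
    feature = image_name.split("-")[1] if image_name.count("-") >= 2 else ""
    if "k9" in feature:
        return "strong"
    if "k8" in feature:
        return "des-only"
    return "unknown"

def check(config, image_name):
    """List the phases where 3des is configured but the image is not k9."""
    level = image_crypto(image_name)
    findings = []
    for phase, ciphers in sorted(ciphers_required(config).items()):
        if "3des" in ciphers and level != "strong":
            findings.append(f"{phase}: 3des configured, image is {level}")
    return findings
```

An "unknown" result means the filename uses a scheme this sketch does not decode, so the feature set has to be confirmed on the router itself.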