
Re: [FW-1] CiSCO Commands for "Use Perfect Forward Secrecy"


  • To: [email protected]
  • Subject: Re: [FW-1] CiSCO Commands for "Use Perfect Forward Secrecy"
  • From: YAVUZ TEMIZKAN <[email protected]>
  • Date: Wed, 22 Oct 2003 13:12:26 +0300
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcOYgg+sMIGEMOwTSle7phd9zdWx7wAAuvGQ
  • Thread-topic: [FW-1] CiSCO Commands for "Use Perfect Forward Secrecy"

Specify that IPSec should ask for perfect forward secrecy (PFS) when
requesting new security associations for this crypto map entry, or
should require PFS in requests received from the peer:

crypto map map-name seq-num set pfs [group1 | group2]

For example:

crypto map mymap 10 set pfs group2

This example specifies that PFS should be used whenever a new security
association is negotiated for the crypto map "mymap 10." The 1024-bit
Diffie-Hellman prime modulus group will be used when a new security
association is negotiated using the Diffie-Hellman exchange.


-----Original Message-----
From: Chontzopoulos Dimitris [mailto:[email protected]]
Sent: Wednesday, October 22, 2003 12:24 PM
To: [email protected]
Subject: [FW-1] CiSCO Commands for "Use Perfect Forward Secrecy"

Hello gurus of the list,

This may be off-topic, so I apologize. I just have a quick question.
Is there a way to create a VPN tunnel between a CP
VPN-1 v4.1 SP3 and a CiSCO Router by *enabling* "Use perfect
Forward Secrecy" on the Firewall? I have established a
VPN tunnel, but I really don't know if there are appropriate commands
for the CiSCO Router to support this feature.

Below are the commands I used on the CiSCO side:

Access-list 101 permit ip ..xxx.xxx xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
Access-list 101 permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx

Crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2

Crypto isakmp key abcdefghij address xxx.xxx.xxx.xxx
Crypto ipsec transform-set testset esp-des esp-md5-hmac

Crypto map testmap 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set testset
 match address 101

Interface Ethernet 0
 Crypto map testmap


Cheers,

Dimitris.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
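As an added example that is not part of the thread, the following Python script audits an IOS-style configuration for the setting discussed above: it parses every `ipsec-isakmp` crypto map entry and reports entries that never ask for PFS, or that ask for the weaker group1. The configuration text is a constructed sample modelled on Dimitris's posting (peer addresses are documentation addresses, not real ones); that bare `set pfs` defaults to group1 is the IOS behaviour as I understand it and is stated in a comment.

```python
import re

# Constructed sample in the style of the thread's configuration (not a real device):
# entry 10 has no PFS, entry 20 asks for group2, entry 30 asks for the weaker group1.
SAMPLE_CONFIG = """\
crypto ipsec transform-set testset esp-des esp-md5-hmac
Crypto map testmap 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set testset
 match address 101
crypto map testmap 20 ipsec-isakmp
 set peer 192.0.2.2
 set pfs group2
 set transform-set testset
 match address 102
crypto map testmap 30 ipsec-isakmp
 set peer 192.0.2.3
 set pfs group1
 set transform-set testset
 match address 103
interface Ethernet0
 crypto map testmap
"""

MAP_HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$", re.IGNORECASE)

def parse_crypto_maps(config):
    """Return {(map-name, seq): [sub-commands]} for each ipsec-isakmp crypto map entry."""
    entries, current = {}, None
    for line in config.splitlines():
        m = MAP_HEADER.match(line.rstrip())
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = []
        elif line.startswith(" ") and current is not None:
            entries[current].append(line.strip().lower())
        else:
            current = None  # any other top-level command ends the entry
    return entries

def audit_pfs(config):
    """One finding per entry that never asks for PFS or uses group1 (assumed IOS default for bare 'set pfs')."""
    findings = []
    for (name, seq), cmds in sorted(parse_crypto_maps(config).items()):
        pfs = [c for c in cmds if c.startswith("set pfs")]
        if not pfs:
            findings.append(f"{name} {seq}: no 'set pfs', IPsec SA keys derive from the ISAKMP SA without a fresh DH exchange")
        elif pfs[0] == "set pfs" or "group1" in pfs[0]:
            findings.append(f"{name} {seq}: PFS uses 768-bit group1, use 'set pfs group2'")
    return findings
```

Calling `audit_pfs(SAMPLE_CONFIG)` on the sample reports entries 10 and 30 and accepts entry 20.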