Re: des instead of 3des

From: Luschinsky Vyacheslav (slavon@slavon.ru)
Date: 06/04/02


From: "Luschinsky Vyacheslav" <slavon@slavon.ru>
Date: Tue, 4 Jun 2002 08:31:01 +0400


To be more precise, I am referring to IKE negotiation. When I use pre-shared
keys I can use DES; when I use a certificate obtained from the MS CA, the DES policy
is not sent by the VPN client (Cisco VPN client 3.5) through IKE as one of the
possible choices and therefore is not matched by the VPN server (PIX 6.0).
So if the cert server has nothing to do with it, the question may sound like
this: why might VPN software have different policies when using different kinds
of authentication (pre-shared or certificate)? Do you think it is a problem with the
Cisco software?

> The certificates have nothing to do with DES/3DES. Symmetric algorithm
> information is not contained within the x.509 certificate issued by the MSFT
> CA.
>
> I think you are referring to the VPN software itself - in that case 3DES is
> only supported by Windows XP clients (has nothing to do with the CA you are
> using). You can use 3DES with IPSEC in Windows XP, by turning it on through
> group policy.
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Luschinsky Vyacheslav" <slavon@slavon.ru> wrote in message
> news:adfd27$srd$1@news.sovam.com...
> > I don't need strong protection. I just need other than password-protected
> > entrance to local network. VPN with certificate auth will just do.
> >
> > "David Dickinson [MVP]" <eis@no-spam.softhome.net> wrote in message
> > news:eV6x2ztCCHA.824@tkmsftngp05...
> > > Luschinsky Vyacheslav wrote:
> > > > I have w2k server sp2 and certificate services installed.
> > > > Certificates that are issued by it allow only 3DES encryption that is
> > > > not supported by the other side. Can I make the server issue certs for DES
> > > > encryption?
> > >
> > > Can you update the other side? DES is not secure. It takes less than a
> > > day to break it.
> > >
> > > --
> > > David Dickinson, MVP (Security)
> > > EveningStar Information Services
> > > Las Cruces, NM USA
> > >
> > > Summary of Microsoft Security Bulletins
> > > http://www.zianet.com/bwd/securitybulletins.asp
> > >
> > >
> > >
> >
> >
>
>


