I have the following situation that I am hoping someone in this group can shed some light on and perhaps educate me about.
I have a user running SecureRemote (NOT SecureClient) on an identical Windows platform (Windows XP Prof. Service Pack 1) with Secure Remote NG with AI R55 build 082. I've set up an account for this user on the management server. By the way, both the management server and the enforcement module are running NG Feature Pack 3 with HFA317. Licensing is NOT an issue. After creating that account, I edit the "remote access" VPN community, enter the proper information, and last, push that policy to the enforcement module.
Here is what I am seeing:
When this user attempts to make a connection, the connection fails. The log on the firewall indicates that the firewall does not support "aggressive mode". However, when I attempt with the same user account, it works for me. By the way, we are both using the same user account and the same Secure Remote software version (NG with AI R55 build 082). The only difference is that my ISP is Cox and the other user's ISP is Comcast. I don't think that makes any difference, but why it is not working for this user, I have no idea. In order to make it work for this user, I have to enable "aggressive mode" on the firewall, which is something I would like to "avoid".
The other thing I notice is that when I have "aggressive mode" enabled on the firewall and the user is connected, the log shows IKE phase I and IPSec phase II as 3DES/SHA-1. However, when I connect, my phase I is AES-256 while phase II is 3DES/SHA-1. Again, we are both using the identical client software with the same settings on both sides. In the "Global Properties", "Remote Access", "VPN", "Advanced" settings, I have the encryption setting at 3DES/SHA-1. In the IKE settings, I have it set to "group 2". I even turned off "AES-256" on the firewall. It still doesn't make any difference. My phase I connection is still AES-256 while for the other user it is still 3DES. I even turned on debug on the firewall ("vpn debug ikeon") and it confirms my worst nightmare. By the way, I use "IKE-View" to view phase I and phase II.
Why the inconsistencies? Can someone explain how AES works with SecureRemote?
Try to force 3DES and SHA in the firewall object->vpn->traditional_mode_config; I see in a lab test that vpn_fw always tries to use AES-256, even if another algorithm is specified.
This is not a fix, but it could be a starting point.
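To make the negotiation behind the log lines in this thread concrete, here is a small added example (my own illustration, not code from the thread and not Check Point's implementation): a toy model of IKEv1 phase 1 transform selection in the style of RFC 2409, where the client offers an ordered proposal list and the gateway accepts the first entry its policy allows. The gateway policies, the proposal lists and the hypothetical "client A" and "client B" are all constructed; it does not claim to reproduce SecureRemote's actual proposal order.

```python
"""
Toy model of IKEv1 phase 1 transform negotiation (RFC 2409 style): the
initiator (remote-access client) offers an ordered list of transforms and the
responder (VPN gateway) accepts the first one its own policy permits.
Constructed illustration, not Check Point's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Transform:
    """One IKE phase 1 proposal: cipher, integrity hash and Diffie-Hellman group."""
    encryption: str   # e.g. "AES-256", "3DES"
    hash_alg: str     # e.g. "SHA-1", "MD5"
    dh_group: int     # IKE DH group number, e.g. 2 (1024-bit MODP)


# Constructed sample policies (hypothetical gateway and clients A and B).
# Both clients offer the same two transforms, in a different order.
GATEWAY_ALLOWED = [Transform("AES-256", "SHA-1", 2), Transform("3DES", "SHA-1", 2)]
GATEWAY_3DES_ONLY = [Transform("3DES", "SHA-1", 2)]
CLIENT_A_OFFER = [Transform("AES-256", "SHA-1", 2), Transform("3DES", "SHA-1", 2)]
CLIENT_B_OFFER = [Transform("3DES", "SHA-1", 2), Transform("AES-256", "SHA-1", 2)]
# A proposal spanning two DH groups: fine in main mode, invalid in aggressive mode.
MIXED_GROUP_OFFER = [Transform("3DES", "SHA-1", 2), Transform("3DES", "SHA-1", 1)]


def negotiate_phase1(offered: List[Transform], allowed: List[Transform]) -> Optional[Transform]:
    """Responder's choice: the first offered transform that the responder permits.
    Returns None when nothing matches, i.e. phase 1 fails."""
    allowed_set = set(allowed)
    for transform in offered:
        if transform in allowed_set:
            return transform
    return None


def chosen_cipher(offered: List[Transform], allowed: List[Transform]) -> Optional[str]:
    """Convenience wrapper: just the cipher name of the negotiated transform."""
    chosen = negotiate_phase1(offered, allowed)
    return chosen.encryption if chosen else None


def aggressive_mode_offer_valid(offered: List[Transform]) -> bool:
    """In aggressive mode the initiator sends its DH public value in its first
    message, so the group cannot be negotiated: every offered transform must use
    the same DH group (RFC 2409, section 5.4). Main mode has no such restriction."""
    return len({t.dh_group for t in offered}) == 1


def audit_negotiated(negotiated: Optional[Transform], expected: Transform) -> List[str]:
    """Compare what the gateway actually chose with what the administrator intended.
    Returns one finding per deviation; an empty list means the SA matches policy."""
    if negotiated is None:
        return ["phase 1 failed: client and gateway share no transform"]
    findings = []
    if negotiated.encryption != expected.encryption:
        findings.append(f"encryption {negotiated.encryption}, expected {expected.encryption}")
    if negotiated.hash_alg != expected.hash_alg:
        findings.append(f"hash {negotiated.hash_alg}, expected {expected.hash_alg}")
    if negotiated.dh_group != expected.dh_group:
        findings.append(f"DH group {negotiated.dh_group}, expected {expected.dh_group}")
    return findings


def run_scenarios() -> Dict[str, Optional[str]]:
    """Negotiate each constructed client against each gateway policy."""
    return {
        "A vs gateway allowing AES-256 and 3DES": chosen_cipher(CLIENT_A_OFFER, GATEWAY_ALLOWED),
        "B vs gateway allowing AES-256 and 3DES": chosen_cipher(CLIENT_B_OFFER, GATEWAY_ALLOWED),
        "A vs gateway allowing 3DES only": chosen_cipher(CLIENT_A_OFFER, GATEWAY_3DES_ONLY),
        "B vs gateway allowing 3DES only": chosen_cipher(CLIENT_B_OFFER, GATEWAY_3DES_ONLY),
    }


if __name__ == "__main__":
    for label, cipher in run_scenarios().items():
        print(f"{label}: {cipher}")
    expected = Transform("3DES", "SHA-1", 2)
    print(audit_negotiated(negotiate_phase1(CLIENT_A_OFFER, GATEWAY_ALLOWED), expected))
    print("mixed-group offer valid in aggressive mode:",
          aggressive_mode_offer_valid(MIXED_GROUP_OFFER))
```

In this model two clients with the same set of transforms can still land on different phase 1 ciphers when their proposal order differs, and once AES-256 is dropped from the gateway's allowed list both fall back to 3DES. The comparison it automates, checking the negotiated SA against the intended policy, is the same one a reader can do by hand on the transform payloads in an IKE-View trace for each user. The aggressive-mode function shows the one structural constraint that mode adds: a single DH group per proposal.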