Cisco Systems OL-5532-02 manual Creating Encryption Policies


Chapter 4 Remote Access VPN Services


Figure 4-4 The AAA Servers Page After Adding A New Server

Creating Encryption Policies

The encryption policy defines the security parameters for protecting data traveling through the VPN tunnels. It consists of one or more IKE proposals, one or more IPsec proposals, and global attributes. For example, the IKE proposal portion of the encryption policy could consist of selecting the 3DES, SHA, certificates, and Diffie-Hellman Group 2 options, and the IPsec proposal portion of the encryption policy could consist of selecting the ESP-AES, ESP-SHA, no authentication header (AH), no compression, and no PFS options. Note that 3DES and Diffie-Hellman Group 2 (1024-bit MODP) are weak by current standards; where the devices support it, prefer AES for both IKE and IPsec, a Diffie-Hellman group of 14 or higher, and enable PFS so that a compromised IKE key does not expose past IPsec sessions.

You must have an encryption policy for your remote access policy. However, the same encryption policy defined for a site-to-site VPN policy may also be used for a remote access policy. So, if you have already created an encryption policy in ISC that you would like to use, proceed to the “Creating Remote Access VPN Policies” section on page 4-5. Otherwise, follow the instructions in the “Creating an Encryption Policy” section on page 3-5 and create an encryption policy before continuing.

Creating Remote Access VPN Policies

The remote access VPN policy defines the characteristics of the IPsec tunnel between the customer site and the remote user. Its attributes include the VPN group name and password, IP address pools, and split tunneling subnets. Additionally, the policy defines which VPN features are enabled and which are not. For example, the policy enables (or disables) reverse route injection (RRI) and NAT transparency (NAT traversal with IKE NAT keepalives).
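As an added example (this is not from the original page and is not configuration generated by ISC), the following shows what the two policies described above correspond to in Cisco IOS CLI on an IOS remote access (Easy VPN) server. The group name RAGROUP, its key, the pool, ACL, AAA list and crypto map names, the address ranges, and the interface are hypothetical; the IOS commands themselves are standard. It also shows the one point the two policy examples leave implicit: a group password in the remote access policy needs an ISAKMP policy that uses pre-shared keys, while the certificate option in the encryption policy example needs one that uses RSA signatures.

```cisco
! --- Encryption policy, IKE proposals ---
! Policy 10 matches the page's example: 3DES, SHA, certificates, DH group 2.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
! Policy 20 is what a remote access group that authenticates with a group
! password (pre-shared key) actually needs; clients select it via aggressive mode.
crypto isakmp policy 20
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Caveat: 3DES and group 2 are weak today. Where supported, use
! "encryption aes 256" and "group 14" (or higher) instead.
!
! --- Encryption policy, IPsec proposal: ESP-AES, ESP-SHA, no AH, no compression ---
! "No PFS" is expressed by omitting "set pfs" in the dynamic map below.
crypto ipsec transform-set RA-TS esp-aes esp-sha-hmac
 mode tunnel
!
! --- Remote access VPN policy ---
aaa new-model
aaa authentication login RA-XAUTH local          ! XAuth user authentication
aaa authorization network RA-GROUPAUTH local     ! group (policy) lookup
!
! Address pool handed to clients via mode configuration
ip local pool RA-POOL 10.10.1.1 10.10.1.254
! Split tunneling: only this subnet goes through the tunnel, the rest stays local
ip access-list extended RA-SPLIT
 permit ip 192.168.10.0 0.0.0.255 any
!
! VPN group name and group password, with its pool and split-tunnel list
crypto isakmp client configuration group RAGROUP
 key RAGROUPSECRET
 pool RA-POOL
 acl RA-SPLIT
 domain example.com
!
! NAT transparency: UDP 4500 encapsulation is negotiated automatically;
! keepalives hold the NAT mapping open while the tunnel is idle.
crypto isakmp nat keepalive 20
!
! Dynamic crypto map for the (unknown) client peers, with reverse route
! injection so a host route to each assigned client address is created.
crypto dynamic-map RA-DYN 10
 set transform-set RA-TS
 reverse-route
!
crypto map RA-MAP client authentication list RA-XAUTH
crypto map RA-MAP isakmp authorization list RA-GROUPAUTH
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 10 ipsec-isakmp dynamic RA-DYN
!
interface GigabitEthernet0/0
 crypto map RA-MAP
```

To turn reverse route injection or NAT keepalives off, remove the `reverse-route` line and the `crypto isakmp nat keepalive` line respectively; to enable PFS, add `set pfs group14` (or the group the policy specifies) under the dynamic map entry.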

Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2 (OL-5532-02), page 4-5

[Chapter 4 index residue; recoverable section titles: Adding AAA Server Devices to Your Repository, Creating Encryption Policies, Creating Remote Access VPN Policies, Defining Address Pools, Defining Split Tunneling Networks (Optional), Defining the Remote Access User List (Optional), Defining Cisco IOS Software-Specific Parameters, Defining PIX Firewall-Specific Parameters, Defining VPN 3000-Specific Parameters, Defining the VPN 3000 Access Hours, Defining the VPN 3000 L2TP Parameters, Creating Remote Access VPN Service Requests]