Cisco Systems OL-5532-02 Owner, Encryption Policy Select button, Group Type, Group Password

Page 8

Chapter 4 Remote Access VPN Services

Creating Remote Access VPN Policies

Table 4-2 Remote Access VPN Policy – General Editor Fields

 

Field Name

Type

Instructions

 

 

 

 

 

 

 

Name

text box

Enter a name for the policy. However, the name cannot contain spaces because it is

 

 

 

 

 

used as the VPN group name.

 

 

 

 

 

 

Owner

radio button

Click Customer > Select and choose the customer for which the remote access VPN

 

 

 

 

and Select

is intended. When you click Customer > Select, the Customer for IPsec Policy dialog

 

 

 

 

button

box appears. Click the button next to the customer you want to select and click Select

 

 

 

 

 

(to choose that customer), or click Cancel to exit the dialog box without saving

 

 

 

 

 

changes. Both return you to the main page.

 

 

 

 

 

Do not select Global. It is important to associate remote access policies with a

 

 

 

 

 

specific customer because many remote access VPN parameters are

 

 

 

 

 

customer-specific.

 

 

 

 

 

 

Encryption Policy

Select button

Choose the name of an encryption policy you created in previous steps by clicking

 

 

 

 

 

Select. The encryption policy specifies the IKE and IPsec proposal parameters for the

 

 

 

 

 

IPsec VPN and determines the level of encryption used in the IPsec VPN tunnels.

 

 

 

 

 

 

Group Type

drop-down

Select the policy type. An internal group is configured on the VPN device while an

 

 

 

 

list

external group is configured on an external AAA server.

 

 

 

 

 

Internal – Group attributes are on the target device. If the user profiles and group

 

 

 

 

 

attributes are maintained on the CPE device itself, select Internal.

 

 

 

 

 

External – Group attributes are obtained from a AAA Server. If the user profiles

 

 

 

 

 

and group attributes are maintained on a AAA Server, select External.

 

 

 

 

 

 

Group Password

text box

Required when you select Internal for the Group Type field. Enter the password

 

 

 

 

 

(IKE preshared key) for the group. The policy name and password are very important

 

 

 

 

 

because they are the group name and password that remote users must use when

 

 

 

 

 

connecting through the Cisco VPN Client.

 

 

 

 

 

 

Confirm Password

text box

Re-enter the group password to verify it.

 

 

 

 

 

 

XAuth

checkbox

Check to enable IKE Extended Authentication (XAuth).

 

 

 

 

 

 

XAuth Timeout

text box

Enter the idle timeout value for XAuth. The range is from 5 to 90 seconds. The default

 

 

 

 

 

value is 5 seconds.

 

 

 

 

 

 

Use Mode

checkbox

Mode Configuration is also known as the ISAKMP Configuration Method or

 

Configuration

 

Configuration Transaction. Specifically, when enabled, this option exchanges

 

 

 

 

 

configuration parameters with the client while negotiating Security Associations

 

 

 

 

 

(SAs).

 

 

 

 

 

Check the Mode Configuration checkbox to use Mode Configuration with the IPsec

 

 

 

 

 

clients in this group. You must enable Mode Configuration for IPsec clients because

 

 

 

 

 

IPsec uses Mode Configuration to pass all configuration parameters to the client.

 

 

 

 

 

Otherwise, these parameters are not passed to the client. Also, you must check this

 

 

 

 

 

box to use split tunneling.

 

 

 

 

 

Uncheck the box if you are using L2TP over IPsec as your tunneling protocol.

 

 

 

 

 

Note The Cisco VPN Client supports Mode Configuration, but other IPsec clients

 

 

 

 

 

may not. For example, the Microsoft Windows 2000 IPsec client does not

 

 

 

 

 

support Mode Configuration. (The Windows 2000 client uses the PPP layer

 

 

 

 

 

above L2TP to receive its IP address from the VPN Concentrator.) If you are

 

 

 

 

 

using other client software packages, check for compatibility in the

 

 

 

 

 

documentation for your client software before using this option.

 

 

 

 

 

 

 

 

 

 

Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2

 

 

 

 

 

 

 

 

 

 

 

 

4-8

 

 

 

OL-5532-02

 

 

 

 

 

 

Page 7 Page 9
Image 8
Page 7 Page 9
Contents Remote Access VPN Services Adding AAA Server Devices to Your Repository AAA Servers Timeout NameOwner Select button IP AddressCreating Encryption Policies Click Remote Access VPN Policy PoliciesRemote Access VPN Policy General Editor Group Password Confirm PasswordXAuth Timeout Use ModeAuthentication Default DomainNAT Traversal IKE NAT KeepaliveRemote Access VPN Policy Address Pools Defining Address PoolsNet Mask Starting AddressEnding Address 11 Remote Access VPN Policy Split Tunneling Network List Defining Split Tunneling Networks OptionalSplit Tunneling PolicyGenerate CreateDefining the Remote Access User List Optional 14 The Everything Option for Split TunnelingPassword User IDDefining Cisco IOS Software-Specific Parameters SA Idle TimeoutEnabled SA Idle Timeout Defining PIX Firewall-Specific Parameters Reverse RouteInjection Group LockIdle Timeout Defining VPN 3000-Specific ParametersMax Connect Time Sysopt ConnectionLogins Min Password Only PasswordsAuthentication on SimultaneousDefining the VPN 3000 Access Hours Defining the VPN 3000 L2TP Parameters ControlStart Time End TimeUse Client Address L2TP CompressionRequired Require StatelessMSCHAPv2 SummaryMSCHAPv1 23 The Policies Page with Policy Status Displayed Creating Remote Access VPN Service Requests Description Network-basedIPsec Remote Access PoliciesAAA Servers CPEs29 CPEs Associated with Remote Access Service Dialog Box 31 Add/Remove Templates Dialog Box 32 The Template DataFile Chooser Action ActiveOL-5532-02
Top Page Image Contents