3D Innovations 3.0.1 appendix Appendix B Site-to-Site VPN User Interface Reference

Page 47

Appendix B Site-to-Site VPN User Interface Reference

 

 

 

Site to Site VPN Policies

 

Table B-16

VPN Global Settings Page > ISAKMP/IPSec Settings Tab (continued)

 

 

 

 

 

Element

 

Description

 

 

 

 

 

Xauth Timeout

 

Available when Easy VPN is the selected technology, and the

 

 

 

selected device is a Cisco IOS router or Catalyst 6500/7600 device.

 

 

 

The number of seconds the device waits for a response from the end

 

 

 

user after an IKE SA has been established.

 

 

 

When negotiating tunnel parameters for establishing IPSec tunnels

 

 

 

in an Easy VPN configuration, Xauth adds another level of

 

 

 

authentication that identifies the user who requests the IPSec

 

 

 

connection. Using the Xauth feature, the client waits for a

 

 

 

"username/password" challenge after the IKE SA has been

 

 

 

established. When the end user responds to the challenge, the

 

 

 

response is forwarded to the IPSec peers for an additional level of

 

 

 

authentication.

 

 

 

 

Max Sessions Number

Supported on ASA devices and PIX 7.0 devices.

 

 

 

The maximum number of SAs that can be enabled simultaneously

 

 

 

on the device.

 

 

 

 

Enable IPSec via Sysopt

Supported on ASA devices and PIX Firewalls versions 6.3 or 7.0.

 

 

 

When selected, enables you to specify that any packet that comes

 

 

 

from an IPSec tunnel be implicitly trusted (permitted).

 

 

 

 

Enable SPI Recovery

Supported on routers running IOS version 12.3(2)T and later, in

 

 

 

addition to Catalyst 6500/7600 devices running version

 

 

 

12.2(18)SXE and later.

 

 

 

When selected, enables the SPI recovery feature to configure your

 

 

 

device so that if an invalid SPI (Security Parameter Index) occurs,

 

 

 

an IKE SA will be initiated.

 

 

 

SPI (Security Parameter Index) is a number which, together with a

 

 

 

destination IP address and security protocol, uniquely identifies a

 

 

 

particular security association. When using IKE to establish

 

 

 

security associations, the SPI for each security association is a

 

 

 

pseudo-randomly derived number. Without IKE, the SPI is

 

 

 

manually specified for each security association. When an invalid

 

 

 

SPI occurs during IPSec packet processing, the SPI recovery feature

 

 

 

enables an IKE SA to be established.

 

 

 

 

 

 

 

 

 

 

User Guide for Cisco Security Manager 3.0.1

 

 

 

 

 

 

 

 

OL-8214-02

 

 

 

B-47

 

 

 

 

Image 47
Contents Site-to-Site VPN User Interface Reference Working with VPN Topologies, Understanding VPN Topologies,B-37 VPN SummaryB-3 and Peers Page, page B-7 Configuring IPSec Proposals, Configuring High Availability in Your VPN Topology,Configuring VRF-Aware IPSec Settings, Configuring an IKE Proposal,B-53 Understanding IPSec Technologies and Policies,Topology. See IKE Proposal Page, page B-37 See IPSec Proposal Page, page B-39IPSec Tab, page B-28 See GRE Modes Page, page B-59High Availability Page, page B-34 Managing VPN Devices in Device View, PeersTopology. See Device Selection Page, page B-10 Create VPN WizardName and Technology B-10 Device SelectionEditing a VPN Topology, Defining a Name and IPSec Technology,Navigation Path Page, page B-9 Endpoints See VPN Interface Tab, page B-17 B-34 Tab, page B-24See Edit Endpoints Dialog Box, page B-16 Edit Endpoints Dialog Box VPN Interface Tab Information, see Interface Roles Page, page C-126 Procedure for Configuring a Vpnsm or VPN SPA Blade,More information, see Interface Roles Page, page C-126 IP Address for IPSec Termination -To enter manually the IPCisco IOS Routers, More information, see Configuring Dialer Interfaces onBox, page B-32 Defining VPN Services Module Vpnsm or VPN SPA SettingsVPN SPA Blade, For more information, see Adding VPN SPA Slot Locations IP Address for IPSec Termination-To enter manually the IP Protected Networks TabTable B-9 Edit Endpoints Dialog Box Protected Networks Tab Information, see Editing Network/Host Objects, More information, see Editing Access Control List ObjectsFwsm Tab More information, see Editing Interface Role Objects,Table B-10 Edit Endpoints Dialog Box Fwsm Tab For more information, see Interface Roles Page, page C-126 VRF Aware IPSec TabTable B-11 Edit Endpoints Dialog Box VRF Aware IPSec Tab IPSec Two-Box Solution, Solution,Routers C-126Summary page. See VPN Summary Page, page B-3 Dial Backup Settings Dialog BoxTable B-12 Dial Backup Settings Dialog Box High Availability Table B-13 Create VPN wizard High Availability For more information, see Enabling Stateful Failover, Policy configured. See VPN Summary Page, page B-3IKE Proposal Site to Site VPN PoliciesMore information, see IKE Proposal Dialog Box, page C-123 Site-to-Site VPN Policies in Policy View,Understanding Preshared Key Policies, C-123 IPSec ProposalIKE, For more information, see About Crypto Maps, Shared Site-to-Site VPN Policies in Policy View,For more information, see About Transform Sets, IPSec Transform Sets Page, page C-130To Use, Element Description ISAKMP/IPSec Settings Tab VPN Global SettingsFor more information, see About IKE Keepalive, Configuring VPN Global Settings,See Understanding IKE, Appendix B Site-to-Site VPN User Interface Reference VPN Global Settings Page, page B-44 Understanding NAT, NAT Settings TabNAT, For more information, see About NAT Traversal,General Settings Tab For more information, see Understanding Fragmentation Select the required setting for the DF bit Preshared Key Table B-19 Preshared Key Element Description Negotiation Method Public Key Infrastructure Attributes, Working with PKI Enrollment Objects,C-140 GRE Modes FlexConfig see Working with FlexConfigs,Table B-21 GRE Modes Page GRE or GRE Dynamic IP Policy GRE?, OL-8214-02 Configuring Cisco IOS Router Interfaces, OL-8214-02 For more information, see Prerequisites for Successful Configuration of GRE,Element Description Preshared Key Policies, Interfaces, For more information, see Configuring Cisco IOS RouterEasy VPN IPSec Proposal Understanding Easy VPN, For more information, see Understanding NAT, More information, see Working with AAA Server Group Objects Device Access Policies,Group Objects, For more information, see Editing User Group Objects, User Group PolicyWorking with User Group Objects, Tunnel Group Policy PIX 7.0/ASA Tunnel Group Policy General Tab For more information, see Working with ASA User Groups Client Address Assignment Network/Host Objects, Tunnel Group Policy IPSec TabFor more information, see Supported AAA Server Types Tunnel Group Policy Advanced Tab More information, see Working with Interface Role Objects Tunnel Group Policy PIX 7.0/ASA Tunnel Group Policy Client VPN Software Update TabClient Connection Characteristics Table B-29 Easy VPN Remote Client Connection Characteristics Working with Site-to-Site VPN Policies, About Locking in Site-to-Site VPN Topologies,For more information, see Deleting a VPN Topology, See Site to Site VPN Policies, page B-37For more information, see About Editing a VPN Topology OL-8214-02 OL-8214-02