Appendix B Site-to-Site VPN User Interface Reference
Site to Site VPN Policies

Table: VPN Global Settings Page > ISAKMP/IPSec Settings Tab (continued)

| Element | Description |
| --- | --- |
| Xauth Timeout | Available when Easy VPN is the selected technology, and the selected device is a Cisco IOS router or Catalyst 6500/7600 device. |
| | The number of seconds the device waits for a response from the end user after an IKE SA has been established. |
| | When negotiating tunnel parameters for establishing IPSec tunnels in an Easy VPN configuration, Xauth adds another level of authentication that identifies the user who requests the IPSec connection. Using the Xauth feature, the client waits for a "username/password" challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPSec peers for an additional level of authentication. |
| Max Sessions Number | Supported on ASA devices and PIX 7.0 devices. |
| | The maximum number of SAs that can be enabled simultaneously on the device. |
| Enable IPSec via Sysopt | Supported on ASA devices and PIX Firewalls versions 6.3 or 7.0. |
| | When selected, enables you to specify that any packet that comes from an IPSec tunnel be implicitly trusted (permitted). |
| Enable SPI Recovery | Supported on routers running IOS version 12.3(2)T and later, in addition to Catalyst 6500/7600 devices running version 12.2(18)SXE and later. |
| | When selected, enables the SPI recovery feature to configure your device so that if an invalid SPI (Security Parameter Index) occurs, an IKE SA will be initiated. |
| | SPI (Security Parameter Index) is a number which, together with a destination IP address and security protocol, uniquely identifies a particular security association. When using IKE to establish security associations, the SPI for each security association is a |
| | manually specified for each security association. When an invalid SPI occurs during IPSec packet processing, the SPI recovery feature enables an IKE SA to be established. |
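
The lookup and recovery decision described in the Enable SPI Recovery row, as an added Python example (not Cisco code and not part of the original guide). The `Receiver` class, its method names, the addresses and the SPI value are constructed for illustration; dropping the packet when recovery is disabled is the standard IPsec handling of an unknown SPI, not something this table states.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number for ESP


def sample_packet(spi: int, seq: int) -> bytes:
    """Constructed ESP payload: 4-byte SPI, 4-byte sequence number, dummy body."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def parse_esp_header(payload: bytes):
    """Return (spi, sequence_number) from the first 8 bytes of an ESP payload."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", payload[:8])


class Receiver:
    """Hypothetical IPsec receiver with a security association database (SAD)."""

    def __init__(self, spi_recovery: bool):
        self.spi_recovery = spi_recovery
        self.sad = {}  # (destination IP, security protocol, SPI) -> SA parameters

    def add_sa(self, dst: str, proto: int, spi: int, params: dict) -> None:
        self.sad[(ipaddress.ip_address(dst), proto, spi)] = params

    def reload(self) -> None:
        """Simulate a reboot: local SAs are lost while the peer keeps sending."""
        self.sad.clear()

    def handle(self, src: str, dst: str, proto: int, payload: bytes):
        spi, _seq = parse_esp_header(payload)
        # The triple, not the SPI alone, identifies the security association.
        if (ipaddress.ip_address(dst), proto, spi) in self.sad:
            return ("process", spi)
        if self.spi_recovery:
            # Invalid SPI: initiate an IKE SA with the sender so it can rekey.
            return ("initiate-ike-sa", src)
        return ("drop", spi)  # no recovery: the packet is discarded


if __name__ == "__main__":
    rx = Receiver(spi_recovery=True)
    rx.add_sa("203.0.113.1", ESP, 0x1000ABCD, {"cipher": "placeholder"})
    pkt = sample_packet(0x1000ABCD, 7)
    print(rx.handle("198.51.100.2", "203.0.113.1", ESP, pkt))
    rx.reload()
    print(rx.handle("198.51.100.2", "203.0.113.1", ESP, pkt))
```
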

User Guide for Cisco Security Manager 3.0.1