Appendix A Cisco VPN Server Configuration 47
Certificates
When setting up and installing certificates, make sure of the following:
• The server identity certificate must contain the server’s DNS name and/or IP address
in the subject alternative name (SubjectAltName) field. The device uses this
information to verify that the certificate belongs to the server it is connecting to.
The SubjectAltName may use wildcard characters for per-segment matching, such as
vpn.*.mycompany.com, for more flexibility. The DNS name can be put in the common
name field only if no SubjectAltName is specified.
• The certificate of the CA that signed the server’s certificate must be installed on the
device. If that CA isn’t a root CA, also install the remainder of the trust chain (each
intermediate CA up to the root) so that the server certificate chains to a trusted root.
• If client certificates are used, make sure that the CA certificate that signed the
client certificates is installed on the VPN server as a trusted CA.
• Every certificate in the chain, including the CA certificates, must be valid (not expired
or not yet valid, for example).
• Sending of certificate chains by the server isn’t supported and should be turned off;
the device must already hold the CA certificates described above.
• When using certificate-based authentication, make sure that the server is set up to
identify the user’s group based on fields in the client certificate. See “Authentication
Groups” on page 46.
IPSec Settings
Use the following IPSec settings:
• Mode: Tunnel Mode
• IKE Exchange Modes: Aggressive Mode for pre-shared key and hybrid authentication;
Main Mode for certificate authentication. Note that Aggressive Mode sends the peer
identities and the hash derived from the pre-shared key before the exchange is
encrypted, so an eavesdropper can attempt offline guessing of the group pre-shared
key. Use a long, random pre-shared key.
• Encryption Algorithms: 3DES, AES-128, AES-256. Prefer AES; 3DES is a legacy
algorithm listed for compatibility only.
• Authentication Algorithms: HMAC-MD5, HMAC-SHA1. Prefer HMAC-SHA1; HMAC-MD5 is
listed for compatibility only.
• Diffie-Hellman Groups: Group 2 is required for pre-shared key and hybrid
authentication. For certificate authentication, use Group 2 with 3DES and AES-128,
and Group 2 or 5 with AES-256.
• PFS (Perfect Forward Secrecy): If PFS is used for IKE phase 2, the Diffie-Hellman group
must be the same as the one used for IKE phase 1.
• Mode Configuration: Must be enabled.
• Dead Peer Detection: Recommended.
• Standard NAT Traversal: Supported and can be enabled if desired. (IPSec over TCP
isn’t supported.)
• Load Balancing: Supported and can be enabled if desired.
• Re-keying of Phase 1: Not currently supported. Set the Phase 1 re-keying time
(lifetime) on the server to approximately one hour.
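As an added example that is not part of this guide and is not taken from Cisco’s own documentation, the following Cisco IOS IKEv1 configuration fragment puts the certificate requirements and the IPSec settings above together: one trustpoint per CA in the chain, a certificate map that selects the user’s group from a client-certificate field, Phase 1 policies using the listed algorithm and Diffie-Hellman group combinations with a one-hour lifetime, Dead Peer Detection, NAT traversal keepalives, and a dynamic crypto map with Mode Configuration and PFS matching Phase 1. All names (CORP-ROOT-CA, CORP-ISSUING-CA, IPHONE-MAP, iphone-psk, the address pool, the DNS server address and the AAA list names) are placeholders, and exact command forms vary by IOS release; verify each line against the documentation for the release in use.

```cisco
! ---- AAA lists for XAUTH user authentication and group authorization ----
! (local database shown; production deployments usually point these at RADIUS)
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUPS local

! ---- Certificates: one trustpoint per CA in the chain ----
! The issuing CA is chained to the root with "chain-validation continue",
! so a certificate from the issuing CA is validated up to the root.
crypto key generate rsa label VPN-ID-KEY modulus 2048
crypto pki trustpoint CORP-ROOT-CA
 enrollment terminal
 revocation-check none
crypto pki trustpoint CORP-ISSUING-CA
 enrollment terminal
 revocation-check none
 chain-validation continue CORP-ROOT-CA
 ! Identity certificate is requested from this trustpoint. The CA must place
 ! the VPN DNS name (vpn.mycompany.com) in SubjectAltName when it issues the
 ! certificate; the device matches that field, not only the CN below.
 subject-name CN=vpn.mycompany.com,O=MyCompany
 rsakeypair VPN-ID-KEY
! Import the CA certificates (paste PEM at the prompt), then enroll.
crypto pki authenticate CORP-ROOT-CA
crypto pki authenticate CORP-ISSUING-CA
crypto pki enroll CORP-ISSUING-CA

! Select the group for certificate-authenticated users from a subject field
! (here: an OU value the CA puts into client certificates).
crypto pki certificate map IPHONE-CERT-MAP 10
 subject-name co ou = iphone-users

! ---- IKE Phase 1 (lifetime 3600 s = the ~1 hour re-key the guide asks for) ----
! Policy 10: certificate authentication, AES-256 with DH group 5 (Main Mode).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
 lifetime 3600
! Policy 20: pre-shared key, AES-128 with DH group 2 (the device initiates
! Aggressive Mode; the router answers as responder).
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
! Weak legacy combination, shown for contrast only. Do not enable it unless a
! client really needs it:
! crypto isakmp policy 30
!  encryption 3des
!  hash md5
!  authentication pre-share
!  group 2

! Dead Peer Detection (recommended) and NAT-T keepalives. NAT traversal itself
! is on by default in IOS; this only sets the keepalive interval (assumption).
crypto isakmp keepalive 20 3 periodic
crypto isakmp nat keepalive 20

! Group for pre-shared-key clients. The group name is the IKE identity the
! device sends in Aggressive Mode; the key must be long and random.
crypto isakmp client configuration group iphone-psk
 key ReplaceWithLongRandomGroupSecret
 pool IPHONE-POOL
 dns 10.0.0.53

! Certificate clients are bound to their group through the certificate map.
crypto isakmp profile IPHONE-CERT
 ca trust-point CORP-ISSUING-CA
 match certificate IPHONE-CERT-MAP
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUPS
 client configuration address respond

! ---- IKE Phase 2 / IPsec: tunnel mode; PFS group equals the Phase 1 group ----
crypto ipsec transform-set IPHONE-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set IPHONE-AES128 esp-aes esp-sha-hmac
 mode tunnel
! Entry 10: certificate clients (Phase 1 group 5 -> PFS group 5).
crypto dynamic-map IPHONE-DYN 10
 set transform-set IPHONE-AES256
 set pfs group5
 set isakmp-profile IPHONE-CERT
 reverse-route
! Entry 20: pre-shared-key clients (Phase 1 group 2 -> PFS group 2).
crypto dynamic-map IPHONE-DYN 20
 set transform-set IPHONE-AES128
 set pfs group2
 reverse-route
! Mode Configuration (address push) must be enabled for the device.
crypto map IPHONE-MAP client authentication list VPN-XAUTH
crypto map IPHONE-MAP isakmp authorization list VPN-GROUPS
crypto map IPHONE-MAP client configuration address respond
crypto map IPHONE-MAP 10 ipsec-isakmp dynamic IPHONE-DYN
ip local pool IPHONE-POOL 10.10.10.1 10.10.10.254
interface GigabitEthernet0/0
 crypto map IPHONE-MAP
```

The two dynamic-map entries exist so that the PFS group of each client type equals its Phase 1 group, as the PFS bullet requires; a single entry with `set pfs group5` would break Phase 2 for the pre-shared-key clients, whose Phase 1 must use Group 2. The commented-out policy 30 is the 3DES/HMAC-MD5 combination the guide lists as supported; keep it out of the running configuration unless a specific client population cannot negotiate AES and SHA1.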