Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Add/Edit Tunnel Group for Site-to-Site VPN

69-101

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter69 General VPN Setup

Mapping Certificates to IPsec or SSL VPN Connection Profiles

•Client VPN Software Update Table—Lists the client type, VPN Client revisions, and image URL

for each client VPN software package installed. For each client type, you can specify the acceptable

client software revisions and the URL or IP address from which to download software upgrades, if

necessary. The client update mechanism (described in detail under the Client Update dialog box)

uses this information to determine whether the software each VPN client is running is at an

appropriate revision level and, if appropriate, to provide a notification message and an update

mechanism to clients that are running outdated software.

–

Client Type—Identifies the VPN client type.

–

VPN Client Revisions—Specifies the acceptable revision level of the VPN client.

–

Image URL—Specifies the URL or IP address from which the correct VPN client software

image can be downloaded. For dialog boxes-based VPN clients, the URL must be of the form

http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must

be of the form tftp://.

Modes

The following table shows the modes in which this feature is available:

Add/Edit Tunnel Group for Site-to-Site VPN

The Add or Edit Tunnel Group dialog box lets you configure or edit tunnel group parameters for this

Site-to-Site connection profile.

Fields

•Certificate Settings—Sets the following certificate chain and IKE peer validation attributes:

–

Send certificate chain—Enables or disables sending the entire certificate chain. This action

includes the root certificate and any subordinate CA certificates in the transmission.

–

IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or

checked only if supported by a certificate.

•IKE Keep Alive—Enables and configures IKE (ISAKMP) keepalive monitoring.

–

Disable Keepalives—Enables or disables IKE keep alives.

–

Monitor Keepalives—Enables or disables IKE keep alive monitoring. Selecting this option

makes available the Confidence Interval and Retry Interval fields.

–

Confidence Interval—Specifies the IKE keepalive confidence interval. This is the number of

seconds the ASA should allow a peer to idle before beginning keepalive monitoring. The

minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is

300 seconds.

–

Retry Interval—Specifies number of seconds to wait between IKE keepalive retries. The default

is 2 seconds.

–

Head end will never initiate keepalive monitoring—Specifies that the central-site ASA never

initiates keepalive monitoring.

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Cisco Systems Add/Edit Tunnel Group for Site-to-Site VPN

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505