6-3
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter6 VPN Wizards
IPsec IKEv1 Remote Access Wizard
MS-CHAP, Version 1—Similar to CHAP but more secure in that the server stores and compares
only encrypted passwords rather than cleartext passwords as in CHAP.
MS-CHAP, Version 2—Contains security enhancements over MS-CHAP, Version 1.
EAP-Proxy—Enables EAP which permits the ASA to proxy the PPP authentication process to
an external RADIUS authentication server.
If a protocol is not specified on the remote client, do no specify it.
Specify if the client will send tunnel group name as username@tunnelgroup.
VPN Client Authentication Method and Tunnel Group Name
Use the VPN Client Authentication Method and Name pane to configure an authentication method and
create a connection policy (tunnel group).
Fields
Authentication Method—The remote site peer authenticates either with a preshared key or a
certificate.
Pre-shared Key—Click to use a preshared key for authentication between the local ASA and the
remote IPsec peer.
Using a preshared key is a quick and easy way to set up communication with a limited number
of remote peers and a stable network. It may cause scalability problems in a large network
because each IPsec peer requires configuration information for each peer with which it
establishes secure connections.
Each pair of IPsec peers must exchange preshared keys to establish secure tunnels. Use a secure
method to exchange the preshared key with the administrator of the remote site.
Pre-shared Key—Type an alphanumeric string between 1 and 128 characters.
Certificate—Click to use certificates for authentication between the local ASA and the remote
IPsec peer. To complete this section, you must have previously enrolled with a CA and
downloaded one or more certificates to the ASA.
You can efficiently manage the security keys used to establish an IPsec tunnel with digital
certificates. A digital certificate contains information that identifies a user or device, such as a
name, serial number, company, department or IP address. A digital certificate also contains a
copy of the public key.
To use digital certificates, each peer enrolls with a certification authority (CA), which is
responsible for issuing digital certificates. A CA can be a trusted vendor or a private CA that
you establish within an organization.
When two peers want to communicate, they exchange certificates and digitally sign data to
authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none
of the other peers require additional configuration.
Certificate Signing Algorithm—Displays the algorithm for signing digital certificates, rsa-sig
for RSA.
Challenge/response authentication (CRACK)—Provides strong mutual authentication when the
client authenticates using a popular method such as RADIUS and the server uses public key
authentication. The security appliance supports CRACK as an IKE option in order to
authenticate the Nokia VPN Client on Nokia 92xx Communicator Series devices.