User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Configuring an IPsec Proposal on a Remote Access VPN Server (IOS, PIX 6.3 Devices)
This procedure describes how to create or edit an IPsec proposal for your remote access VPN server
when the server uses Cisco IOS Software or PIX release 6.3.
An IPsec proposal is a collection of one or more crypto maps. A crypto map combines all the components
required to set up IPsec security associations (SAs), including IPsec rules, transform sets, remote peers,
and other parameters that might be necessary to define an IPsec SA.
When configuring an IPsec proposal, you must define the external interface through which the remote
access clients connect to the server, and the encryption and authentication algorithms that protect the
data in the VPN tunnel. You can also select a group authorization (Group Policy Lookup) method that
defines the order in which group policies are searched (on the local server or on external AAA servers)
and a user authentication (Xauth) method that defines the order in which user accounts are searched.
For more information on IPsec tunnel concepts, see Understanding IPsec Proposals, page 25-17.
When you create or edit an IPsec proposal, you can also configure:
• A VPN Services Module (VPNSM) interface or IPsec VPN Shared Port Adapter (VPN SPA) on a
  Catalyst 6500/7600 device (see VPNSM/VPN SPA/VSPA Settings Dialog Box, page 32-6).
• A dynamic virtual interface on an IOS router running Cisco IOS Software version 12.4(2)T or later,
  except on 7600 devices. For more information, see Configuring Dynamic VTI/VRF Aware IPsec in
  Remote Access VPNs (IOS Devices), page 32-7.
• VRF-Aware IPsec on a router or Catalyst 6500/7600 device (see Configuring Dynamic VTI/VRF
  Aware IPsec in Remote Access VPNs (IOS Devices), page 32-7).
Related Topics
• Understanding VRF-Aware IPsec, page 24-14
• VPNSM/VPN SPA/VSPA Settings Dialog Box, page 32-6
• Table Columns and Column Heading Features, page 1-46
Step 1 Do one of the following:
• (Device view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (IOS/PIX 6.x) from the
  Policy selector.
• (Policy view) Select Remote Access VPN > IPSec VPN > IPsec Proposal (IOS/PIX 6.x) from the
  Policy Type selector. Select an existing policy or create a new one.
The IPsec Proposal page opens and lists the configured proposals, including the VPN endpoint, IPsec
transform set, and whether reverse route injection is configured for the proposal. You can add other
columns to the default display to show the AAA, VRF, and dVTI configuration.
Step 2 Do any of the following:
• To add a new IPsec proposal, click the Add Row (+) button and fill in the IPsec Proposal Editor
  dialog box. For detailed information on the available options, see IPsec Proposal Editor (IOS, PIX
  6.3 Devices), page 32-4.
• To edit an existing proposal, select it and click the Edit Row (pencil) button.
• To delete a proposal, select it and click the Delete Row (trash can) button.
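The components an IPsec proposal ties together (transform set, Xauth method, Group Policy Lookup method, external interface) can be checked in a device's running configuration after deployment. The following is an added example, not part of the Cisco guide and not Security Manager output: it assumes the proposal appears as standard IOS Easy VPN server commands, and the sample configuration and all `RA-*` names are constructed.

```python
import re

# Constructed sample of an IOS remote access crypto map (names are hypothetical).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login RA-XAUTH group radius local
aaa authorization network RA-GROUPS local group radius
crypto ipsec transform-set RA-TS esp-aes 256 esp-sha-hmac
crypto dynamic-map RA-DYN 10
 set transform-set RA-TS
 reverse-route
crypto map RA-MAP client authentication list RA-XAUTH
crypto map RA-MAP isakmp authorization list RA-GROUPS
crypto map RA-MAP 65535 ipsec-isakmp dynamic RA-DYN
interface GigabitEthernet0/0
 crypto map RA-MAP
"""

def audit_proposal(config):
    """Return {crypto_map: [issues]} for every dynamic (remote access) crypto map."""
    def names(pattern):
        return re.findall(pattern, config, re.M)

    tsets = set(names(r"^crypto ipsec transform-set (\S+)"))
    login_lists = set(names(r"^aaa authentication login (\S+)"))
    authz_lists = set(names(r"^aaa authorization network (\S+)"))
    findings = {}
    for cmap, dyn in names(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"):
        m, d, issues = re.escape(cmap), re.escape(dyn), []
        # Indented sub-commands of every entry of the referenced dynamic map.
        body = "\n".join(names(rf"^crypto dynamic-map {d} \d+\n((?:[ ].*\n?)*)"))
        used = set(" ".join(re.findall(r"^ set transform-set (.+)$", body, re.M)).split())
        if not used or used - tsets:
            issues.append("transform set missing or undefined")
        xauth = names(rf"^crypto map {m} client authentication list (\S+)")
        if not xauth or xauth[0] not in login_lists:
            issues.append("Xauth method list missing or undefined")
        authz = names(rf"^crypto map {m} isakmp authorization list (\S+)")
        if not authz or authz[0] not in authz_lists:
            issues.append("group policy lookup list missing or undefined")
        # The crypto map must be bound to the external interface.
        if not names(rf"^interface \S+\n(?:[ ].*\n)*?[ ]crypto map {m}\s*$"):
            issues.append("crypto map not applied to an interface")
        findings[cmap] = issues
    return findings

if __name__ == "__main__":
    print(audit_proposal(SAMPLE_CONFIG))
```

An empty issue list means every component the proposal references is defined and the crypto map is bound to an interface; it says nothing about whether the chosen algorithms are strong enough for your policy.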