VPN
Configuring a Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliances Administration Guide, Chapter 8, page 345
STEP 4 In the Advanced Settings tab, enter the following information:
PFS Enable: Click On to enable Perfect Forward Secrecy (PFS), or click Off to
disable it. With PFS enabled, a fresh Diffie-Hellman exchange is performed for
every phase-2 negotiation, so the keys of each IPsec SA no longer depend only on
the phase-1 keying material: an attacker who later recovers the phase-1 keys
cannot derive the phase-2 keys of earlier or later IPsec SAs. PFS is recommended
on the keying channel of the VPN connection. Both peers must use the same PFS
setting (and the same Diffie-Hellman group), otherwise phase-2 negotiation fails.
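The following is an added illustration, not code from the ISA500 guide or from Cisco: a simplified model of the IKE key hierarchy that shows what PFS changes. Phase 1 produces a long-lived keying secret (SK_d in IKEv2 terms); each phase-2 rekey derives traffic keys from SK_d and fresh nonces and, when PFS is on, also from a new Diffie-Hellman shared secret. The key-derivation formulas are a deliberately reduced version of the real ones, and the attacker model (someone who records the phase-2 messages and later obtains SK_d) is an assumption made for the demonstration. The MODP group is Oakley group 2 from RFC 2409, chosen only so the exchange runs; pick a stronger group in a real configuration.

```python
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Private exponent and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(128, "big")


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1_keying():
    """Phase 1: one DH exchange yields the long-lived keying secret SK_d (simplified)."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    g_ab = dh_shared(a, pub_b)
    assert g_ab == dh_shared(b, pub_a)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    skeyseed = prf(ni + nr, g_ab)
    return prf(skeyseed, b"SK_d")


def phase2_keys(sk_d, ni, nr, pfs_secret=b""):
    """Phase 2: KEYMAT = prf(SK_d, [g^xy |] Ni | Nr). Without PFS only SK_d and the
    (public) nonces feed the derivation; with PFS a fresh DH secret g^xy is mixed in."""
    return prf(sk_d, pfs_secret + ni + nr)


def rekey(sk_d, pfs):
    """Run one phase-2 negotiation. Returns the traffic key and what an eavesdropper
    on the wire could record: the nonces and, with PFS, the DH public values only."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if not pfs:
        return phase2_keys(sk_d, ni, nr), (ni, nr, None, None)
    x, pub_x = dh_keypair()
    y, pub_y = dh_keypair()
    g_xy = dh_shared(x, pub_y)
    return phase2_keys(sk_d, ni, nr, g_xy), (ni, nr, pub_x, pub_y)


def attacker_recovers(sk_d, recorded):
    """Assumed attacker: recorded the phase-2 messages and later obtained SK_d."""
    ni, nr, pub_x, pub_y = recorded
    if pub_x is None:
        return phase2_keys(sk_d, ni, nr)   # PFS off: every input is now known
    return None   # PFS on: g^xy requires x or y, i.e. solving the discrete log


def traffic_key_exposed(pfs):
    """True if the attacker's reconstruction equals the real phase-2 key."""
    sk_d = phase1_keying()
    key, recorded = rekey(sk_d, pfs)
    return key == attacker_recovers(sk_d, recorded)


if __name__ == "__main__":
    print("PFS off, key exposed by SK_d compromise:", traffic_key_exposed(False))
    print("PFS on,  key exposed by SK_d compromise:", traffic_key_exposed(True))
```

The cost of PFS is one modular exponentiation pair per rekey, which is why the guide treats it as optional; the benefit is that every IPsec SA stands on its own keying material.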
DPD Enable: Click On to enable Dead Peer Detection (DPD), or click Off to
disable it. DPD is a method of detecting a dead Internet Key Exchange (IKE)
peer. Rather than exchanging keepalives at a fixed rate, it uses IPsec traffic
patterns as proof of life and sends liveness probes only when needed, which
minimizes the number of messages required to confirm that a peer is available.
DPD is used to reclaim the resources held by an IKE SA and its IPsec SAs when a
peer is found dead, and it is also used to perform IKE peer failover. If you
enable DPD, enter the following information:
-Delay Time: Enter the delay in seconds between consecutive DPD R-U-THERE
messages. R-U-THERE messages are sent only while IPsec traffic is idle;
traffic received from the peer counts as proof of life. The default value is
10 seconds.
-Detection Timeout: Enter the detection timeout in seconds. If the peer sends
neither a response nor any traffic within this period, it is declared dead.
The default value is 30 seconds.
-DPD Action: Choose the action to take when the detection timeout expires:
Hold: Tear down the tunnel and wait. Traffic from your local network to the
remote network re-initiates the VPN connection. We recommend Hold when the
remote peer uses a static IP address, since the appliance knows where to
reconnect.
Clean: Terminate the VPN connection. You must manually re-initiate the VPN
connection. We recommend Clean when the remote peer uses a dynamic IP
address, since re-initiating to a stale address would fail.
Restart: Re-initiate the VPN connection immediately, retrying up to three
times.
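To make the interaction of Delay Time, Detection Timeout and DPD Action concrete, here is an added simulation written for this page; it is not the appliance's implementation. It follows the R-U-THERE / R-U-THERE-ACK idea of RFC 3706 in simplified form (one-second ticks, probes only while idle, any inbound traffic or ack counts as proof of life) using the page's defaults of 10 s and 30 s. The event timeline and the exact re-initiation behaviour modelled for each action are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass
class DpdConfig:
    delay: int = 10            # seconds between R-U-THERE probes while idle (page default)
    timeout: int = 30          # seconds without proof of life before the peer is dead (page default)
    action: str = "hold"       # "hold", "clean" or "restart"
    restart_tries: int = 3     # page: Restart re-initiates up to three times


@dataclass
class DpdTunnel:
    cfg: DpdConfig
    state: str = "up"                     # up | hold | down | restarting
    last_alive: int = 0                   # last inbound IPsec packet or R-U-THERE-ACK
    last_probe: Optional[int] = None
    probes: List[int] = field(default_factory=list)   # times at which R-U-THERE was sent
    dead_at: Optional[int] = None
    restarts_left: int = 0

    def inbound(self, t: int) -> None:
        """Any traffic from the peer, including a DPD ack, proves it is alive."""
        self.last_alive = t

    def outbound(self, t: int) -> None:
        """Local traffic towards the remote network. With Hold this is the trigger
        that re-initiates a torn-down tunnel; with Clean nothing happens."""
        if self.state == "hold":
            self.state = "restarting"

    def tick(self, t: int) -> str:
        if self.state != "up":
            return self.state
        if t - self.last_alive >= self.cfg.timeout:
            self.dead_at = t
            self._on_dead()
        elif t - self.last_alive >= self.cfg.delay and (
                self.last_probe is None or t - self.last_probe >= self.cfg.delay):
            self.probes.append(t)         # R-U-THERE is sent only while idle
            self.last_probe = t
        return self.state

    def _on_dead(self) -> None:
        if self.cfg.action == "clean":
            self.state = "down"           # stays down until an administrator re-initiates
        elif self.cfg.action == "hold":
            self.state = "hold"           # waits for local traffic to re-initiate
        elif self.cfg.action == "restart":
            self.state = "restarting"     # appliance re-initiates on its own
            self.restarts_left = self.cfg.restart_tries
        else:
            raise ValueError("unknown DPD action: %s" % self.cfg.action)


def simulate(cfg: DpdConfig, events: Dict[int, Sequence[str]], end: int) -> DpdTunnel:
    """Drive the tunnel from t=0 to t=end. events maps a second to a list of
    "in" (traffic or ack from the peer) or "out" (local traffic) events."""
    tun = DpdTunnel(cfg)
    for t in range(end + 1):
        for kind in events.get(t, ()):
            if kind == "in":
                tun.inbound(t)
            else:
                tun.outbound(t)
        tun.tick(t)
    return tun


# Constructed timelines: a peer that goes silent after t=5, and a peer that
# answers each probe one second later.
SILENT_PEER = {5: ["in"], 40: ["out"]}
RESPONSIVE_PEER = {5: ["in"], 16: ["in"], 27: ["in"], 38: ["in"], 49: ["in"]}

if __name__ == "__main__":
    for action in ("hold", "clean", "restart"):
        tun = simulate(DpdConfig(action=action), SILENT_PEER, 45)
        print(action, "probes at", tun.probes, "dead at", tun.dead_at, "final state", tun.state)
    tun = simulate(DpdConfig(), RESPONSIVE_PEER, 50)
    print("responsive peer: probes at", tun.probes, "dead at", tun.dead_at)
```

With the defaults, a peer that falls silent at t=5 is probed at t=15 and t=25 and declared dead at t=35; local traffic at t=40 brings a Hold tunnel back into negotiation but leaves a Clean tunnel down. Tuning the two timers trades detection speed against tolerance for transient packet loss on the path.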
Windows Networking (NetBIOS) Broadcast: Click On to allow access to remote
network resources by NetBIOS name, for example, browsing Windows Network
Neighborhood. NetBIOS broadcasting resolves a NetBIOS name to a network
address. This option allows NetBIOS broadcasts to travel over the VPN tunnel.
Leave it Off unless NetBIOS name resolution across the tunnel is actually
required; otherwise the tunnel carries broadcast traffic it does not need.
Access Control: When the local network is set to Any, you can control
incoming traffic from the remote VPN network to the zones of the security
appliance. Click Permit to permit access, or click Deny to deny access. By
default, incoming traffic from the remote network to all zones is permitted,
so choose Deny when the remote site should not have unrestricted reach into
your zones.