VPN
Configuring IPsec Remote Access
Cisco ISA500 Series Integrated Security Appliances Administration Guide 358
8
WAN Interface: Choose the WAN port that traffic passes through over the
VPN tunnel.
IKE Authentication Method: Choose the authentication method.
- Pre-shared Key: Uses a simple, password-based key to authenticate. If
you choose this option, enter in the Password field the value that remote
VPN clients must provide to establish the VPN connections. The
pre-shared key must be entered exactly the same here and on the remote
clients.
- Certificate: Uses the digital certificate from a third-party Certificate
Authority (CA) to authenticate. If you choose this option, select a CA
certificate as the local certificate from the Local Certificate drop-down
list and select a CA certificate as the remote certificate from the Peer
Certificate drop-down list for authentication. The selected remote
certificate on the IPsec VPN server must be set as the local certificate on
remote VPN clients.
NOTE: You must have valid CA certificates imported on your security
appliance before choosing this option. Go to the Device Management >
Certificate Management page to import the CA certificates. See
Managing Certificates for Authentication, page 418.
Mode: The Cisco VPN hardware client supports NEM (Network Extension
Mode) and Client mode. The IPsec Remote Access group policy must be
configured with the corresponding mode to allow only the Cisco VPN
hardware clients in the same operation mode to be connected. For example,
if you choose the Client mode for the group policy, only the Cisco VPN
hardware clients in Client mode can be connected by using this group policy.
For more information about the operation mode, see Modes of Operation,
page 365.
- Choose Client for the group policy that is used for both the PC running
the Cisco VPN Client software and the Cisco device acting as a Cisco
VPN hardware client in Client mode. In Client mode, the IPsec VPN server
can assign the IP addresses to the outside interfaces of remote VPN
clients. To define the pool range for remote VPN clients, enter the starting
and ending IP addresses in the Start IP and End IP fields.
- Choose NEM for the group policy that is only used for the Cisco device
acting as a Cisco VPN hardware client in NEM mode.
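The pairing rules above (identical pre-shared key, server peer certificate equal to the client's local certificate, matching operation mode, valid Start IP/End IP pool) can be checked on paper before anything is entered in the GUI. The following is an added example, not Cisco code or an ISA500 interface; the dictionary field names and all sample values are constructed for illustration.

```python
import hmac
import ipaddress

def check_pairing(server, client):
    """List the reasons `client` would fail to connect with group policy `server`.
    Both arguments are plain dicts with hypothetical field names."""
    problems = []
    # Authentication: the method must agree, then the key or certificate must pair up.
    if server["auth"] != client["auth"]:
        problems.append("auth method differs")
    elif server["auth"] == "psk":
        s, c = server["psk"], client["psk"]
        if not hmac.compare_digest(s.encode(), c.encode()):
            near = s.strip().lower() == c.strip().lower()
            problems.append("pre-shared key differs" + (" (whitespace/case only)" if near else ""))
    elif server["peer_cert"] != client["local_cert"]:
        problems.append("server peer certificate is not the client's local certificate")
    # Mode: software clients fit only a Client-mode policy; hardware clients must match it.
    if client["kind"] == "software" and server["mode"] != "client":
        problems.append("NEM policy accepts hardware clients only")
    elif client["kind"] == "hardware" and client.get("mode") != server["mode"]:
        problems.append("hardware client mode differs from policy mode")
    # Pool: applies in Client mode only; Start IP must not exceed End IP.
    if server["mode"] == "client":
        start = ipaddress.ip_address(server["start_ip"])
        end = ipaddress.ip_address(server["end_ip"])
        if start.version != end.version or start > end:
            problems.append("invalid Start IP / End IP range")
    return problems

# Constructed sample settings (not taken from any real deployment).
POLICY = {"auth": "psk", "psk": "Constructed-Example-Key", "mode": "client",
          "start_ip": "192.168.200.10", "end_ip": "192.168.200.50"}
PC_OK = {"kind": "software", "auth": "psk", "psk": "Constructed-Example-Key"}
PC_TYPO = {"kind": "software", "auth": "psk", "psk": "Constructed-Example-Key "}
HW_NEM = {"kind": "hardware", "mode": "nem", "auth": "psk",
          "psk": "Constructed-Example-Key"}

if __name__ == "__main__":
    for name, c in (("PC_OK", PC_OK), ("PC_TYPO", PC_TYPO), ("HW_NEM", HW_NEM)):
        print(name, check_pairing(POLICY, c) or "ok")
```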