35-56
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Mapping Certificates to IPSec or SSL VPN Connection Profiles
Adding or Editing a Site-to-Site Tunnel Group
The Add or Edit IPSec Site-to-Site Tunnel Group dialog box lets you specify attributes for the IPSec
site-to-site connection that you are adding. In addition, you can select IKE peer and user authentication
parameters, configure IKE keepalive monitoring, and select the default group policy.
Fields
Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is
display-only.
IKE Authentication—Specifies the pre-shared key and identity certificate parameters to use when
authenticating an IKE peer.
Pre-shared Key—Specifies the value of the pre-shared key for the tunnel group. The maximum
length of the pre-shared key is 128 characters.
Identity Certificate—Specifies the name of the ID certificate to use for authentication, if
available.
Manage—Opens the Manage Identity Certificates window, on which you can see the certificates
that are already configured, add new certificates, show details for a certificate, and edit or delete
a certificate.
IKE Peer ID Validation—Specifies whether the security appliance validates the IKE peer ID. The default is
Required.
IKE Keepalive—Enables and configures IKE keepalive monitoring. You can select only one of
the following attributes.
Disable Keep Alives—Enables or disables IKE keep alives.
Monitor Keep Alives—Enables or disables IKE keep alive monitoring. Selecting this option
makes available the Confidence Interval and Retry Interval fields.
Confidence Interval—Specifies the IKE keep alive confidence interval. This is the number of
seconds the security appliance should allow a peer to idle before beginning keepalive
monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote
access group is 10 seconds.
Retry Interval—Specifies the number of seconds to wait between IKE keep alive retries. The default
is 2 seconds.
Head end will never initiate keepalive monitoring—Specifies that the central-site security
appliance never initiates keepalive monitoring.
Default Group Policy—Select the group policy and client protocols that you want to use as the
default for this connection. A VPN group policy is a collection of user-oriented attribute-value pairs
that can be stored internally on the device or externally on a RADIUS server. IPSec connections and
user accounts refer to the group-policy information.
Group Policy—Lists the currently configured group policies. The default value is
DfltGrpPolicy.
Manage—Opens the Configure Group Policies window, on which you can view the configured
group policies and add, edit, or delete group policies from the list.
IPSec Protocol—Enables or disables the IPSec protocol for use by this group policy.
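The fields above map onto per-tunnel-group settings that also appear in the appliance's text configuration. The following Python script is an added example, not part of the Cisco ASDM User Guide: it parses a constructed ASA-style configuration fragment for site-to-site tunnel groups and audits each one against the limits stated in this section (pre-shared key at most 128 characters, confidence interval between 10 and 300 seconds, retry interval default 2 seconds, peer ID validation default Required). The CLI keywords in the sample (`tunnel-group ... type ipsec-l2l`, `ipsec-attributes`, `pre-shared-key`, `peer-id-validate`, `isakmp keepalive threshold ... retry ...`, `isakmp keepalive disable`, `isakmp keepalive threshold infinite`, `default-group-policy`) are assumed to correspond to the dialog-box fields and are illustrative, not an authoritative command reference; the 16-character minimum key length is a local policy assumption, not a value from the guide.

```python
"""Audit IPsec site-to-site tunnel groups in an ASA-style config fragment.

Added example (not from the ASDM User Guide). CLI keywords are assumed to
match the ASDM dialog-box fields; the sample configuration is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Limits taken from the field descriptions in this section.
PSK_MAX_LEN = 128          # maximum pre-shared key length
CONF_MIN, CONF_MAX = 10, 300   # confidence interval range, seconds
RETRY_DEFAULT = 2          # default retry interval, seconds

# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 general-attributes
 default-group-policy GroupPolicy_Branch
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key cisco
 peer-id-validate nocheck
 isakmp keepalive disable
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key Wq7!tR2pL9zV4kM1
 peer-id-validate req
 isakmp keepalive threshold 20 retry 2
"""


@dataclass
class TunnelGroup:
    name: str
    psk: str | None = None
    peer_id_validate: str = "req"      # page default: Required
    keepalive: str = "monitor"         # monitor | disable | headend-never
    threshold: int | None = None       # confidence interval, seconds
    retry: int = RETRY_DEFAULT
    group_policy: str = "DfltGrpPolicy"  # page default group policy


def parse_tunnel_groups(config: str) -> dict[str, TunnelGroup]:
    """Collect ipsec-l2l tunnel groups and their attribute sub-blocks."""
    groups: dict[str, TunnelGroup] = {}
    current: TunnelGroup | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = re.match(r"^tunnel-group (\S+) type (\S+)$", line)
        if m:
            if m.group(2) == "ipsec-l2l":
                groups[m.group(1)] = TunnelGroup(name=m.group(1))
            current = groups.get(m.group(1))
            continue
        m = re.match(r"^tunnel-group (\S+) (general|ipsec)-attributes$", line)
        if m:
            current = groups.get(m.group(1))
            continue
        if not line.startswith(" "):
            current = None          # any other top-level line ends the block
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "pre-shared-key":
            current.psk = parts[1]
        elif parts[0] == "peer-id-validate":
            current.peer_id_validate = parts[1]
        elif parts[:2] == ["isakmp", "keepalive"]:
            if parts[2] == "disable":
                current.keepalive = "disable"
            elif parts[2] == "threshold" and parts[3] == "infinite":
                current.keepalive = "headend-never"   # head end never initiates
            elif parts[2] == "threshold":
                current.keepalive = "monitor"
                current.threshold = int(parts[3])
                if len(parts) >= 6 and parts[4] == "retry":
                    current.retry = int(parts[5])
        elif parts[0] == "default-group-policy":
            current.group_policy = parts[1]
    return groups


def audit(config: str, psk_min_len: int = 16) -> dict[str, list[str]]:
    """Return findings per tunnel group; an empty list means no issues."""
    findings: dict[str, list[str]] = {}
    for name, tg in parse_tunnel_groups(config).items():
        issues: list[str] = []
        if tg.psk is not None and len(tg.psk) > PSK_MAX_LEN:
            issues.append(f"pre-shared key exceeds {PSK_MAX_LEN} characters")
        if tg.psk is not None and len(tg.psk) < psk_min_len:
            issues.append(f"pre-shared key shorter than {psk_min_len} characters (local policy assumption)")
        if tg.peer_id_validate != "req":
            issues.append(f"peer ID validation is '{tg.peer_id_validate}', not the default Required")
        if tg.keepalive == "disable":
            issues.append("IKE keepalives disabled: dead peers will not be detected")
        if tg.threshold is not None and not CONF_MIN <= tg.threshold <= CONF_MAX:
            issues.append(f"confidence interval {tg.threshold}s outside {CONF_MIN}-{CONF_MAX}s")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for peer, issues in audit(SAMPLE_CONFIG).items():
        print(peer, "OK" if not issues else "; ".join(issues))
```

Run against a saved `show running-config` export instead of `SAMPLE_CONFIG` to list site-to-site peers whose keepalive, peer-ID validation or key-length settings depart from the defaults this section describes.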
Modes
The following table shows the modes in which this feature is available: