Chapter 4 Remote Access VPN Services

Figure 4-4 The AAA Servers Page After Adding A New Server

Creating Encryption Policies

The encryption policy defines the security parameters for protecting data traveling through the VPN tunnels. It consists of one or more IKE proposals, one or more IPsec proposals, and global attributes. For example, the IKE proposal portion of the encryption policy could consist of selecting the 3DES, SHA, certificates, and Diffie-Hellman Group 2 options, and the IPsec proposal portion of the encryption policy could consist of selecting the ESP-AES, ESP-SHA, no authentication header (AH), no compression, and no PFS options.
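The following Python example is added here and is not from the Cisco guide or from ISC: it models an encryption policy with the parts the paragraph above names and audits the sample selections from that paragraph. The class and field names, and the set of values treated as legacy (DES, 3DES, MD5, Diffie-Hellman groups 1, 2 and 5), are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional
# Assumption for this example: values treated as legacy in current guidance.
LEGACY_CIPHERS = {"DES", "3DES", "ESP-DES", "ESP-3DES"}
LEGACY_HASHES = {"MD5", "ESP-MD5"}
LEGACY_DH_GROUPS = {1, 2, 5}
@dataclass
class IkeProposal:
    encryption: str
    hash: str
    auth: str
    dh_group: int

@dataclass
class IpsecProposal:
    esp_encryption: str
    esp_hash: str
    ah: Optional[str] = None         # None = no authentication header
    compression: bool = False
    pfs_group: Optional[int] = None  # None = PFS disabled

@dataclass
class EncryptionPolicy:
    ike: list
    ipsec: list
    global_attrs: dict = field(default_factory=dict)

def _check(where, cipher, digest, group):
    hits = [("cipher", cipher, cipher.upper() in LEGACY_CIPHERS),
            ("hash", digest, digest.upper() in LEGACY_HASHES),
            ("Diffie-Hellman group", group, group in LEGACY_DH_GROUPS)]
    return [f"{where}: legacy {kind} {value}" for kind, value, bad in hits if bad]

def audit(policy):
    """Return findings for a policy; an empty list means nothing was flagged."""
    findings = [f"missing {name} proposal" for name, items in
                (("IKE", policy.ike), ("IPsec", policy.ipsec)) if not items]
    for i, p in enumerate(policy.ike, 1):
        findings += _check(f"IKE proposal {i}", p.encryption, p.hash, p.dh_group)
    for i, p in enumerate(policy.ipsec, 1):
        findings += _check(f"IPsec proposal {i}", p.esp_encryption, p.esp_hash, p.pfs_group)
        if p.pfs_group is None:
            findings.append(f"IPsec proposal {i}: PFS disabled")
    return findings

# Constructed sample: the selections named in the paragraph above.
PAGE_EXAMPLE = EncryptionPolicy(
    ike=[IkeProposal("3DES", "SHA", "certificates", 2)],
    ipsec=[IpsecProposal("ESP-AES", "ESP-SHA")])
```

Calling `audit(PAGE_EXAMPLE)` flags the 3DES cipher, Diffie-Hellman Group 2 and the disabled PFS in the sample selections.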

You must have an encryption policy for your remote access policy. However, an encryption policy already defined for a site-to-site VPN policy can also be used for a remote access policy. If you have already created an encryption policy in ISC that you would like to use, proceed to the “Creating Remote Access VPN Policies” section on page 4-5. Otherwise, follow the instructions in the “Creating an Encryption Policy” section on page 3-5 and create an encryption policy before continuing.

Creating Remote Access VPN Policies

The remote access VPN policy defines the characteristics of the IPsec tunnel between the customer site and the remote user. Its attributes include the VPN group name and password, IP address pools, and split tunneling subnets. Additionally, the policy defines what VPN features are enabled and which are not. For example, the policy enables (or disables) reverse route injection and NAT transparency.

Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2

 

OL-5532-02
