Chapter 4 Remote Access VPN Services
Creating Remote Access VPN Policies
Table
| Field Name | Type | Instructions |
| |||
|
|
|
|
| |||
| Name | text box | Enter a name for the policy. However, the name cannot contain spaces because it is | ||||
|
|
|
|
| used as the VPN group name. | ||
|
|
|
|
| |||
| Owner | radio button | Click Customer > Select and choose the customer for which the remote access VPN | ||||
|
|
|
| and Select | is intended. When you click Customer > Select, the Customer for IPsec Policy dialog | ||
|
|
|
| button | box appears. Click the button next to the customer you want to select and click Select | ||
|
|
|
|
| (to choose that customer), or click Cancel to exit the dialog box without saving | ||
|
|
|
|
| changes. Both return you to the main page. | ||
|
|
|
|
| Do not select Global. It is important to associate remote access policies with a | ||
|
|
|
|
| specific customer because many remote access VPN parameters are | ||
|
|
|
|
| |||
|
|
|
|
| |||
| Encryption Policy | Select button | Choose the name of an encryption policy you created in previous steps by clicking | ||||
|
|
|
|
| Select. The encryption policy specifies the IKE and IPsec proposal parameters for the | ||
|
|
|
|
| IPsec VPN and determines the level of encryption used in the IPsec VPN tunnels. | ||
|
|
|
|
| |||
| Group Type | Select the policy type. An internal group is configured on the VPN device while an | |||||
|
|
|
| list | external group is configured on an external AAA server. | ||
|
|
|
|
| • Internal – Group attributes are on the target device. If the user profiles and group | ||
|
|
|
|
| attributes are maintained on the CPE device itself, select Internal. | ||
|
|
|
|
| • External – Group attributes are obtained from a AAA Server. If the user profiles | ||
|
|
|
|
| and group attributes are maintained on a AAA Server, select External. | ||
|
|
|
|
| |||
| Group Password | text box | Required when you select Internal for the Group Type field. Enter the password | ||||
|
|
|
|
| (IKE preshared key) for the group. The policy name and password are very important | ||
|
|
|
|
| because they are the group name and password that remote users must use when | ||
|
|
|
|
| connecting through the Cisco VPN Client. | ||
|
|
|
|
| |||
| Confirm Password | text box | |||||
|
|
|
|
| |||
| XAuth | checkbox | Check to enable IKE Extended Authentication (XAuth). | ||||
|
|
|
|
| |||
| XAuth Timeout | text box | Enter the idle timeout value for XAuth. The range is from 5 to 90 seconds. The default | ||||
|
|
|
|
| value is 5 seconds. | ||
|
|
|
|
| |||
| Use Mode | checkbox | Mode Configuration is also known as the ISAKMP Configuration Method or | ||||
| Configuration |
| Configuration Transaction. Specifically, when enabled, this option exchanges | ||||
|
|
|
|
| configuration parameters with the client while negotiating Security Associations | ||
|
|
|
|
| (SAs). | ||
|
|
|
|
| Check the Mode Configuration checkbox to use Mode Configuration with the IPsec | ||
|
|
|
|
| clients in this group. You must enable Mode Configuration for IPsec clients because | ||
|
|
|
|
| IPsec uses Mode Configuration to pass all configuration parameters to the client. | ||
|
|
|
|
| Otherwise, these parameters are not passed to the client. Also, you must check this | ||
|
|
|
|
| box to use split tunneling. | ||
|
|
|
|
| Uncheck the box if you are using L2TP over IPsec as your tunneling protocol. | ||
|
|
|
|
| Note The Cisco VPN Client supports Mode Configuration, but other IPsec clients | ||
|
|
|
|
| may not. For example, the Microsoft Windows 2000 IPsec client does not | ||
|
|
|
|
| support Mode Configuration. (The Windows 2000 client uses the PPP layer | ||
|
|
|
|
| above L2TP to receive its IP address from the VPN Concentrator.) If you are | ||
|
|
|
|
| using other client software packages, check for compatibility in the | ||
|
|
|
|
| documentation for your client software before using this option. | ||
|
|
|
|
|
|
| |
|
|
| Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2 | ||||
|
|
| |||||
|
|
|
|
|
|
|
|
|
|
|
|
| |||
|
|
|
|
| |||
