Cisco Systems OL-5532-02

4-8

Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2

OL-5532-02

Chapter4 Remote Access VPN Services

Creating Remote Access VPN Policies

Table4-2 Remote Access VPN Policy – General Editor Fields

Field Name Type Instructions

Name text box Enter a name for the policy. However, the name cannot contain spaces because it is

used as the VPN group name.

Owner radio button

and Select

button

Click Customer > Select and choose the customer for which the remote access VPN

is intended. When you click Customer > Select, the Customer for IPsec Policy dialog

box appears. Click the button next to the customer you want to select and click Select

(to choose that customer), or click Cancel to exit the dialog box without saving

changes. Both return you to the main page.

Do not select Global. It is important to associate remote access policies with a

specific customer because many remote access VPN parameters are

customer-specific.

Encryption Policy Select button Choose the name of an encryption policy you created in previous steps by clicking

Select. The encryption policy specifies the IKE and IPsec proposal parameters for the

IPsec VPN and determines the level of encryption used in the IPsec VPN tunnels.

Group Type drop-down

list

Select the policy type. An internal group is configured on the VPN device while an

external group is configured on an external AAA server.

•Internal – Group attributes are on the target device. If the user profiles and group

attributes are maintained on the CPE device itself, select Internal.

•External – Group attributes are obtained from a AAA Server. If the user profiles

and group attributes are maintained on a AAA Server, select External.

Group Password text box Required when you select Internal for the Group Type field. Enter the password

(IKE preshared key) for the group. The policy name and password are very important

because they are the group name and password that remote users must use when

connecting through the Cisco VPN Client.

Confirm Password text box Re-enter the group password to verify it.

XAuth checkbox Check to enable IKE Extended Authentication (XAuth).

XAuth Timeout text box Enter the idle timeout value for XAuth. The range is from 5 to 90 seconds. The default

value is 5 seconds.

Use Mode

Configuration

checkbox Mode Configuration is also known as the ISAKMP Configuration Method or

Configuration Transaction. Specifically, when enabled, this option exchanges

configuration parameters with the client while negotiating Security Associations

(SAs).

Check the Mode Configuration checkbox to use Mode Configuration with the IPsec

clients in this group. You must enable Mode Configuration for IPsec clients because

IPsec uses Mode Configuration to pass all configuration parameters to the client.

Otherwise, these parameters are not passed to the client. Also, you must check this

box to use split tunneling.

Uncheck the box if you are using L2TP over IPsec as your tunneling protocol.

Note The Cisco VPN Client supports Mode Configuration, but other IPsec clients

may not. For example, the Microsoft Windows 2000 IPsec client does not

support Mode Configuration. (The Windows 2000 client uses the PPP layer

above L2TP to receive its IP address from the VPN Concentrator.) If you are

using other client software packages, check for compatibility in the

documentation for your client software before using this option.