7 Tunneling Protocols
7-14 VPN 3000 Concentrator Series User Guide
IKE Proposal
This parameter specifies the set of attributes for Phase 1 IPSec negotiations, which are known as IKE
proposals. See the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen. You must
configure, activate, and prioritize IKE proposals before configuring LAN-to-LAN connections.
Click the drop-down menu button and select the IKE proposal. The list shows only active IKE proposals
in priority order. Cisco-supplied default active proposals are:
IKE-3DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168
encryption. Use D-H Group 2 to generate SA keys. This selection is the most secure, and it is the
default selection.
IKE-3DES-MD5-DH1 = Use preshared keys and MD5/HMAC-128 for authentication. Use 3DES-168
encryption. Use D-H Group 1 to generate SA keys.
IKE-DES-MD5 = Use preshared keys and MD5/HMAC-128 for authentication. Use DES-56
encryption. Use D-H Group 1 to generate SA keys.
Network Autodiscovery
Check this box to use the VPN Concentrator network autodiscovery feature that dynamically discovers
and continuously updates the private network addresses on each side of the LAN-to-LAN connection.
This feature uses RIP, and Inbound RIP RIPv2/v1 must be enabled on the Ethernet 1 (Private) interface of
both VPN Concentrators. See Configuration | Interfaces. If you check this box, skip the Local and Remote
Network parameters below; they are ignored.
Network autodiscovery is not allowed on a WAN interface.
Local Network
These entries identify the private network on this VPN Concentrator whose hosts can use the
LAN-to-LAN connection. These entries must match those in the Remote Network section on the peer VPN
Concentrator.
Network List
Click the drop-down menu button and select the configured network list that specifies the local network
addresses. A network list is a list of network addresses that are treated as a single object. See the
Configuration | Policy Management | Traffic Management | Network Lists screens. Otherwise, you can select:
Use IP Address/Wildcard-mask below, which lets you enter a network address.
Create new Network List (on Add screen only), which lets you create a network list of local network
addresses. The Manager automatically opens the Configuration | System | Tunneling Protocols | IPSec
LAN-to-LAN | Add | Local Network List screen when you click Add; see description below.
If you select a configured network list, the Manager ignores entries in the IP Address and Wildcard Mask
fields.
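
The Local Network section above requires its entries to match the Remote Network entries on the peer. The following is an added example, not part of the original guide or of any Cisco tool: it compares two lists of address/wildcard-mask entries and reports the networks that appear on only one side. The function names and the sample entries are assumptions made for this illustration.

```python
import ipaddress


def parse_entry(entry):
    """Convert 'address/wildcard-mask' text into an IPv4Network.

    A wildcard mask is the inverse of a subnet mask: 1 bits are ignored,
    0 bits must match, so 10.10.1.0/0.0.0.255 covers 10.10.1.0-10.10.1.255.
    """
    addr_text, _, wild_text = entry.strip().partition("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    wild = int(ipaddress.IPv4Address(wild_text))
    # A contiguous wildcard mask is 2**n - 1, so wild & (wild + 1) == 0.
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard mask: {entry}")
    # This example treats address bits under the wildcard as a typo.
    if addr & wild:
        raise ValueError(f"address has bits set under the wildcard: {entry}")
    return ipaddress.IPv4Network((addr, 32 - wild.bit_length()))


def mismatches(local_on_a, remote_on_b):
    """Return (networks only in A's Local list, only in B's Remote list)."""
    a = {parse_entry(e) for e in local_on_a}
    b = {parse_entry(e) for e in remote_on_b}
    return sorted(a - b), sorted(b - a)


# Constructed sample entries, not taken from any real configuration.
SITE_A_LOCAL = ["10.10.1.0/0.0.0.255", "10.10.2.0/0.0.0.255"]
SITE_B_REMOTE = ["10.10.1.0/0.0.0.255", "10.10.0.0/0.0.255.255"]

if __name__ == "__main__":
    only_a, only_b = mismatches(SITE_A_LOCAL, SITE_B_REMOTE)
    for net in only_a:
        print(f"in A Local, missing from B Remote: {net}")
    for net in only_b:
        print(f"in B Remote, missing from A Local: {net}")
```

Run the same comparison in the other direction (B's Local entries against A's Remote entries) to cover both ends of the connection.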