12 User Management
12-8 VPN 3000 Concentrator Series User Guide
To use IPSec with remote-access clients, you must assign an SA. With IPSec LAN-to-LAN connections,
the system ignores this selection and uses parameters from the Configuration | System | Tunneling Protocols
| IPSec LAN-to-LAN screens.
The VPN Concentrator supplies these default selections:
--None-- = No SA assigned. Select this option if you need to configure groups with several different
SAs.
ESP-DES-MD5 = This SA uses DES 56-bit data encryption for both the IKE tunnel and IPSec traffic,
ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128 authentication for the
IKE tunnel.
ESP-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption and ESP/MD5/HMAC-128
authentication for IPSec traffic, and DES-56 encryption and MD5/HMAC-128 authentication for
the IKE tunnel. This is the default selection.
ESP/IKE-3DES-MD5 = This SA uses Triple-DES 168-bit data encryption for both the IKE tunnel and
IPSec traffic, ESP/MD5/HMAC-128 authentication for IPSec traffic, and MD5/HMAC-128
authentication for the IKE tunnel.
ESP-3DES-NONE = This SA uses Triple-DES 168-bit data encryption and no authentication for IPSec
traffic, and DES-56 encryption and MD5/HMAC-128 authentication for the IKE tunnel.
ESP-L2TP-TRANSPORT = This SA uses DES 56-bit data encryption and ESP/MD5/HMAC-128
authentication for IPSec traffic (with ESP applied only to the transport layer segment), and it uses
Triple-DES 168-bit data encryption and MD5/HMAC-128 for the IKE tunnel. Use this SA with the
L2TP over IPSec tunneling protocol.
Additional SAs that you have configured also appear on the list.
Tunnel Type
Click the drop-down menu button and select the type of IPSec tunnel that clients use:
LAN-to-LAN = IPSec LAN-to-LAN connections between two VPN Concentrators (or between a VPN
Concentrator and another protocol-compliant security gateway). See Configuration | System | Tunneling
Protocols | IPSec LAN-to-LAN. If you select this type, ignore the rest of the parameters on this tab.
Remote Access = Remote IPSec client connections to the VPN Concentrator (the default). If you
select this type, configure Remote Access Parameters below.
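The following audit sketch is an added example, not part of the original guide or of Cisco's software. It encodes the five default SAs exactly as the list above describes them and flags groups whose SA uses DES-56 or leaves IPSec traffic unauthenticated. The group names, the tuple layout, and the function names are assumptions made for illustration.

```python
# Default SAs as described above: (IKE encryption, IPSec encryption, IPSec authentication).
DEFAULT_SAS = {
    "ESP-DES-MD5":        ("DES-56",   "DES-56",   "MD5/HMAC-128"),
    "ESP-3DES-MD5":       ("DES-56",   "3DES-168", "MD5/HMAC-128"),
    "ESP/IKE-3DES-MD5":   ("3DES-168", "3DES-168", "MD5/HMAC-128"),
    "ESP-3DES-NONE":      ("DES-56",   "3DES-168", None),
    "ESP-L2TP-TRANSPORT": ("3DES-168", "DES-56",   "MD5/HMAC-128"),
}


def audit_group(name, sa, tunnel_type):
    """Return a list of findings for one group's IPSec SA selection."""
    if tunnel_type == "LAN-to-LAN":
        # The SA selection is ignored here; the LAN-to-LAN screens decide.
        return []
    if sa == "--None--":
        return [f"{name}: no SA assigned, remote-access IPSec requires one"]
    if sa not in DEFAULT_SAS:
        # Additional administrator-defined SAs are not described in this table.
        return [f"{name}: {sa} is not a default SA, review it by hand"]
    ike_enc, esp_enc, esp_auth = DEFAULT_SAS[sa]
    findings = []
    if ike_enc == "DES-56":
        findings.append(f"{name}: {sa} encrypts the IKE tunnel with DES-56")
    if esp_enc == "DES-56":
        findings.append(f"{name}: {sa} encrypts IPSec traffic with DES-56")
    if esp_auth is None:
        findings.append(f"{name}: {sa} does not authenticate IPSec traffic")
    return findings


def audit(groups):
    """Audit an inventory of (group name, SA, tunnel type) tuples."""
    return [finding for group in groups for finding in audit_group(*group)]


# Constructed sample inventory (hypothetical group names).
SAMPLE_GROUPS = [
    ("base", "ESP-3DES-MD5", "Remote Access"),
    ("contractors", "ESP-3DES-NONE", "Remote Access"),
    ("branch", "ESP-DES-MD5", "LAN-to-LAN"),
    ("staff", "ESP/IKE-3DES-MD5", "Remote Access"),
    ("legacy", "--None--", "Remote Access"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS):
        print(line)
```

Of the five defaults, only ESP/IKE-3DES-MD5 passes both checks; the default selection, ESP-3DES-MD5, is flagged because its IKE tunnel uses DES-56.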
Remote Access Parameters
These base-group parameters apply to remote-access IPSec client connections only. If you select Remote
Access for Tunnel Type, configure these parameters.
Group Lock
Check the box to restrict users to remote access through this group only. The IPSec client connects to
the VPN Concentrator via a group name and password, and then the system authenticates a user via a
username and password. If this box is not checked (the default), the system authenticates a user without
regard to the user's assigned group.