Configuring Ipsec Remote-Access Connection Profile Ppp Attributes - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Configuring Connection Profiles
The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the
default value for the retry parameter is 2.
To specify that the central site ("head end") should never initiate ISAKMP monitoring, enter the
following command:
hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)#
Step 8
Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.
You use isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication
when you need to use digital certificates for security appliance authentication and a different, legacy
method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. Hybrid XAUTH
breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:
a.
b.
Note
You can use the isakmp ikev1-user-authentication command with the optional interface parameter to
specify a particular interface. When you omit the interface parameter, the command applies to all the
interfaces and serves as a back-up when the per-interface command is not specified. When there are two
isakmp ikev1-user-authentication commands specified for a connection profile, and one uses the
interface parameter and one does not, the one specifying the interface takes precedence for that
particular interface.
For example, the following commands enable hybrid XAUTH on the inside interface for a connection
profile called example-group:
hostname(config)# tunnel-group example-group type remote-access
hostname(config)# tunnel-group example-group ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication (inside) hybrid
hostname(config-tunnel-ipsec)#
Configuring IPSec Remote-Access Connection Profile PPP Attributes
To configure the Point-to-Point Protocol attributes for a remote-access connection profile, do the
following steps. PPP attributes apply only to IPSec remote-access connection profiles. The following
description assumes that you have already created the IPSec remote-access connection profile.
Enter tunnel-group ppp-attributes configuration mode, in which you configure the remote-access
Step 1
tunnel-group PPP attributes, by entering the following command. The prompt changes to indicate the
mode change:
hostname(config)# tunnel-group tunnel-group-name type remote-access
hostname(config)# tunnel-group tunnel-group-name ppp-attributes
hostname(config-tunnel-ppp)#
Cisco Security Appliance Command Line Configuration Guide
30-14
The security appliance authenticates to the remote VPN user with standard public key techniques.
This establishes an IKE security association that is unidirectionally authenticated.
An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use
one of the supported legacy authentication methods.
Before the authentication type can be set to hybrid, you must configure the authentication server,
create a preshared key, and configure a trustpoint.
Chapter 30
Configuring Connection Profiles, Group Policies, and Users
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
