Cisco ASA 5505 Configuration Manual page 1400

Mapping Certificates to IPsec or SSL VPN Connection Profiles
Add/Edit Tunnel Group > IPsec for Remote Access > IPsec
On the Add or Edit Tunnel Group dialog box for IPsec for Remote Access, the IPsec dialog box lets you configure or edit IPsec-specific tunnel group parameters.
Fields

Cisco ASA 5500 Series Configuration Guide using ASDM, 64-90
Pre-shared Key—Lets you specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Trustpoint Name—Selects a trustpoint name, if any trustpoints are configured. A trustpoint is a representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.

  none—Specifies no authentication mode.

  xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.

  hybrid—Specifies the use of Hybrid mode, which lets you use digital certificates for security appliance authentication and a different, legacy method—such as RADIUS, TACACS+ or SecurID—for remote VPN user authentication. This mode breaks phase 1 of the Internet Key Exchange (IKE) into the following steps, together called hybrid authentication:

  1. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

  2. An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.

Note: Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key.

IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.

Enable sending certificate chain—Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.

ISAKMP Keep Alive—Enables and configures ISAKMP keep alive monitoring.

  Disable Keep Alives—Enables or disables ISAKMP keep alives.

  Monitor Keep Alives—Enables or disables ISAKMP keep alive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

  Confidence Interval—Specifies the ISAKMP keep alive confidence interval. This is the number of seconds the adaptive security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.

  Retry Interval—Specifies the number of seconds to wait between ISAKMP keep alive retries. The default is 2 seconds.

  Head end will never initiate keepalive monitoring—Specifies that the central-site adaptive security appliance never initiates keepalive monitoring.

Interface-Specific Authentication Mode—Specifies the authentication mode on a per-interface basis.
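The same settings expressed in the ASA command line, as an added example that is not part of this guide: the tunnel-group name RA-USERS, the AAA server group RADIUS-SRV, the trustpoint CORP-CA, the interface name dmz and the key value are constructed placeholders, and the command syntax is assumed to be that of the ASA 8.x CLI behind this ASDM release.

```cisco
! Constructed example. The AAA server group must exist before hybrid
! (or xauth) mode is selected; it is where step 2 of hybrid auth sends
! the user's credentials.
aaa-server RADIUS-SRV protocol radius
!
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 ! Authentication server: a prerequisite for hybrid mode
 authentication-server-group RADIUS-SRV
tunnel-group RA-USERS ipsec-attributes
 ! Pre-shared Key field (at most 128 characters); placeholder value,
 ! also a prerequisite for hybrid mode
 pre-shared-key ExamplePsk-ChangeMe
 ! Trustpoint Name field: the identity certificate the ASA presents
 ! to the user in step 1 of hybrid authentication
 trust-point CORP-CA
 ! Enable sending certificate chain (root plus subordinate CA certs)
 chain
 ! IKE Peer ID Validation: req = required (the strict choice);
 ! cert = only if the certificate supports it; nocheck = ignored
 peer-id-validate req
 ! ISAKMP Keep Alive: Confidence Interval 300 s, Retry Interval 2 s
 ! (the remote-access defaults); "isakmp keepalive disable" turns it off
 isakmp keepalive threshold 300 retry 2
 ! Authentication Mode: hybrid (certificate for the ASA, RADIUS via
 ! xauth for the remote user)
 isakmp ikev1-user-authentication hybrid
 ! Interface-Specific Authentication Mode: plain xauth on one interface
 isakmp ikev1-user-authentication dmz xauth
```

Checking the result with show running-config tunnel-group RA-USERS confirms that the server group and pre-shared key are present before the hybrid setting is relied on.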
Chapter 64 General VPN Setup, OL-20339-01